CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.5 High (Confidence: High)
EPSS: 0.006 Low (Percentile: 78.2%)

Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.
This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500298);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2017-7574");

  script_name(english:"Schneider Electric Modicon M221 PLCs and SoMachine Basic Use of Hard-Coded Cryptographic Key (CVE-2017-7574)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-
key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected
project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for
encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user
password can be found in the decrypted data. After reading the user password, the project can be opened and modified
with the Schneider product.

This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://os-s.net/advisories/OSS-2017-02.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-17-103-02a");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/97518");
  # http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6f09e632");
  # https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?225e045b");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Schneider Electric recommends that users store project files in secure, access-restricted locations and encrypt project
files with reputable third party file encryption tools.

On June 14, 2017, Schneider Electric released firmware v1.5.1.0 and associated SoMachineBasic V1.5SP1. The new version
uses an enhanced encryption mechanism and prevents M221 from returning the password. Users may download SoMachineBasic
V1.5SP1 (including firmware v1.5.1.0) from the Schneider Electric web site at the following location:

http://www.schneider-electric.com/en/download/document/SOMBASAP15SP1SOFT/

or by using Schneider Electric Software Update tool.

Schneider Electric's security notice SEVD-2017-097-01 is available at the following location:

http://www.schneider-electric.com/en/download/document/SEVD-2017-097-01/

Schneider Electric's security notice SEVD-2017-097-02 is available at the following location:

http://www.schneider-electric.com/en/download/document/SEVD-2017-097-02/");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7574");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(798);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:modicon_tm221ce16r_firmware:1.3.3.3");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Schneider");

  exit(0);
}

include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Schneider');

var asset = tenable_ot::assets::get(vendor:'Schneider');

var vuln_cpes = {
  "cpe:/o:schneider-electric:modicon_tm221ce16r_firmware:1.3.3.3" :
    {"versionEndIncluding" : "1.3.3.3", "versionStartIncluding" : "1.3.3.3", "family" : "ModiconM221"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

Vendor | Product | Version | CPE |
---|---|---|---|
schneider-electric | modicon_tm221ce16r_firmware | 1.3.3.3 | cpe:/o:schneider-electric:modicon_tm221ce16r_firmware:1.3.3.3 |