UMAS and the cybersecurity of its communications

Updated on 11/07/2024
Author
INCIBE (INCIBE)

In the industrial world, a multitude of electronic devices manufactured by different brands and with different characteristics are used. Because of this competition, manufacturers have had to improve and develop new technologies in order to differentiate themselves from their competitors in the market and to encourage buyers to use only their products.

Companies have often created specific software that only works with their own devices, or even specific protocols for communication between devices of the same company.

One of the best examples is the UMAS (Unified Messaging Application Services) protocol, created by Schneider Electric and used to configure and monitor its PLCs.

This protocol is built on Modbus/TCP, one of the oldest and most widely used protocols in the industrial world, which is characterised by master-slave communication. Next, we will look at the structure of the UMAS protocol.

UMAS structure

Figure: UMAS structure.

One of the main features of the UMAS protocol is that it uses Modbus function code 90 (0x5A) to indicate that the data field carries a UMAS message for the device. As can be seen in the figure above, the function code is followed by the session key. This one-byte field is what, depending on its value, allows write requests to be made and therefore PLC information to be modified. Finally, the UMAS function field indicates the type of operation that is going to be performed on the PLC. After seeing how the UMAS protocol is structured, one might think it would be difficult for it to suffer any kind of cyber-attack, since it is an industrial protocol that is hard to reach and whose communication is complex, but this is not the case. This protocol has been the target of many cyber-attacks, and several vulnerabilities have been discovered in it, such as CVE-2020-28212 and CVE-2021-22779.

  • CVE-2020-28212: the main problem with the basic fallback mechanism is that it does not use the application password, so an attacker could use the session key to send requests and change the device configuration. For example, on Modicon M340 devices with firmware prior to version 2.7, the session key has the same value every time the device is reserved and is always equal to 0x01. This means that the attacker could make changes to the device by calling the relevant functions once the device has been reserved, whether by a legitimate user or by the attacker himself.

    Attack flow

    Figure: Attack flow.

    As the figure shows, if the device's session has not yet been reserved, the attacker could get ahead and send the umas_QueryTakePLCReservation(0x01) function to reserve the session key and thus be able to change the device's configuration.

    Although this attack only works on versions prior to 2.7, since Modicon M340s with firmware version 2.7 or higher use a random session key rather than the constant 0x01, version 2.7 also has weaknesses: the session key is still only one byte long, so the space of possible values is very small (256 values), allowing the attacker to perform a brute-force attack.

    To carry out this second attack, requests are sent to port 502/TCP of the PLC with different session ID values, observing the PLC's responses. If the session ID sent is correct, the PLC responds with the code 0xfe; if it is not, the device responds with the code 0xfd.

    Because of the serious problems this vulnerability can cause, Schneider's developers have made improvements to mitigate it. The improvement consists of introducing cryptographic algorithms and increasing the length of the session ID.

  • CVE-2021-22779: after these improvements were made to the device, further research revealed that the new implementation has flaws of its own. This CVE could allow a remote attacker to bypass the authentication mechanism and use functions that require reservation to make changes to the PLC. The following figure shows how the new, improved communication works.

    Communication with the permitted application password

    Figure: Communication with the permitted application password.

    The problem discovered in this improvement is that the device always sends the same response regardless of the request that has been sent, so an attacker who has previously captured the network traffic between the client and the PLC can perform a replay attack. To avoid this problem, Schneider has ensured that memory block 0x14 of the PLC no longer contains the password hash used; instead, it is hidden behind a SHA256 hash.
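As an added example (not code from the article or from Schneider), the following Python script parses the UMAS frame structure described above (Modbus/TCP header, function code 0x5A, one-byte session key, UMAS function code) and, from a defender's side, flags clients that receive a burst of 0xfd "wrong session key" answers, the pattern the brute-force attack on the one-byte key would leave in port 502/TCP traffic. The exact field offsets, the position of the 0xfe/0xfd status byte in the reply, the IP addresses and the sample frames are assumptions constructed for the example.

```python
"""Parse UMAS-over-Modbus/TCP frames and flag session-key guessing (example code)."""
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed layout: 7-byte MBAP header (transaction id, protocol id, length, unit id),
# then Modbus function code 0x5A, then the one-byte session key, then the UMAS function.
UMAS_FUNCTION_CODE = 0x5A
SESSION_OK, SESSION_BAD = 0xFE, 0xFD  # PLC answer for a correct / wrong session key


def parse_umas(frame: bytes) -> Optional[Dict]:
    """Return the UMAS fields of a Modbus/TCP frame, or None if it is not a UMAS frame."""
    if len(frame) < 10:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None  # malformed MBAP header (length covers unit id + PDU)
    if frame[7] != UMAS_FUNCTION_CODE:
        return None  # ordinary Modbus function, not UMAS
    return {"tid": tid, "unit": unit, "session": frame[8],
            "umas_fn": frame[9], "payload": frame[10:]}


def build_umas(tid: int, session: int, umas_fn: int, payload: bytes = b"") -> bytes:
    """Build a UMAS frame with the same assumed layout (used here to construct samples)."""
    pdu = bytes([UMAS_FUNCTION_CODE, session, umas_fn]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 0) + pdu


def flag_session_guessing(replies: List[Tuple[str, bytes]], threshold: int = 8) -> List[str]:
    """Given (client_ip, plc_reply_frame) pairs, return the clients that received more
    than `threshold` wrong-session-key answers. With a one-byte key there are only 256
    candidates, so a burst of 0xFD replies to one client is a strong brute-force indicator."""
    failures: Counter = Counter()
    for client, frame in replies:
        fields = parse_umas(frame)
        if fields and fields["umas_fn"] == SESSION_BAD:
            failures[client] += 1
    return sorted(c for c, n in failures.items() if n > threshold)


# Constructed sample: one client is answered 0xFD ten times, a legitimate client gets 0xFE.
SAMPLE = [("10.0.0.9", build_umas(i, i, SESSION_BAD)) for i in range(10)]
SAMPLE.append(("10.0.0.5", build_umas(99, 0x2B, SESSION_OK)))

if __name__ == "__main__":
    print("suspicious clients:", flag_session_guessing(SAMPLE))  # ['10.0.0.9']
```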

Conclusion

Finally, as has been observed throughout this article, the industrial world is a sector that has seen a sharp rise in cyber-attacks over the years. Among the devices that have suffered a large number of attacks are the Modicon M340 and the UMAS protocol, both from Schneider: several investigations have uncovered CVEs (CVE-2020-28212 and CVE-2021-22779) that could allow the device configuration to be modified, with serious consequences for the operation of the PLC. For this reason, more and more companies are investing in cybersecurity and carrying out different kinds of pentesting so that a device is as secure as possible before it is put on the market.