Critical vulnerability found in Schneider Electric's Unity Pro software

A new vulnerability has been discovered in Schneider Electric's Unity Pro software that could allow an attacker to execute code remotely on industrial networks.

A critical vulnerability has been found in Schneider Electric's Unity Pro software that gives hackers the ability to remotely execute code that could disrupt any business or utility which uses the company's controllers.

The vulnerability was discovered by the industrial cybersecurity firm Indegy that has since released a report detailing the flaw and how it could affect the industrial controllers used by businesses and utilities to control their operations. The company's CTO Mille Gandelsman has strongly encouraged users running Unit Pro to update to the latest version of the software in order to protect themselves from a potential attack.

Gandelsman highlighted the seriousness of the flaw, saying: “If the IP address of the Windows PC running the Unity Pro software is accessible to the internet, then anyone can exploit the software and run code on hardware.  This is the crown jewel of access. An attacker can do anything they want with the controllers themselves.”

A large number of businesses and utilities could potentially be disrupted by this vulnerability, as Schneider Electric's Unity Pro software is used to manage and program millions of industrial controllers worldwide. The flaw itself though was found in a component of the software called Unity Pro PLC Simulator which is utilised to test industrial controllers.

Gandelsman explained what could happen if an attacker was able to access this component, saying: “This is what an attacker would want to have access to in order to impact the actual production process within an ICS physical environment. That includes the valves, turbines, centrifuges and smart meters. These are accessible from the engineering stations natively. With this type of access, an attacker can use it to change the recipe to drugs being manufactured or turn off the power grid of a city."

Schneider Electric has informed its customers regarding the flaw through a Security Notification in which it said: “The vulnerability is arbitrary code execution made possible by remotely downloading a patched project file to the Unity Simulator.”

Every version of Unity Pro, including version 11.1, are susceptible to the flaw so it is essential that anyone using Schneider Electric's software upgrade as soon as possible.

Image Credit: Ricochet64 / Shutterstock

ABOUT THE AUTHOR

Anthony currently resides in South Korea where he teaches and experiences Korean technological advances first hand.