Vulnerability identified in PACTware Instrument Management Software
The PACTware Consortium, via distributor Pepperl+Fuchs, recently released an update to supported versions of the popular Instrument Management Software. During testing, Dragos identified issues in the access control system. End users who utilize the role-based access control system should make plans to update their PACTware installations during their next plant maintenance/refresh window. The PACTware software is redistributed by several instrument vendors and incorporates a basic role-based access control system. Simple roles allow the plant owner to establish passwords, which restrict access to instrument settings within the PACTware software.
Dragos identified that the password management system had two weaknesses:
- It is possible to decrypt passwords for all PACTware user roles.
- The passwords can be modified by any local user on the system – even a user with no knowledge of the current passwords.
This practice in password management is typical in engineering software. Since PACTware is a protocol-agnostic tool, it is required to manage its own passwords. These passwords are enforced in the client software, where they are more difficult to protect from local users. This software will often store passwords either inside of project files or in a common area on the filesystem or system registry. Since any normal user of the system must be able to read and write the stored authentication data, permissions on these storage mechanisms are typically weak.
Repairing old software to use modern secure password storage techniques is not glamorous but should be viewed as housekeeping by software maintainers. In this case, the old versions of PACTware were found to store the passwords in the Windows registry. The encrypted passwords were stored using a homebrew algorithm, likely devised years ago when security was not a greater concern. The PACTware software performed password verification by first decrypting the stored password, and then comparing the result to the value that was entered by the user.
Update now available
PACTware’s new mechanism uses a stronger, standard one-way hashing algorithm. This stores the passwords in a format that makes password recovery more difficult. Securing the password storage mechanism from tampering is also reportedly incorporated in the recent update.
While it is extremely difficult to prevent access to instruments from this point on a control system, taking an easy-to-use tool out of the hands of would-be attackers, and even malicious insiders, should be in every operator’s interest. Updates are available now: users can update their PACTware installation to version 4.1SP6 or 188.8.131.52. Both versions are available from Pepperl+Fuchs and should be made available by other distributors and instrument vendors in the coming weeks.
Dragos would like to thank BSI, CERT@VDE, and Pepperl+Fuchs for their help in coordinating and reviewing the public advisories for these issues.