Users of Schneider Electric’s Modicon programmable logic controllers (PLCs), which are widely present in manufacturing, building services automation applications, energy utilities, and HVAC systems, are advised to be on the alert for the exploitation of an authentication bypass vulnerability that could lead to remote code execution (RCE) on a target system.
Dubbed Modipwn by the Armis researchers responsible for its discovery, the vulnerability, assigned CVE-2021-22779, allows for complete device takeover of several Modicon models, including the M340 and M580.
A theoretical attacker would begin by gaining network access to a target Modicon PLC. Once done, they can exploit undocumented commands in the unified messaging application services (UMAS) protocol to leak a specific hash from the device’s memory.
Once in possession of this hash, they can take over the secure connection between the PLC and its managing workstation to reconfigure it with a password-less configuration.
From there, they can abuse additional undocumented commands to obtain RCE capabilities, establish persistence, obfuscate their presence, and install malware.
“Armis and Schneider Electric have worked together to ensure the proper security mitigations are being provided,” said Armis’ Ben Seri. “We urge all affected organizations to take action now.
“The trouble with these legacy devices found in OT environments is that, historically, they have evolved over unencrypted protocols. It will take time to address these weak underlying protocols. In the meantime, organizations operating in these environments should ensure visibility over these devices to see where their exposure points lie.
“This is crucial to preventing attackers from being able to control their systems – or even hold them to ransom,” Armis said. Attacks that alter the operations of industrial controllers threaten business continuity and safety, and those that hide from monitoring solutions are hard to spot. Sophisticated attacks such as those that could potentially exploit Modipwn have often been seen in the wild, with examples including the Triton malware attack on a Middle Eastern petrochemical facility in December 2017.
Speaking to Computer Weekly’s sister titled SearchSecurity, Seri said the problem was symptomatic of much deeper issues around the security of industrial control systems and spoke of a lack of due care and attention during the development process. He said this meant that even when CVE-2021-22779 is fully patched – expected later in 2021 – Modicon PLCs could remain vulnerable to other attacks.
A spokesperson for Schneider Electric’s Corporate Product CERT said: “Schneider Electric is committed to collaborating openly and transparently. In this case, we have collaborated with these researchers to validate the research and assess its true impact. Our mutual findings demonstrate that while the discovered vulnerabilities affect Schneider Electric’s offers, it is possible to mitigate the potential effects by following legal guidance, specific instructions, and in some cases, the fixes provided by Schneider Electric to remove the vulnerability.
“As always, we appreciate and applaud independent cyber security research because, as in this case, it helps the global manufacturing industry to strengthen our collective ability to prevent and respond to cyber-attacks.
“Working together has improved our understanding of potential weaknesses in EcoStruxure Control Expert. It enabled us to disclose this vulnerability in a timely, responsible manner to better protect our customers and end-users operations, assets, and people.
“Together, we continue to encourage the ecosystem of automation suppliers, cyber security solution providers, and end-users to collaborate to reduce cyber security risks and support our customers to ensure they have implemented best practices across their operations and supply chains.” A full breakdown of Modipwn, including a deeper technical dive, can be found here.
