Critical Vulnerability Can Be Exploited to Hack Schneider Electric's Modicon PLCs

A vulnerability affecting some of Schneider Electric’s Modicon programmable logic controllers (PLCs) can be exploited to bypass authentication mechanisms, allowing attackers to take complete control of the targeted device.

The flaw, tracked as CVE-2021-22779 and dubbed ModiPwn, was identified by researchers at enterprise IoT security firm Armis. It can be exploited by an unauthenticated attacker who has network access to the targeted PLC.

The exploit chain demonstrated by Armis also involves several other vulnerabilities discovered over the past few years. These older issues — they are tracked as CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537 — are related to Schneider’s UMAS (Unified Messaging Application Services) protocol, which is used to configure and monitor the French industrial giant’s PLCs.

According to Armis, UMAS operates over the Modbus industrial communications protocol, which “lacks encryption and proper authentication mechanisms.” Schneider said in the past that it had been planning on adopting the Modbus Security protocol, but until the more secure version of the protocol is widely adopted, the old version will continue to pose security-related risks.

Armis researchers discovered that the older vulnerabilities, which are related to undocummented UMAS commands, could actually be exploited for remote code execution and information disclosure, not only for DoS attacks as Schneider initially claimed.

The vendor patched those older flaws by adding an authentication mechanism that should have prevented them from being abused. However, the new ModiPwn vulnerability found by Armis can be exploited to bypass that authentication mechanism.

An attacker can exploit the ModiPwn flaw to bypass authentication and they can then leverage the undocummented commands — basically the older vulnerabilities — to carry out various actions.

A hacker could use this method to “take over the PLC and gain native code execution on the device which can be used to alter the operation of the PLC, while hiding the alterations from the engineering workstation that manages the PLC.”

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

“Malware that targets industrial controllers have been found in attacks in the wild - such as the Triton malware, which targeted Triconex safety controllers from SE. This malware was an example of the devastating potential a malware running on an industrial controller can achieve by gaining native code execution. This latest vulnerability shows the potential for an attacker to gain native code execution on a similar controller,” Armis said.

The ModiPwn vulnerability was initially reported to Schneider Electric in mid-November 2020. The vendor on Tuesday published an advisory providing mitigations for this vulnerability, but a patch has yet to be released. Modicon M580 and M340 PLCs are impacted.

The security firm has disclosed the details of the attack and it has posted a video showing the exploit chain in action.

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Related: Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks