Security News > 2021 > July > Critical Vulnerability Can Be Exploited to Hack Schneider Electric's Modicon PLCs
A vulnerability affecting some of Schneider Electric's Modicon programmable logic controllers can be exploited to bypass authentication mechanisms, allowing attackers to take complete control of the targeted device.
It can be exploited by an unauthenticated attacker who has network access to the targeted PLC. The exploit chain demonstrated by Armis also involves several other vulnerabilities discovered over the past few years.
These older issues - they are tracked as CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537 - are related to Schneider's UMAS protocol, which is used to configure and monitor the French industrial giant's PLCs. According to Armis, UMAS operates over the Modbus industrial communications protocol, which "Lacks encryption and proper authentication mechanisms." Schneider said in the past that it had been planning on adopting the Modbus Security protocol, but until the more secure version of the protocol is widely adopted, the old version will continue to pose security-related risks.
Armis researchers discovered that the older vulnerabilities, which are related to undocummented UMAS commands, could actually be exploited for remote code execution and information disclosure, not only for DoS attacks as Schneider initially claimed.
The new ModiPwn vulnerability found by Armis can be exploited to bypass that authentication mechanism.
The ModiPwn vulnerability was initially reported to Schneider Electric in mid-November 2020.
News URL
Related news
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Schneider Electric confirms dev platform breach after hacker steals data (source)
- Schneider Electric ransomware crew demands $125k paid in baguettes (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
- Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites (source)
- Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-12-11 | CVE-2020-7537 | Unspecified vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller. | 7.5 |
2019-09-17 | CVE-2019-6829 | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric Modicon M340 Firmware and Modicon M580 Firmware A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (firmware version prior to V2.90) and Modicon M340 (firmware version prior to V3.10), which could cause a possible denial of service when writing to specific memory addresses in the controller over Modbus. | 7.5 |
2019-05-22 | CVE-2018-7852 | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus. | 7.5 |