Security News > 2021 > July > Critical Vulnerability Can Be Exploited to Hack Schneider Electric's Modicon PLCs

Critical Vulnerability Can Be Exploited to Hack Schneider Electric's Modicon PLCs
2021-07-13 11:10

A vulnerability affecting some of Schneider Electric's Modicon programmable logic controllers can be exploited to bypass authentication mechanisms, allowing attackers to take complete control of the targeted device.

It can be exploited by an unauthenticated attacker who has network access to the targeted PLC. The exploit chain demonstrated by Armis also involves several other vulnerabilities discovered over the past few years.

These older issues - they are tracked as CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537 - are related to Schneider's UMAS protocol, which is used to configure and monitor the French industrial giant's PLCs. According to Armis, UMAS operates over the Modbus industrial communications protocol, which "Lacks encryption and proper authentication mechanisms." Schneider said in the past that it had been planning on adopting the Modbus Security protocol, but until the more secure version of the protocol is widely adopted, the old version will continue to pose security-related risks.

Armis researchers discovered that the older vulnerabilities, which are related to undocummented UMAS commands, could actually be exploited for remote code execution and information disclosure, not only for DoS attacks as Schneider initially claimed.

The new ModiPwn vulnerability found by Armis can be exploited to bypass that authentication mechanism.

The ModiPwn vulnerability was initially reported to Schneider Electric in mid-November 2020.


News URL

http://feedproxy.google.com/~r/securityweek/~3/TxR8mLDRmqI/critical-vulnerability-can-be-exploited-hack-schneider-electrics-modicon-plcs

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-12-11 CVE-2020-7537 Unspecified vulnerability in Schneider-Electric products
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.
network
low complexity
schneider-electric
7.5
2019-09-17 CVE-2019-6829 Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric Modicon M340 Firmware and Modicon M580 Firmware
A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (firmware version prior to V2.90) and Modicon M340 (firmware version prior to V3.10), which could cause a possible denial of service when writing to specific memory addresses in the controller over Modbus.
network
low complexity
schneider-electric CWE-755
7.5
2019-05-22 CVE-2018-7852 Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus.
network
low complexity
schneider-electric CWE-755
7.5