Security News > 2021 > July > Critical Vulnerability Can Be Exploited to Hack Schneider Electric's Modicon PLCs
A vulnerability affecting some of Schneider Electric's Modicon programmable logic controllers can be exploited to bypass authentication mechanisms, allowing attackers to take complete control of the targeted device.
It can be exploited by an unauthenticated attacker who has network access to the targeted PLC. The exploit chain demonstrated by Armis also involves several other vulnerabilities discovered over the past few years.
These older issues - they are tracked as CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537 - are related to Schneider's UMAS protocol, which is used to configure and monitor the French industrial giant's PLCs. According to Armis, UMAS operates over the Modbus industrial communications protocol, which "Lacks encryption and proper authentication mechanisms." Schneider said in the past that it had been planning on adopting the Modbus Security protocol, but until the more secure version of the protocol is widely adopted, the old version will continue to pose security-related risks.
Armis researchers discovered that the older vulnerabilities, which are related to undocummented UMAS commands, could actually be exploited for remote code execution and information disclosure, not only for DoS attacks as Schneider initially claimed.
The new ModiPwn vulnerability found by Armis can be exploited to bypass that authentication mechanism.
The ModiPwn vulnerability was initially reported to Schneider Electric in mid-November 2020.
News URL
Related news
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
- CISA investigates critical infrastructure breach after Sisense hack (source)
- CISA says Sisense hack impacts critical infrastructure orgs (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-11 | CVE-2020-7537 | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller. | 7.5 |
| 2019-09-17 | CVE-2019-6829 | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric Modicon M340 Firmware and Modicon M580 Firmware A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (firmware version prior to V2.90) and Modicon M340 (firmware version prior to V3.10), which could cause a possible denial of service when writing to specific memory addresses in the controller over Modbus. | 7.8 |
| 2019-05-22 | CVE-2018-7852 | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus. | 5.0 |