A major vulnerability in Schneider Electric’s Modicon programmable logic controllers can be chained with others to allow for remote code execution. A comprehensive patch is not expected until fourth quarter, according to the company, which expects to deliver short-term fixes in the meantime.
The flaw is dubbed Modipwn by security firm Armis, the company that discovered it, and requires pre-existing network access to a Modicon controller to work. It affects Modicon models M340, M580 and others, which are found in “millions” of controllers used in building services, automation, manufacturing, energy utilities and HVAC systems. Other Modicon models are still being investigated for potential impact.
According to Armis, an attacker can send undocumented commands in the Unified Messaging Application Services (UMAS) protocol of a Modicon controller to force the device to bypass existing authentication protections and leak a hash. That hash can then be used to commandeer the connection between the controller and its managing workstation to create a new password-less configuration, which in turn allows the attacker to run additional undocumented commands that can give them full control of the PLC, deploy malware and hide its presence.
While the attack is done through UMAS, it really exploits cryptographic and authentication weaknesses in Modbus, a protocol used to manage data communications between Modicon PLCs and other devices.
At first, Armis researchers thought the vulnerabilities only allowed for denial of service attacks, but subsequent research confirmed their potential for remote code execution. They also outline two additional attack scenarios, a Machine in the Middle and a Machine on the Side, in which the bugs could be exploited to achieve authentication bypass.
Schneider Electric confirmed the vulnerability and five others in a security advisory issued today, saying a fix would likely require a mix of patching and client-side mitigation. Armis claims a holistic patch for the problem won’t be available until Q4 of 2021.
“Our findings demonstrate that while the discovered vulnerabilities affect Schneider Electric offers, it is possible to mitigate the potential impacts by following standard guidance, specific instructions; and in some cases, the fixes provided by Schneider Electric to remove the vulnerabilities,” the advisory states.
One of the vulnerabilities (CVE-2018-7852) in the chain dates back to 2018 and was originally patched for denial of service-related weaknesses, while another (CVE-2019-6829) was issued in 2019. Though they were patched, Armis researchers were able to leverage them in new ways to make the attack work.
Ben Seri, vice president of research at Armis, told SC Media that this was an “unusual” case, in which a new vulnerability is able to leverage older, already patched vulnerabilities in new ways in order to gain control of a device.
“You would have thought that these vulnerabilities would have been patched or removed from the software completely, but actually this…bypasses the mechanism that was added to the software to prevent UMAS commands from being accessible to an unauthenticated attacker,” Seri said. “They probably have some legacy requirements in which these commands can’t be completely removed from the code and so the alternative was to have them be mitigated with this authentication mechanism.”
A timeline from Armis shows that the vulnerabilities were first reported on November 13, 2020, and that over the next four months Armis and Schneider Electric disputed the severity or ease of exploitation multiple times. However, Seri said the exchanges were far from contentious and related to the ongoing discoveries the two parties made as they continued to discuss the problem, and to a desire to take the time to conclusively fix the underlying issue after previous patches proved insufficient.
“It wasn’t much of a disagreement; it was really that the investigation just evolved,” he said, adding later that Schneider Electric has “gone through the cycles of trying to fix this (problem) quickly and have not found a good solution, and so right now they’re pressing the pause button and trying to ask deeper questions around how do we fix this in a more long-lasting way.”
While customers wait for a full patch later this year, there is a range of short- and intermediate-term work that can be done. Because the flaw requires very specific commands, it should be relatively easy to set up rules for intrusion detection systems to find them. Other long-term fixes, such as micro-segmentation of the network and adopting stricter Modbus protocols, can also help. Overall, Seri emphasized that the strength of programmable logic controllers is in their name: their flexibility and programmability.