Researchers have discovered a vulnerability in Schneider Electric process logic controllers (PLCs) that could enable attackers to gain complete control of the system. The components are used in industrial control system environments, such as public utilities and building controls.
The vulnerabilities, discovered by researchers at security company Armis, affect Schneider Electric's Modicon M580 and M340 controllers. They enable attackers to run remote code natively on the controllers, altering their function.
Nicknamed ModiPwn, the attacks use a vulnerability in the control protocol that interacts with the controllers. Originally, controllers used a 1970s industrial control protocol called ModBus, which had few security protections.
Schneider Electric revised this with an extended protocol called UMAS, which adds some security enhancements. One of these includes the ability for administrators to reserve a PLC so they can update it without any conflicts caused by other updates happening simultaneously.
The researchers chained several undocumented commands together in UMAS that enable attackers to write code to the PLC's memory and then trigger it.
Schneider Electric attempted to disable these commands altogether when the PLC uses an application password. However, the researchers discovered an authentication vulnerability in this reservation system that enabled them to derive the hash of the authentication password stored on the PLC.
RELATED RESOURCE
The Forrester Wave: Top security analytics platforms
The 11 providers that matter most and how they stack up
This vulnerability, CVE-2021-22779, enables the attackers to read the password hash from the PLC's memory and use it to bypass authentication altogether.
Using this authentication bypass vulnerability, they could upload a new project file that doesn't have a password. This downgrades the device’s security, removing application password functionality and enabling the chained attack.
CVE-2021-22779 has a 9.8 CVSS score, making it critical, although attackers would need network access to implement it. There appeared to be no patch at the time of writing, but Schneider Electric's advisory mentioned several workarounds while it works on a patch, including adding firewalls and segmenting networks.
The vulnerability is another example of the security challenges facing companies that use industrial control systems with protocols on networks increasingly connected to the internet.
The Biden administration has prioritized cyber security with an initiative to shore up resilience in the electrical grid as a blueprint for a broader infrastructural security plan.
-
Why keeping track of AI assistants can be a tricky businessColumn Making the most of AI assistants means understanding what they can do – and what the workforce wants from them
-
Nvidia braces for a $5.5 billion hit as tariffs reach the semiconductor industryNews The chipmaker says its H20 chips need a special license as its share price plummets
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
