A vulnerability in Schneider Electric’s Modicon programmable logic controller (PLCs) could allow full exploitation of the system.
SE Modicon PLCs are used in various industrial sectors for managing industrial Internet of Things devices.
Researchers from Armis discovered an authentication bypass flaw that can allow an attacker to bypass the existing security mechanisms of programmable logic controller (PLCs) chips. Researchers dubbed the vulnerability Modipwn, which has been assigned code CVE-2021-22779.
Without authorization, an attacker can execute code and cause a machine to crash. Also, attackers get unauthorized access to the memory, a hash required to take over secure connections, and code execution capabilities.
Armis researchers say only network access is required to perform an attack.
The issue is found in Modbus protocol, its weak encryption and authentication mechanism make SE’s proprietary UMAS vulnerable to exploitation. The CVE-2021-22779 issue can lead to exploitation of other known UMAS bugs (CVE-2021-22779, CVE-2018-7852, CVE-2019-6829, and CVE-2020-7537). These UMAS issues should be considered a risk to Modicon M340 and M580 products, as well as “other models.”
“SE has stated in the past its intent to adopt the Modbus Security protocol that offers encryption and authentication mechanisms that are not part of the classic Modbus protocol,” Armis says. “These adoption steps, however, have yet to be implemented.”
Armis notified SE of its findings in November 2020, but a full patch is not expected before Q4 2021.
Two other authentication bypass flaws were reported by the researchers, identified as critical weaknesses that require immediate resolution.
“Due to inherent shortcomings of the Modbus protocol that powers SE’s Unified Messaging Application Services (UMAS) protocol used by Modicon PLCs, Armis will continue working with SE and additional vendors to address these issues,” company says.
“As always, we appreciate and applaud independent cybersecurity research because, as in this case, it helps the global manufacturing industry strengthen our collective ability to prevent and respond to cyberattacks,” Schneider Electric said in a statement.