Critical vulnerability in Schneider Electric Modicon PLCs can bypass authentication mechanisms

Researchers from security firm Armis have detected the presence of a bypass vulnerability in Schneider Electric’s Modicon PLCs, which allows cyber attackers to circumvent authentication mechanisms, leading to native remote code execution (RCE) on vulnerable industrial devices. 

The security flaw can be chained with additional vulnerabilities in the UMAS protocol that Schneider Electric operates, without encryption and proper authentication mechanisms. The flaws in the UMAS protocol were discovered in the past but only partly mitigated while escaping the security mechanisms added to the Modicon PLCs to prevent abuse of undocumented Modbus commands. These undocumented commands can allow full control over the PLC — overwriting critical memory regions, leaking sensitive memory content, or invoking internal functions. 

PLCs are industrial computer control systems that continuously monitor the state of input devices and make decisions based upon a custom program to control the state of output devices. Schneider’s Modicon PLCs are used to control and monitor industrial operations in a sustainable, flexible, efficient and protected way. The PLC supplies edge technology that works with Ethernet connectivity, built-in cybersecurity, and processing power needed to handle big data analysis, and provide protection against new vulnerabilities that exist amongst connected industrial assets, across devices or into the cloud. 

Armis researchers found that the undocumented Modbus commands can be used to take over the PLC and gain native code execution on the device. It can be used to alter the operation of the PLC, while hiding the alterations from the engineering workstation that manages the PLC. This attack is an unauthenticated attack that only requires network access to the targeted PLCs.

“Armis informed SE on November 13, 2020 and has since worked with them to understand the underlying issues and work towards a patch,” according to research published by the company. “In the process of working with SE, Armis researchers discovered and reported two additional authentication bypass techniques that have yet to be resolved by SE. Due to inherent shortcomings of the Modbus protocol that powers SE’s UMAS protocol used by Modicon PLCs, Armis will continue working with SE and additional vendors to address these issues,” it added.

Schneider also released on Tuesday its own security advisory stating that the Rueil-Malmaison, France, based company is aware of multiple vulnerabilities in its EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, and Modicon M580 and M340 control products. “These vulnerabilities pose several risks, primary among these is the possibility of arbitrary code execution and loss of confidentiality and integrity of the project file,” it said in its advisory. 

“Our findings demonstrate that while the discovered vulnerabilities affect Schneider Electric offers, it is possible to mitigate the potential impacts by following standard guidance, specific instructions; and in some cases, the fixes provided by Schneider Electric to remove the vulnerabilities,” it added. 

The Armis researchers revealed weak points of the industry-standard Modbus protocol used commonly in a wide array of industrial controls. These known deficiencies lead to vulnerabilities that are discovered, patched, and then re-patched time and time again, in a classic ‘whack-a-mole’ cycle. Schneider has earlier stated its intent to adopt the Modbus Security protocol that offers encryption and authentication mechanisms that are not part of the classic Modbus protocol, but it is yet to implement these steps.  

Armis discovered that earlier Modicon PLCs vulnerabilities were categorized as denial-of-service, but they can actually lead to native remote-code execution. These vulnerabilities are essentially undocumented commands in the UMAS protocol, and Armis researchers discovered that instead of removing these commands from the protocol, possibly due to legacy dependencies Schneider added an authentication mechanism around them to mitigate that risk. 

Armis’ European cyber-risk officer, Andy Norton, advised keeping the PLCs off the internet while making recommendations for securing Internet of Things devices and other industrial control systems hardware.

The executive encouraged organizations to ensure they have real-time visibility into internet-connected assets, internal or external. “Whether in an office or on the manufacturing floor, establishing real-time, continuous monitoring enables security professionals to validate baselines for device behavior, detect anomalous activity and stop IoT device attacks before they spread,” Norton told TechRepublic.

Schneider Electric has advised all industrial companies to ensure they have implemented cybersecurity best practices across their operations and supply chains to reduce cyber risks. It also recommended locating industrial systems and remotely accessible devices behind firewalls, installing physical controls to prevent unauthorized access, preventing mission-critical systems and devices from being accessed from outside networks, and systematically applying security patches.

In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ​​identified the existence of security issues in Schneider’s Modicon X80 equipment used globally in the commercial facilities, critical manufacturing and energy segments. The remotely exploitable low attack complexity vulnerability can expose sensitive information to an unauthorized hacker, which could result in an understanding of the network architecture.

Last December, Armis tracked the exposures from the URGENT/11 and CDPwn exploit discoveries over the past 18 months, and identified that 97 percent of the OT (operational technology) devices impacted by URGENT/11 have not been patched, while 80 percent of those affected by CDPwn remain unpatched. Using one of the critical RCE vulnerabilities from URGENT/11, Armis was able to exploit Schneider’s Modicon M580, which led to the French company subsequently issuing patches for the URGENT/11 vulnerability.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.