Schneider Electric has identified out-of-bounds read, out-of-bounds write and classic buffer overflow security flaws in the web servers of its Modicon M340, Quantum and Premium equipment deployed in critical infrastructure, while Hitachi ABB Power Grids reported an improper authentication flaw in its FOX615 multiservice multiplexer.
If successfully exploited, the Schneider Electric security flaws may allow write access and the execution of commands, which could result in data corruption or a web server crash, according to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA). Kai Wang of Fortinet’s FortiGuard Labs reported these vulnerabilities to Schneider Electric.
An out-of-bounds read vulnerability could lead to a segmentation fault or a buffer overflow when a specially crafted file is uploaded to the controller over FTP (file transfer protocol), while the out-of-bounds write vulnerability could result in data corruption, a crash, or code execution when a specially crafted file is uploaded to the controller over FTP. The classic buffer overflow vulnerability could lead to write access and the execution of commands, again when a specially crafted file is uploaded to the controller over FTP.
Schneider Electric’s Modicon Premium and Modicon Quantum controllers have reached their end of life and are no longer commercially available, and have been replaced by the Modicon M580 ePAC controller, the advisory pointed out.
The French multinational, which specializes in energy management and automation offerings, is establishing a remediation plan to fix these vulnerabilities in current and future versions of Modicon PAC controllers, and will update its users when the remediation is available.
Until then, users must disable FTP through UnityPro / Ecostruxure Control Expert; FTP is disabled by default when a new application is created. To reduce the risk of exploitation, users must also configure the access control list using the Ecostruxure Control Expert programming tool, set up network segmentation, and implement a firewall to block all unauthorized access to port 21/TCP.
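The mitigations above (FTP disabled on the controller, port 21/TCP blocked at the firewall) are only effective if they are actually in place. The following audit script is an added example, not Schneider Electric's or CISA's tooling: it connects to each listed controller address on the FTP port and reports whether a service still answers. The controller names, addresses and the local stand-in "FTP" listener are constructed for offline demonstration.

```python
import socket
import threading

FTP_PORT = 21  # port the advisory says should be blocked/disabled


def probe_ftp(host, port=FTP_PORT, timeout=2.0):
    """Return the greeting (possibly empty) if something accepts the TCP
    connection on the FTP port, or None if it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(256).decode("ascii", errors="replace").strip()
    except OSError:  # refused, timed out, unreachable: nothing listening
        return None
    return banner


def audit(targets):
    """targets: dict of controller name -> (host, port).
    Returns name -> 'exposed' (still reachable) or 'closed'."""
    return {
        name: ("exposed" if probe_ftp(host, port) is not None else "closed")
        for name, (host, port) in targets.items()
    }


def start_fake_ftp(host="127.0.0.1"):
    """Constructed stand-in for a controller with FTP still enabled.
    Listens on a free loopback port, sends one greeting, then exits."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 FTP server ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Pick a loopback port that nothing is listening on (stand-in for a
    controller where FTP has been disabled)."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run it against the real controller list (all on port 21) once the mitigations are applied; any entry reported as "exposed" still needs FTP disabled or the firewall rule fixed.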
The Hitachi ABB security flaw could allow an attacker to remotely access the device without authentication, and has been given a CVSS v3 base score of 9.1, according to the CISA advisory released Thursday. An attacker can send a specially crafted message to the device, causing it to open a communication channel without first authenticating the user, which may allow the attacker to execute arbitrary commands. Hitachi ABB Power Grids reported this vulnerability to CISA.
Hitachi ABB Power Grids recommends that energy users follow security practices and firewall configurations to help protect a process control network from attacks originating outside the network. Such practices require process control systems to be physically protected from direct access by unauthorized personnel, to have no direct connections to the Internet, and to be separated from other networks by a firewall system that exposes a minimal number of ports. Other systems must be evaluated on a case-by-case basis.
Last month, CISA detected an improper privilege management vulnerability in Schneider Electric’s EcoStruxure Platform that could cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxure Operator Terminal Expert.