CISA discloses security vulnerabilities in Schneider Electric EcoStruxure and Modicon, Rockwell’s Armor PowerFlex

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Tuesday two ICS (industrial control systems) advisories, providing timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The agency highlighted the presence of hardware vulnerabilities in components of Schneider Electric EcoStruxure and Modicon, and Rockwell Automation Armor PowerFlex. 

The cybersecurity agency disclosed a remotely exploitable ‘authentication bypass by capture-replay’ vulnerability in Schneider Electric’s EcoStruxure Control Expert, EcoStruxure Process Expert, Modicon M340 CPU, Modicon M580 CPU, Modicon Momentum Unity M1E Processor, and Modicon MC80 equipment. The affected products are deployed across the critical manufacturing, energy, and commercial facilities sectors. Jos Wetzels and Daniel dos Santos, researchers from Forescout Technologies, reported these vulnerabilities to Schneider Electric.

“Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session,” the CISA advisory said.

The affected components include all versions of EcoStruxure Control Expert, EcoStruxure Process Expert version V2020 and prior, all versions of Modicon M340 CPU (part numbers BMXP34), and all versions of Modicon M580 CPU (part numbers BMEP and BMEH). All versions of the Modicon M580 CPU Safety (part numbers BMEP58 S and BMEH58 S), Modicon Momentum Unity M1E Processor (171CBU), and Modicon MC80 (BMKC80) are also said to be affected.

“An authentication bypass by capture-replay vulnerability exists that could execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session,” the CISA advisory added. “CVE-2022-45789 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated.”

Schneider Electric has called upon users of EcoStruxure Process Expert to upgrade to version V2021, which is available for download and is not impacted by this vulnerability, as the affected component has been removed from this version. For EcoStruxure Control Expert, the French company has advised users to set up a VPN (virtual private network) between the Modicon PLC controllers and the engineering workstation containing EcoStruxure Control Expert, and to harden the workstation running EcoStruxure Control Expert.

To address and mitigate the EcoStruxure Process Expert vulnerability, users must set up a VPN between the Modicon PLC controllers and the engineering workstation containing EcoStruxure Control Expert, and harden the workstation running EcoStruxure Process Expert.

Modicon M340 CPU (part numbers BMXP34) users must set up an application password in the project properties, set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP, and set up secure communication. Additionally, they must configure the access control list following the recommendations of the user manuals, and consider the use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 and M580 architectures.

Modicon M580 CPU (part numbers BMEP and BMEH) users must set up an application password in the project properties, set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP, configure the access control list following the recommendations of the user manuals, set up secure communication following the recommended guidelines in the Modicon Controllers Platform – Cyber Security Reference Manual chapter, and use a BMENUA0100 module and follow the instructions to configure the IPsec feature as described in the M580 – BMENUA0100 OPC UA Embedded Module, Installation and Configuration Guide chapter.
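The Modicon mitigations above boil down to one control: only the engineering workstations may reach a controller on 502/TCP, and everything else is blocked by segmentation and a firewall. The script below is an added example (not Schneider Electric's or CISA's code) of the detection side of that control: it runs an allowlist check over constructed firewall connection records and reports every source that opened Modbus/TCP to a PLC from outside the permitted subnet. The log format, addresses, and the allowlist are assumptions for illustration.

```python
"""Detection of unauthorized Modbus/TCP (502) access to PLCs, as an added example.

The advisory mitigations call for network segmentation and a firewall that blocks
all unauthorized access to 502/TCP on the Modicon controllers. This script checks
connection records (constructed sample lines in a simplified key=value firewall
format, not any real product's log format) against an allowlist of engineering
workstations and reports every source not permitted to talk Modbus to a PLC.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

MODBUS_PORT = 502

# Assumed: only the engineering workstation subnet may reach the PLCs on 502/TCP.
ALLOWED_SOURCES = [ip_network("10.10.20.0/24")]
# Assumed PLC addresses (Modicon M340/M580 in this hypothetical network).
PLC_ADDRESSES = {ip_address("10.10.10.5"), ip_address("10.10.10.6")}

# Constructed log lines: 10.10.30.7 and 192.168.1.44 are outside the allowlist.
SAMPLE_LOG = """\
ts=2023-07-11T09:00:01Z src=10.10.20.15 dst=10.10.10.5 dport=502 proto=tcp action=allow
ts=2023-07-11T09:00:02Z src=10.10.30.7 dst=10.10.10.5 dport=502 proto=tcp action=allow
ts=2023-07-11T09:00:03Z src=10.10.20.15 dst=10.10.10.6 dport=502 proto=tcp action=allow
ts=2023-07-11T09:00:04Z src=192.168.1.44 dst=10.10.10.6 dport=502 proto=tcp action=allow
ts=2023-07-11T09:00:05Z src=10.10.30.7 dst=10.10.10.5 dport=443 proto=tcp action=allow
ts=2023-07-11T09:00:06Z src=10.10.30.7 dst=10.10.10.5 dport=502 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src):
    """True if the source address lies inside an allowlisted subnet."""
    return any(src in net for net in ALLOWED_SOURCES)


def find_unauthorized_modbus(log_text):
    """Return {source_ip: count} of Modbus/TCP connections to a PLC from sources
    outside the allowlist. Non-Modbus traffic and non-PLC destinations are ignored."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != MODBUS_PORT:
            continue
        if rec["dst"] not in PLC_ADDRESSES:
            continue
        if not is_allowed_source(rec["src"]):
            hits[str(rec["src"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in find_unauthorized_modbus(SAMPLE_LOG).items():
        print(f"ALERT: {src} opened {n} Modbus/TCP connection(s) to a PLC outside the allowlist")
```

In a real deployment the same allowlist would also be enforced, not only detected: the firewall rule set should accept 502/TCP to the PLCs only from the workstation subnet and drop the rest, so that a hit from this check indicates a rule gap rather than a tolerated path.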

In the case of Rockwell Automation’s Armor PowerFlex v1.003, CISA warned of an ‘incorrect calculation’ vulnerability that is remotely exploitable with low attack complexity. “Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation.”

The affected product is deployed across the critical manufacturing sector. Rockwell reported the vulnerability to CISA.

The advisory added that, “a vulnerability was discovered in Armor PowerFlex when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations. CVE-2023-2423 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated.”

Rockwell recommends users update Armor PowerFlex to v2.001 or later, and implement the company’s best security practices.
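Until the firmware update is applied, the observable precursor of the Armor PowerFlex condition described above is a burst of network commands from one source at a rate far above normal polling. The script below is an added example (not Rockwell's or CISA's code) of a generic sliding-window rate check that a monitoring pipeline could run over per-source command records; the sample records, threshold, window length and addresses are constructed assumptions to be tuned for a given network.

```python
"""Rate-based detection of a command flood against an ICS device, as an added example.

The Rockwell advisory describes a denial-of-service condition triggered by an
influx of network commands that makes Armor PowerFlex generate event-log traffic
at a high rate until it self-resets. The detection logic below is a sliding-window
rate check over per-source command records (constructed sample data, not a real
product's telemetry). Threshold and window are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0          # assumed observation window
MAX_COMMANDS_PER_WINDOW = 50   # assumed threshold for a single source


def generate_sample_records():
    """Constructed records as (timestamp_seconds, source_ip), time ordered.
    A maintenance host polls once per second for a minute; a second host sends
    120 commands within two seconds starting at t=30."""
    records = []
    for i in range(60):
        records.append((float(i), "10.10.20.15"))
    for i in range(120):
        records.append((30.0 + i / 60.0, "10.10.30.7"))
    return sorted(records)


def detect_command_bursts(records, window=WINDOW_SECONDS, limit=MAX_COMMANDS_PER_WINDOW):
    """Return {source_ip: first_timestamp_at_which_limit_was_exceeded}.

    Keeps one deque of timestamps per source, drops entries older than the window,
    and raises an alert the first time more than `limit` commands fall inside it.
    Records must be in non-decreasing time order."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, src in records:
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in detect_command_bursts(generate_sample_records()).items():
        print(f"ALERT: {src} exceeded {MAX_COMMANDS_PER_WINDOW} commands per "
              f"{WINDOW_SECONDS:.0f}s at t={ts:.2f}s")
```

The check is deliberately per source so that a single flooding host is isolated from legitimate pollers; a threshold tuned just above the device's expected polling rate lets the alert fire early enough to block the source before the device reaches the self-reset condition.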

Last month, CISA published ICS advisories warning of hardware vulnerabilities in equipment from Axis Communications, Rockwell Automation, Johnson Controls, and Emerson. These notices provide timely information about current security issues, vulnerabilities, and exploits surrounding the ICS environment.
