Schneider Electric’s Modicon controller family, some of the first PLCs on the market and described by the company as “still top of their class,” are designed to connect industrial equipment – from oil and gas pipelines to manufacturing systems and water purification facilities – to a network. Sadly, they appear to have something of an undocumented feature: letting anyone take control of said equipment using hidden commands and an authentication bypass.
“Armis researchers found that these commands can be used to take over the PLC and gain native code execution on the device which can be used to alter the operation of the PLC, while hiding the alterations from the engineering workstation that manages the PLC. This attack is an unauthenticated attack that only requires network access to the targeted PLCs.” the infosec analysts said.
The vulnerability itself, dubbed “ModiPwn,” chains on two previously disclosed issues, discovered by security firm Talos in 2018 and 2019 respectively, which Schneider Electric claimed to have patched. The Armis researchers discovered the patches were effective only when an application password was set – and then found a number of ways to bypass said password, opening the holes back up for all even on the latest software release.
Worse, the flaws which had originally been classified as leading to denial-of-service (DoS) attacks were found to allow remote code execution – meaning an unauthenticated attacker could take full control of the PLC and, by extension, whatever industrial equipment it was controlling.
Schneider Electric confirmed the vulnerabilities and promised a patch would be released by the end of this year, but a purported security advisory [PDF] was made available for download a little prematurely: rather than the promised technical details and mitigation advice which would keep customers safe pending the release of a proper patch, the document available at the time of writing was wholly blank save for the single word “Internal” at the bottom.
Unfortunately for Schneider Electric customers, the devices can’t be considered fully secure even once the patch is out and applied. “Other bypass techniques remain unpatched due to design limitations,” the Armis researchers warned, adding that while the company had promised to adopt 2018’s Modbus Security standard by 2020 it had failed to do so.
As for what Modicon users can do to protect themselves, the researchers offered some tips: “Armis strongly recommends the use of Schneider Electric guidelines for secure configuration of Modicon PLCs such as the use of application passwords in project files, properly using network segmentation, and implementing access control lists to shield industrial controllers from unwanted communications and attacks.”
“Compromised passwords are at the heart of frustration for any information security team, but when coupled up with sophisticated new attempts to bypass a second layer of authentication, the heat is really turned on,” ESET UK cybersecurity expert Jake Moore told The Register.
This is far from the first time Schneider Electric’s industrial control products have been targeted by ne’er-do-wells. In 2017 a group using what became known as the Triton malware breached Schneider Electric devices installed at a Saudi oil and gas facility in an attack later traced to a Kremlin-backed facility in Moscow.
“Schneider Electric is committed to collaborating openly and transparently. In this case, we have collaborated with these researchers to validate the research and to assess its true impact,” the company wrote in an official statement. “Our mutual findings demonstrate that while the discovered vulnerabilities affect Schneider Electric offers, it is possible to mitigate the potential impacts by following standard guidance, specific instructions; and in some cases, the fixes provided by Schneider Electric to remove the vulnerability.
“As always, we appreciate and applaud independent cybersecurity research because, as in this case, it helps the global manufacturing industry strengthen our collective ability to prevent and respond to cyber-attacks. Together, we continue to encourage the ecosystem of automation suppliers, cybersecurity solution providers, and end-users to collaborate to reduce cybersecurity risks; and support our customers to ensure they have implemented cybersecurity best practices across their operations and supply chains.”
Schneider Electric did not respond to follow-up questions on its Modbus Security progress or lack thereof, the location of the correct vulnerability notice and mitigation advice, nor on a firm timescale for fixing what are, contrary to the above statement, still-unpatched security vulnerabilities.
The problem extends beyond Schneider Electric, though. “It is clear the underlying design flaws in UMAS [Schneider’s extensions to Modbus] and Modbus remain unfixed for the time being,” the Armis researchers warned. “While attempts to harden access to certain commands are being introduced, these design flaws create significant challenges for the developers – which will likely lead to additional vulnerabilities in the future.”