Vulnerability in Schneider Electric PLCs allows for undetectable remote takeover

Dubbed Modipwn, the vulnerability affects a wide variety of Modicon programmable logic controllers used in manufacturing, utilities, automation and other roles.

Modern industrial plant and communication network concept.

Image: metamorworks, Getty Images/iStockphoto

A vulnerability discovered in Schneider Electric’s Modicon programmable logic controllers, used in millions of devices worldwide, could allow a remote attacker to gain total and undetectable control over the chips, leading to remote code execution, malware installation and other security compromises.

More about cybersecurity

Discovered by security researchers at asset visibility and security vendor Armis, the vulnerability, dubbed Modipwn, is similar to the vulnerability that was leveraged by the Triton malware that targeted Schneider Electric safety controllers used in Saudi Arabian petrochemical plants. Modicon chips vulnerable to Modipwn are used in manufacturing, building services, automation, energy utilities, HVAC and other industrial applications. 

SEE: Security incident response policy (TechRepublic Premium)

The vulnerability affects Modicon chips M340, M580 and “other models from the Modicon series,” Armis said. It exploits Schneider’s unified messaging application services protocol, which is used to configure and monitor Schneider’s PLCs—Modicon and others—by taking advantage of undocumented commands that allow the attacker to leak hashes from a device’s memory.

Once leaked, attackers can use the stolen hash to take over the secure connection that UMAS establishes between the PLC and its managing workstation, allowing the attacker to reconfigure the PLC without needing to know a password. Reconfiguration, in turn, allows the attacker to perform remote code execution attacks, including installation of malware and steps to obfuscate their presence. 

Schneider Electric said it applauds security researchers like Armis and has been working with the company to validate its claims and determine remediation steps. “Our mutual findings demonstrate that while the discovered vulnerabilities affect Schneider Electric offers, it is possible to mitigate the potential impacts by following standard guidance, specific instructions; and in some cases, the fixes provided by Schneider Electric to remove the vulnerability,” Schneider said in a statement.

Industrial control systems vulnerabilities have been a rising problem in recent years, but it’s important to note that just because PLCs like Schneder’s Modicon line are vulnerable doesn’t mean an attacker will have an easy time taking control of them. PLCs shouldn’t be internet facing: If they are, an attack is simple, but ideally an attacker would need to gain access to a secured network before being able to find a PLC to exploit. 

In addition to keeping PLCs off the internet, Armis’ European cyber risk officer, Andy Norton, has several recommendations for securing Internet of Things devices and other industrial control systems hardware.

Norton recommends that all organizations ensure they have real-time visibility into internet-connected assets, internal or external. “Whether in an office or on the manufacturing floor, establishing real-time, continuous monitoring enables security professionals to validate baselines for device behavior, detect anomalous activity and stop IoT device attacks before they spread,” Norton said.

Privacy and access governance strategies are essential as well, Norton said. There are several ways to do this, like with zero-trust architecture, but regardless of the method it’s essential that something is in place to limit access to data and different areas of a business’ network.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

Finally, Norton recommends disabling universal plug-and-play protocols and instead configuring each device manually. “Several high-profile exploits specifically target UPnP protocols, so the safer bet is manually configuring IoT devices when introducing them into the workplace,” Norton said. 

Armis has additional findings and remediation recommendations for Modipwn on its website.

Also see