Remotely exploitable flaw in Schneider Electric PLCs is a danger to OT networks

A vulnerability in the Schneider Electric Modicon M221, a programmable logic controller (PLC) deployed in commercial industrial facilities worldwide, can be exploited to remotely disconnected the device from communicating in the ICS network.

Schneider Electric Modicon M221

“An unauthorized user could have easily exploited this vulnerability to execute a synchronized attack and cause a number of these controllers to stop communicating. This type of unauthorized action would allow a cyber-attacker to massively disconnect the effected PLCs from the HMI leaving the operator with no way to view and control the physical processes on the OT network, while instantly harming the safety and reliability of the ICS systems,” Radiflow researchers have noted.

About the vulnerability (CVE-2018-7789)

Uncovered by Radiflow CTO Yehonatan Kfir and responsibly disclosed to Schneider Electric over two months ago, the vulnerability affects all versions of Modicon M221 firmware prior to v1.6.2.0 and can be triggered with specially crafted programing protocol frames.

The vulnerability was assigned a CVSS v3 base score of 4.8, and there are no known public exploits specifically targeting it.

But Kfir says that, from the perspective of the OT operations, the score probably should have been different.

“I say this because in general the assessment for this scoring is usually taken from the perspective of IT, which takes into account the vulnerability’s impact on the potential for confidential data to be compromised. This of course is important, although less relevant to OT operations and as such the reason we think that the score could have been higher,” he explained to Help Net Security.

“This CVE could have resulted in the controller getting stuck and causing its communication to drop from the OT network. Disconnecting the PLC from the HMI certainly has more than just a low impact on the availability of an OT network. To recover such a problem, an onsite visit from a technician to do a power reset is required. The impact of such a situation on availability seems much higher than reflected in the scoring.”

The ICS CERT also pointed out that high skill level is needed to exploit the flaw.

To be sure, attackers would have to be familiar with the proprietary protocols used by Schneider Electric. But, as Kfir notes, many experienced hacking groups are now targeting OT networks and have demonstrated the capability to hack through proprietary protocols.

“This was clearly demonstrated in the Triton/Trisis case,” he says. “In addition, a simple search on the Shodan site can lead any hacker to find more than 100 vulnerable devices that are connected to the Internet. It would have been just a matter of a few clicks that could have led to a cyberattack to take down those vulnerable PLCs.”

Mitigation

Kfir praises Schneider Electric’s “highly professional” response to their report and for fixing the issue quickly.

For those industrial operators that can’t implement the new firmware immediately, the company has pointed out temporary mitigation steps: set up a firewall blocking all remote/external access to port 502 and disable all unused protocols.