Researchers at Cisco Talos have discovered nearly a dozen vulnerabilities in some of Schneider Electric’s Modicon programmable logic controllers (PLCs).
There are a total of 11 security holes affecting Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum (no longer supported), Premium, and Modicon BMxCRA and 140CRA modules. The M580 PLC, which is the newest Modicon controller, is the only one affected by all the vulnerabilities, while the rest are impacted by 2-8 flaws.
The vulnerabilities are related to the Modbus, FTP and TFTP protocols, and the REST API. The more serious flaws — the ones affecting TFTP and the REST API — can be exploited by sending specially crafted requests to the targeted device. They have been assigned the CVE identifiers CVE-2019-6841 through CVE-2019-6851.
The three flaws related to the REST API are all classified as high severity, and they can be exploited for denial-of-service (DoS) attacks or they could lead to the disclosure of sensitive information.
The vulnerability related to the TFTP protocol is also high severity. Exploitation of the bug can result in the exposure of file and directory information, but the TFTP port is disabled by default on controllers, Schneider said.
As for the Modbus-related issue, it’s a medium-severity weakness involving the transmission of sensitive information in clear text when Modbus is used to transfer applications to the controller.
In the case of the FTP-related vulnerabilities, most of them can be exploited to cause devices to enter a DoS condition using a specially crafted firmware image.
Talos reported the vulnerabilities to Schneider Electric in May and July. The company this week published four separate advisories for the weaknesses, each focusing on the affected component. In each case, it blamed the vulnerabilities on the impacted protocol.
While it has not released any firmware updates to address the vulnerabilities, the company has provided a series of recommendations for preventing potential attacks. These include disabling the impacted services if not needed, blocking unauthorized access to specific ports at the firewall, and, in the case of the FTP-related bugs, changing default passwords.
Talos has published a blog post describing the FTP-related vulnerabilities, and released separate advisories for most of the flaws.