A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).
The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.
The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.
According to Schneider, all Modicon M221 controllers running firmware versions prior to 188.8.131.52, which includes a patch for the issue, are impacted.
Radiflow’s Kfir told SecurityWeek that while Schneider responded to the vulnerability in a “highly professional manner,” his company does not agree with the severity rating assigned by the vendor – ICS-CERT and Schneider assigned a CVSS score of 4.8, which puts the flaw in the “medium severity” category.
“In general, the assessment for the scoring is usually assessed from the perspective of IT, which takes into account the vulnerability’s impact on the potential for confidential data to be compromised,” Kfir explained. “This of course is important, although less relevant to OT operations and as such the reason we think that the score could have been higher.”
“This CVE could have resulted in the controller getting stuck and causing its communication to drop from the OT network. Disconnecting the PLC from the HMI certainly has more than a low impact on the availability of the OT network. To recover from such a problem, an onsite visit from a technician to do a power reset is required. The impact of such a situation on availability seems much higher than reflected in the scoring,” the expert added.
In a press release Radiflow will publish on Thursday, the company says an attack exploiting this flaw “would cause significant downtime to the ICS network.”
The CVSS score is also lowered by the “attack complexity” metric being rated “high.” Kfir admitted that an attacker would need to be familiar with Schneider’s proprietary protocols in order to exploit the bug, but argued that threat groups focused on targeting industrial systems – one good example is the actor behind the Triton attack – have already demonstrated these types of capabilities.
“Although it may be complex for a novice to exploit this vulnerability, it would not have been difficult at all for experienced hackers to leverage this vulnerability,” Kfir said.
Radiflow says its researchers have identified two ways to exploit the vulnerability, both of which work remotely. Worryingly, Kfir told SecurityWeek that a simple Shodan search revealed over 100 vulnerable devices directly accessible from the Internet.
“It is just a matter of a few clicks that could have led to a cyberattack to take down those vulnerable PLCs,” Kfir said.
Earlier this year, Radiflow reported that a piece of cryptocurrency mining malware worked its way onto servers connected to an OT network at a wastewater facility in Europe.
Other vulnerabilities in Modicon M221 controllers
Different advisories published in recent days by ICS-CERT and Schneider Electric describe three other vulnerabilities discovered by researchers in Modicon M221 controllers.
These security holes, all classified as “high severity,” can be exploited to upload the original PLC program and to decode the device’s password using a rainbow table.
Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans have been credited for finding these flaws.
These security holes have also been addressed by Schneider with the release of firmware version 184.108.40.206.