Flaw in Schneider PLC Allows Significant Disruption to ICS

A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).

The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.

The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.

According to Schneider, all Modicon M221 controllers running firmware versions prior to 1.6.2.0, which includes a patch for the issue, are impacted.

Schneider Electric Modicon M221 controllers affected by serious vulnerability

Radiflow’s Kfir told SecurityWeek that while Schneider responded to the vulnerability in a “highly professional manner,” his company does not agree with the severity rating assigned by the vendor – ICS-CERT and Schneider assigned a CVSS score of 4.8, which puts the flaw in the “medium severity” category.

“In general the assessment for the scoring is usually assessed from the perspective of IT, which takes into account the vulnerability’s impact on the potential for confidential data to be compromised,” Kfir explained. “This of course is important, although less relevant to OT operations and as such the reason we think that the score could have been higher.”

“This CVE could have resulted in the controller getting stuck and causing its communication to drop from the OT network. Disconnecting the PLC from the HMI certainly has more than a low impact on the availability of the OT network. To recover from such a problem, an onsite visit from a technician to do a power reset is required. The impact of such a situation on availability seems much higher than reflected in the scoring,” the expert added.

In a press release Radiflow will publish on Thursday, the company says an attack exploiting this flaw “would cause significant downtime to the ICS network.”

The CVSS score is also lowered due to the “attack complexity” metric being described as “high.” Kfir admits that an attacker would need to be familiar with Schneider’s proprietary protocols in order to exploit the bug, but argued that threat groups focused on targeting industrial systems – one good example is the actor behind the Triton attack – have already demonstrated these types of capabilities.

“Although it may be complex for a novice to exploit this vulnerability, it would not have been difficult at all for experienced hackers to leverage this vulnerability,” Kfir said.
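To make the scoring dispute concrete, the following added example (not code from the article, Radiflow or Schneider) computes a CVSS v3.0 base score from a vector string and then re-scores it with the environmental Availability Requirement set to High, which is how an OT asset owner can express the availability concern Kfir raises. The vector used is an assumption: it is consistent with the published 4.8 but is not taken from the advisories.

```python
"""CVSS v3.0 base score from a vector string, plus an environmental
re-score with a raised Availability Requirement (AR). Added example for
this article; the sample vector below is assumed, not the advisory's."""
import math

# Numeric weights from the CVSS v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # Privileges Required, scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}   # Privileges Required, scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR/IR/AR environmental multipliers

def roundup(x):
    """CVSS 'Roundup': smallest one-decimal value >= x (v3.1 float-safe form)."""
    i = int(round(x * 100000))
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse(vector):
    parts = vector.split("/")
    if parts[0].startswith("CVSS:"):
        parts = parts[1:]                 # drop the version prefix
    return dict(p.split(":") for p in parts)

def _score(m, iss):
    """Combine an impact sub-score with exploitability, per scope rules."""
    pr = (PR_C if m["S"] == "C" else PR_U)[m["PR"]]
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    if m["S"] == "U":
        imp = 6.42 * iss
    else:
        imp = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if imp <= 0:
        return 0.0
    total = imp + expl if m["S"] == "U" else 1.08 * (imp + expl)
    return roundup(min(total, 10))

def base_score(vector):
    m = parse(vector)
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    return _score(m, iss)

def environmental_score(vector, cr="X", ir="X", ar="X"):
    """Environmental score when only the security requirements are modified."""
    m = parse(vector)
    miss = min(1 - (1 - CIA[m["C"]] * REQ[cr]) * (1 - CIA[m["I"]] * REQ[ir])
               * (1 - CIA[m["A"]] * REQ[ar]), 0.915)
    return _score(m, miss)

# Assumed vector: availability-only impact, high attack complexity -> 4.8.
V = "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H"
print(base_score(V), base_score(V.replace("AC:H", "AC:L")), environmental_score(V, ar="H"))
```

Lowering attack complexity alone moves the assumed vector only to 5.7, while an environmental Availability Requirement of High lifts it to 6.6, which is the lever an OT operator controls.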

Radiflow says its researchers have identified two ways to exploit the vulnerability and they both work remotely. Worryingly, Kfir told SecurityWeek that a simple Shodan search revealed over 100 vulnerable devices directly accessible from the Internet.

“It is just a matter of a few clicks that could have led to a cyberattack to take down those vulnerable PLCs,” Kfir said.

Earlier this year, Radiflow reported that a piece of cryptocurrency mining malware worked its way onto servers connected to an OT network at a wastewater facility in Europe.

Other vulnerabilities in Modicon M221 controllers

Different advisories published in recent days by ICS-CERT and Schneider Electric describe three other vulnerabilities discovered by researchers in Modicon M221 controllers.

These security holes, all classified as “high severity,” can be exploited to upload the original PLC program, and decode the device’s password using a rainbow table.

Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans have been credited for finding these flaws.

These security holes have also been addressed by Schneider with the release of firmware version 1.6.2.0.

Related: Flaw in Schneider PLC Programming Tool Allows Remote Attacks

Related: Schneider Electric Patches Flaws in Modicon, Wonderware Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.