Modipwn: code execution vulnerability discovered in Schneider Electric Modicon PLCs

The security flaw allows attackers to obtain full control over a PLC.

A vulnerability discovered in Schneider Electric (SE) Modicon programmable logic controllers (PLCs) allows full takeover of the industrial chips.

Discovered by Armis researchers, the vulnerability can be used to bypass existing security mechanisms in PLCs to hijack the devices and potentially impact wider industrial setups. The authentication bypass vulnerability, dubbed Modipwn, has been assigned CVE-2021-22779.

Without authorization, it is possible for attackers to abuse undocumented commands and obtain full control over one of these chips, overwriting memory, leaking a hash required to take over secure connections, and executing code -- which, in turn, can impact the security of workstations that manage the PLCs. 

SE Modicon PLCs are used to control Industrial Internet of Things (IIoT) devices in the construction, energy, machinery, and utility sectors, among others. Armis says that to trigger an attack, only network access is required to the target PLC.

Armis says there are inherent security issues in Modbus, an industry-standard protocol -- and as SE's proprietary UMAS is based on the protocol, PLCs linked to UMAS may be beset by known, weak encryption and authentication mechanisms in the original Modbus standard.
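Because the attack described above needs nothing more than network reachability, and classic Modbus carries no authentication at the protocol level, a practical defensive measure is to monitor the Modbus/TCP traffic reaching a PLC and alert on vendor-specific traffic from hosts that are not known engineering workstations. The following Python is an added example for that purpose; it is not code from Armis or Schneider Electric. It assumes that UMAS rides on Modbus function code 0x5A (90), and the sample frames, host addresses and the two-byte payload in the UMAS frame are constructed for the demonstration and do not represent any real UMAS command.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

# Modbus function code that carries Schneider's UMAS protocol (assumption: 0x5A / 90).
UMAS_FUNCTION_CODE = 0x5A
# Public function codes defined by the Modbus Application Protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}


@dataclass(frozen=True)
class ModbusPdu:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusPdu:
    """Parse one Modbus/TCP application data unit: 7-byte MBAP header + PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected MBAP protocol id {protocol_id}")
    # The MBAP length field counts the unit id, function code and data that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusPdu(transaction_id, unit_id, frame[7], frame[8:])


def inspect_traffic(packets: Iterable[tuple[str, str, bytes]],
                    engineering_hosts: set[str]) -> list[str]:
    """Return one alert string per suspicious packet.

    packets: (source ip, destination ip, Modbus/TCP frame) tuples.
    engineering_hosts: hosts that are allowed to speak UMAS to the PLCs.
    """
    alerts = []
    for src, dst, frame in packets:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP frame ({exc})")
            continue
        if pdu.function_code == UMAS_FUNCTION_CODE:
            # UMAS is the management channel; only engineering hosts should use it.
            if src not in engineering_hosts:
                alerts.append(f"{src}->{dst}: UMAS (fc 0x5A) from host outside engineering allowlist")
        elif pdu.function_code not in PUBLIC_FUNCTION_CODES:
            alerts.append(f"{src}->{dst}: non-public Modbus function code 0x{pdu.function_code:02x}")
    return alerts


# Constructed sample traffic (not captured from any real device).
READ_HOLDING_REGISTERS = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"  # fc 3, 10 regs from 0
UMAS_FRAME = b"\x00\x02\x00\x00\x00\x04\x00\x5a\x00\x01"  # fc 0x5A; payload is a placeholder
TRUNCATED_FRAME = b"\x00\x03\x00\x00\x00\x09\x01\x03"  # length field claims 9, only 2 bytes follow

SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", READ_HOLDING_REGISTERS),  # HMI polling the PLC
    ("10.0.0.7", "10.0.0.20", UMAS_FRAME),              # known engineering workstation
    ("10.0.0.99", "10.0.0.20", UMAS_FRAME),             # unknown host talking UMAS
    ("10.0.0.99", "10.0.0.20", TRUNCATED_FRAME),        # malformed frame
]
ENGINEERING_HOSTS = {"10.0.0.7"}

if __name__ == "__main__":
    for alert in inspect_traffic(SAMPLE_PACKETS, ENGINEERING_HOSTS):
        print(alert)
```

Run against the constructed sample, the inspector stays quiet for the HMI's register poll and for UMAS from the allowlisted workstation, and raises two alerts: UMAS from the unknown host and the frame whose MBAP length does not match its size. In a real deployment the packet source would be a span port or a pcap feed and the allowlist would come from asset inventory; the point is that, with no authentication in the protocol itself, network-level visibility is what tells legitimate engineering traffic apart from an unauthorized host exercising the same commands.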

When chained with CVE-2021-22779, this means that known UMAS bugs (CVE-2021-22779, CVE-2018-7852, CVE-2019-6829, and CVE-2020-7537), although partially mitigated, still pose a risk to Modicon M340 and M580 products, as well as "other models."

"SE has stated in the past its intent to adopt the Modbus Security protocol that offers encryption and authentication mechanisms that are not part of the classic Modbus protocol," Armis says. "These adoption steps, however, have yet to be implemented."

Armis informed SE of its findings on November 13, 2020. SE is due to issue clients an advisory with steps toward mitigation, but a full patch is not expected until Q4 2021. 

In addition, two further vulnerabilities were found by the research team -- both of which were authentication bypass bugs -- which SE also needs to resolve. 

"Due to inherent shortcomings of the Modbus protocol that powers SE's Unified Messaging Application Services (UMAS) protocol used by Modicon PLCs, Armis will continue working with SE and additional vendors to address these issues," the company says. 

In 2018, a zero-day vulnerability was exploited in SE Triconex controllers by attackers attempting to disrupt industrial operations in the Middle East. During these attacks, the Triton Trojan was deployed to tamper with emergency shutdown systems. 

"As always, we appreciate and applaud independent cybersecurity research because, as in this case, it helps the global manufacturing industry strengthen our collective ability to prevent and respond to cyberattacks," Schneider Electric said in a statement. 
