A security vulnerability discovered in Schneider Electric Modicon controllers has the potential to severely disrupt industrial equipment and networks.
According to researchers from industrial cybersecurity firm Radiflow, the bug, tracked as CVE-2018-7789, "severely exposes the safety and availability of the ICS networks on which these devices were installed."
The vulnerability is present in the Schneider Electric Modicon M221 controller and is classified as an improper check for unusual or exceptional conditions.
If exploited, the vulnerability could allow unauthorized users to remotely reboot the controller using crafted programming protocol frames.
Modicon M221 versions prior to firmware v220.127.116.11 are affected.
A remote reboot may not seem like a problem on the full scale of what can be achieved by remote tampering, but given that the M221 controllers are found in industrial settings, the potential implications of the bug are serious.
Should the vulnerability result in unscheduled reboots, the devices would be unable to communicate with the rest of an industrial control system (ICS) network, leaving operators without any means to view or connect to the physical processes on an operational platform.
This could not only seriously impact the function of industrial control systems, but could also force corporations and factory managers to endure significant downtime in order to regain control of impacted devices.
Threat actors could also potentially use the flaw to stage an attack in which multiple devices are rebooted at the same time, causing widespread disruption.
The bug was discovered by Radiflow CTO Yehonatan Kfir, who said there are at least two use cases in which the security flaw could be harnessed in exploit chains.
CVE-2018-7789 was discovered two months ago and privately reported to Schneider Electric. A security update has been issued to resolve the flaw.
The firmware update is found in Modicon M221 v18.104.22.168, delivered by SoMachine Basic v1.6 SP2, or through the Schneider Electric Software Update tool.
In January, researchers from FireEye revealed the existence of a zero-day vulnerability in Triconex SIS controllers which was being used to target industrial systems in the Middle East.
The Triton malware was able to tamper with emergency shutdown systems and was described as "part of a complex malware infection scenario."