Schneider Electric Modicon vulnerability impacts ICS operation in industrial settings

The security flaw, if left unpatched, has the potential to cause unnecessary reboots.
Written by Charlie Osborne, Contributing Writer

A security vulnerability discovered in Schneider Electric Modicon controllers has the potential to severely disrupt industrial equipment and networks.

According to researchers from industrial cybersecurity firm Radiflow, the bug, tracked as CVE-2018-7789, "severely exposes the safety and availability of the ICS networks on which these devices were installed."

The vulnerability is present in the Schneider Electric Modicon M221 controller and is described as an "improper check for unusual or exceptional conditions" error.

If exploited, the vulnerability could allow unauthorized users to remotely reboot the controller using crafted programming protocol frames.

Modicon M221 versions prior to firmware v1.6.2.0 are affected.

A remote reboot may not seem like much compared with what else remote tampering can achieve, but given that the M221 controllers are found in industrial settings, the potential implications of the bug are serious.

Should the vulnerability result in unscheduled reboots, this would prevent the devices from communicating with the rest of an industrial control system (ICS) network, which would leave operators without any means to view or connect to the physical processes on an operational platform.

This could not only seriously impact the function of industrial control systems, but could also force corporations and factory managers to endure significant downtime in order to regain control of impacted devices.

Threat actors could also use the flaw to stage an attack in which multiple devices are rebooted at the same time, causing widespread disruption.

The bug was discovered by Radiflow CTO Yehonatan Kfir, who said there are at least two use cases in which the security flaw could be harnessed in exploit chains.

CVE-2018-7789 was discovered two months ago and privately reported to Schneider Electric. A security update has been issued to resolve the flaw.

The firmware update is found in Modicon M221 v1.6.2.0, delivered by SoMachine Basic v1.6 SP2, or through the Schneider Electric Software Update tool.

In January, researchers from FireEye revealed the existence of a zero-day vulnerability in Triconex SIS controllers which was being used to target industrial systems in the Middle East.

The Triton malware was able to tamper with emergency shutdown systems and was described as "part of a complex malware infection scenario."
