Vulnerability in Schneider PLC allows serious disruptions in industrial environments

A recently disclosed flaw in some of Schneider Electric’s Programmable Logic Controllers (PLCs) would allow malicious actors to cause significant disruption in Industrial Control Systems (ICS).

The vulnerability was identified by Yehonatan Kfir, an ethical hacking specialist, as part of an ongoing project aimed at finding new vulnerabilities in industrial control systems. Security advisories for this issue have already been published by Schneider Electric and the Industrial Control Systems Computer Emergency Response Team (ICS-CERT).

The vulnerability, tracked as CVE-2018-7789 and described as an improper check for unusual or exceptional conditions, can be exploited by a remote attacker to restart M221 controllers.

According to Schneider Electric, all M221 controllers running firmware versions prior to 1.6.2.0, the release that patches the issue, are affected.

The ethical hacking specialist said that, while Schneider responded to the report in a highly professional manner, he believes the company has underrated the severity of the vulnerability: Schneider and ICS-CERT assigned it a score of 4.8 in the Common Vulnerability Scoring System (CVSS), which places it in the “medium severity” category.

“In general, a security issue is assessed from an IT perspective, which considers the impact of the vulnerability according to its potential to compromise sensitive information. This, of course, is important, though less relevant to an operational technology area, so the vulnerability should have received a higher score,” the expert said. “This vulnerability could have caused the PLC disruption; to recover from such a problem, a specialist technician is required to perform a power reboot.”

The CVSS score of this flaw was also lowered because the “attack complexity” metric was rated “high”. According to ethical hacking specialists from the International Institute of Cyber Security, an attacker would need to be familiar with Schneider Electric’s proprietary protocols to exploit it, which makes the attack harder to carry out.

“Although it may be complex for a novice hacker to exploit this vulnerability, it would not be difficult for more experienced hackers to take advantage of this flaw,” said Kfir.

Other vulnerabilities in the M221 controllers

Separate advisories published in recent days by ICS-CERT and Schneider Electric disclosed three other vulnerabilities discovered in the M221 controllers.

These security holes, all classified as “high severity”, can be exploited to retrieve the original PLC program and to recover the device password using a rainbow table.

These vulnerabilities have also been addressed by Schneider Electric with the release of firmware version 1.6.2.0.