Vulnerability in Schneider Electric Modicon PLCs would allow hackers to bypass authentication mechanisms and take over these IoT devices

Cybersecurity specialists report the discovery of an authentication bypass vulnerability that resides in some of the Modicon programmable logic programmers (PLCs), developed by Schneider Electric. The report, prepared by IoT security firm Armis tracked the flaw as CVE-2021-22779 and dubbed it as ModiPwn.

The researchers mention that the vulnerability can be exploited by unauthenticated threat actors to gain network access to the target PLC and take full control of the vulnerable devices.

“A critical vulnerability has been reported in Schneider Electric’s Modicon PLCs. The vulnerability would allow attackers to evade authentication mechanisms that can lead to the execution of native remote code on vulnerable PLCs,” Schneider’s security alert mentions.

The researchers demonstrated that by chaining this flaw with other known security issues (CVE-2018-7852, CVE-2019-6829, and CVE-2020-7537) in the Unified Messaging Application Services (UMAS) protocol, it is possible to take complete control of the target device.

These protocol flaws are undocumented commands that probably weren’t removed due to legacy dependencies. In a safety report, Schneider Electric points to the addition of an authentication mechanism to mitigate the risk of exploitation that in the end did not turn out as functional as expected.

On the other hand, experts mention that the UMAS protocol operates on the Modbus protocol, which has no authentication or encryption mechanisms. The manufacturer fixed the previous flaws although this new report mentions that the ModiPwn vulnerability would still allow hackers to evade this authentication mechanism on Modicon M580 and M340.

This flaw was reported to Schneider Electric in mid-November by researchers Kai Wang of FortiGuard Labs, Nicholas Miles of Tenable and Andrey Muravitsky of Kaspersky ICS CERT, according to the company’s public disclosure documents.

The company also released a notice that includes a detailed report of the flaw and some recommendations to mitigate the risk of exploitation, this because a security patch has not yet been released to fully address the issue.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.