A vulnerability discovered in Schneider Electric’s Modicon PLCs could allow a remote attacker to gain complete, hard-to-detect control over the controllers, leading to remote code execution, malware installation and other compromises.
The vulnerability affects the Modicon M340 and M580 and “other models from the Modicon series.” It abuses Schneider’s Unified Messaging Application Services (UMAS) protocol, which engineering software uses to configure and monitor Modicon and other Schneider PLCs, by issuing undocumented commands that let the attacker leak hashes from the device’s memory.
Dubbed Modipwn, it is similar to the vulnerability leveraged by the Triton malware, which targeted Schneider Electric safety controllers in Saudi Arabian petrochemical plants.
Once a hash is leaked, the attacker can use it to take over the authenticated connection that UMAS establishes between the PLC and its engineering workstation, and so reconfigure the PLC without knowing the password. Reconfiguration in turn opens the way to remote code execution, including installing malware and taking steps to hide the attacker’s presence.
ICS vulnerabilities have been a growing problem in recent years, but the fact that PLCs such as Schneider’s Modicon line are vulnerable does not mean an attacker will find them easy to take over. PLCs should never be internet-facing; if they are, the attack is straightforward, but in a properly segmented plant an attacker must first gain access to the protected OT network before they can even find a PLC to exploit.
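A practical check that follows from the two paragraphs above (UMAS as the attack surface, and network exposure as the precondition) is to watch who is talking UMAS to the PLCs. UMAS is carried over Modbus/TCP (port 502) inside Modbus function code 0x5A, so any 0x5A frame that does not come from an approved engineering workstation is worth an alert. The example below is added here for this article; it is not Schneider Electric’s code and it does not decode the UMAS commands themselves. The plant address range, the workstation allowlist and the sample frames are constructed for the example.

```python
"""Flag UMAS traffic reaching a Modicon PLC from anywhere other than an approved
engineering workstation.

Added example accompanying the article, not Schneider Electric's code. It relies
on one protocol fact: UMAS is tunnelled over Modbus/TCP inside Modbus function
code 0x5A. The address ranges, allowlist and sample frames are constructed.
"""
import ipaddress
import struct
from typing import Iterable, List, Optional, Tuple

UMAS_FUNCTION_CODE = 0x5A   # Modbus function code that carries UMAS
MBAP_PROTOCOL_ID = 0        # Modbus/TCP protocol identifier is always 0

# Assumed site layout (constructed): the PLC cell network, and the only hosts
# that are allowed to speak UMAS to the controllers.
PLANT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.20.1.10")}


def parse_modbus_tcp(frame: bytes) -> Optional[dict]:
    """Split a Modbus/TCP frame into its MBAP header fields and PDU.

    Returns None when the frame is truncated or the MBAP length field does not
    match the bytes present, so a malformed frame is never treated as benign.
    """
    if len(frame) < 8:                      # 7-byte MBAP header + function code
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != MBAP_PROTOCOL_ID or length < 2 or len(frame) != 6 + length:
        return None
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": frame[7],
        "data": frame[8:],                  # for 0x5A this is the opaque UMAS body
    }


def build_modbus_tcp(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP frame (used to construct the samples)."""
    pdu = bytes([function_code]) + data
    # MBAP length counts the unit identifier plus the PDU.
    return struct.pack(">HHHB", tid, MBAP_PROTOCOL_ID, len(pdu) + 1, unit) + pdu


def classify(src_ip: str, frame: bytes,
             workstations=ENGINEERING_WORKSTATIONS,
             networks=PLANT_NETWORKS) -> str:
    """Return a verdict for one frame sent to a PLC from src_ip."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "ALERT:malformed-modbus"
    if parsed["function_code"] != UMAS_FUNCTION_CODE:
        return "modbus"                     # ordinary Modbus polling; out of scope
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in networks):
        return "ALERT:umas-from-outside-plant"     # PLC reachable beyond the OT network
    if src in workstations:
        return "umas-engineering"           # expected: an approved workstation
    return "ALERT:umas-from-unapproved-host"       # inside the plant, but not a workstation


def scan(records: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run classify() over (src_ip, frame) pairs and return only the alerts."""
    alerts = []
    for src, frame in records:
        verdict = classify(src, frame)
        if verdict.startswith("ALERT"):
            alerts.append((src, verdict))
    return alerts


# Constructed sample traffic: one routine register read and several UMAS frames.
# The UMAS body is deliberately left opaque; its sub-function bytes are not decoded.
READ_HOLDING_REGISTERS = build_modbus_tcp(1, 1, 0x03, b"\x00\x00\x00\x0a")
UMAS_FRAME = build_modbus_tcp(2, 1, UMAS_FUNCTION_CODE, b"\x00\x02")
TRUNCATED_FRAME = UMAS_FRAME[:-1]

SAMPLE_TRAFFIC = [
    ("10.20.1.10", UMAS_FRAME),              # approved engineering workstation
    ("10.20.7.44", READ_HOLDING_REGISTERS),  # HMI polling registers: fine
    ("10.20.7.44", UMAS_FRAME),              # an HMI should never speak UMAS
    ("203.0.113.7", UMAS_FRAME),             # address outside the plant range
    ("10.20.1.10", TRUNCATED_FRAME),         # length field disagrees with bytes present
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_TRAFFIC):
        print(f"{src:>14}  {verdict}")
```

Run against the constructed capture, the scan raises three alerts: the HMI speaking UMAS, the out-of-range source, and the malformed frame. The allowlist is deliberately host-based rather than subnet-based because the point of the article is that UMAS access is equivalent to engineering access; any host that is not an engineering workstation has no business sending 0x5A frames at all.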
Norton recommends disabling UPnP and instead configuring each device manually. “Several high-profile exploits specifically target UPnP protocols, so the safer bet is manually configuring IoT devices when introducing them into the workplace.”