IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Schneider Electric flaws could allow remote code execution

Chained 'ModiPwn' attack could give attackers control over industrial systems

Researchers have discovered a vulnerability in Schneider Electric process logic controllers (PLCs) that could enable attackers to gain complete control of the system. The components are used in industrial control system environments, such as public utilities and building controls. 

The vulnerabilities, discovered by researchers at security company Armis, affect Schneider Electric's Modicon M580 and M340 controllers. They enable attackers to run remote code natively on the controllers, altering their function. 

Nicknamed ModiPwn, the attacks use a vulnerability in the control protocol that interacts with the controllers. Originally, controllers used a 1970s industrial control protocol called ModBus, which had few security protections. 

Schneider Electric revised this with an extended protocol called UMAS, which adds some security enhancements. One of these includes the ability for administrators to reserve a PLC so they can update it without any conflicts caused by other updates happening simultaneously. 

The researchers chained several undocumented commands together in UMAS that enable attackers to write code to the PLC's memory and then trigger it. 

Schneider Electric attempted to disable these commands altogether when the PLC uses an application password. However, the researchers discovered an authentication vulnerability in this reservation system that enabled them to derive the hash of the authentication password stored on the PLC. 

Related Resource

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

The Forrester Wave: Top security analytics platforms - whitepaper from IBMFree download

This vulnerability, CVE-2021-22779, enables the attackers to read the password hash from the PLC's memory and use it to bypass authentication altogether. 

Using this authentication bypass vulnerability, they could upload a new project file that doesn't have a password. This downgrades the device’s security, removing application password functionality and enabling the chained attack. 

CVE-2021-22779 has a 9.8 CVSS score, making it critical, although attackers would need network access to implement it. There appeared to be no patch at the time of writing, but Schneider Electric's advisory mentioned several workarounds while it works on a patch, including adding firewalls and segmenting networks. 

The vulnerability is another example of the security challenges facing companies that use industrial control systems with protocols on networks increasingly connected to the internet. 

The Biden administration has prioritized cyber security with an initiative to shore up resilience in the electrical grid as a blueprint for a broader infrastructural security plan.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022