GE, Modicon Metasploit Modules

Tuesday, April 10, 2012 @ 05:04 PM gHale


Metasploit modules are available to exploit the Schneider Electric Modicon Quantum PLC and the General Electric (GE) D20ME vulnerabilities previously released, according to reports with ICS-CERT.

Reid Wightman of Digital Bond released Metasploit modules for the Modicon and the GE vulnerabilities.

RELATED STORIES
CoDeSys, Wago Vulnerabilities
ABB WebWare Server Vulnerability
Wonderware Fixes Security Holes
Rockwell Patches FactoryTalk

In the Modicon case, the vulnerabilities are exploitable through backdoor accounts (previously disclosed), malformed HTTP or FTP requests, or cross-site scripting (XSS). Proof-of-concept (PoC) exploit code released targeting the password storage on the Schneider Electric Modicon Quantum PLC. This exploit module retrieves stored username and passwords for the webserver login and an additional password that may see use to modify control operations via the web interface.

The newly released Metasploit modules cover:
• Modicon_command, which allows a remote, unauthenticated user to issue stop and start commands. If an attacker has access to the Modbus TCP port, an attacker can simply stop or start the CPU without authentication.
• Modicon_stux_transfer, allows a remote, unauthenticated user to download and upload possibly modified ladder logic via Modbus.

Schneider Electric said the following features can restrict access and prevent modification of the PLC program.

The Ethernet modules of the PLC support an Access Control List you can enable on the module configuration screen to restrict access via Modbus/UMAS protocols (Port 502/TCP) to configured IP addresses only.

The Quantum PLCs provide a key switch located on the front panel that allows a user to protect the PLC program from modification. When set to the Memory Protect position, you cannot modify the PLC program; however, SCADA and other devices can still send commands to the PLC variables.

Programs stored on a memory card provide write protection via a switch on the memory card to protect the PLC program from modification. When set to the Memory Protect position, you cannot modify the PLC program; however, SCADA and other devices can still send commands to the PLC variables.

In the GE case, multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the GE D20ME, part of the GE D20Substation Controller product, previously released. The vulnerability is exploitable by using TFTP connections to the controller.

The newly released Metasploit module covers:
• d20_tftp_overflow, which triggers a Denial of Service (DoS) condition due to a buffer overflow vulnerability in GE’s D20ME PLC TFTP server.

ICS-CERT notified GE of the report and asked GE to confirm the vulnerability and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for end users.

The report included vulnerability details and PoC exploit code for the following remotely exploitable vulnerabilities:
1. Data Leakage, where there could be a data leakage of authentication credentials
2. Arbitrary Code Execution, where an attacker can execute arbitrary commands/Denial of Service
3. Buffer Overflow, where there could be a DoS with potential of arbitrary code execution

GE requested users contact their GE support representative for additional mitigation information for these vulnerabilities.



Leave a Reply

You must be logged in to post a comment.