Chemical Safety Incidents
Schneider Limits Modicon Holes
Tuesday, April 11, 2017 @ 03:04 PM gHale
Schneider Electric introduced compensating controls to limit the exploitability of authentication bypass by capture-replay and violation of secure design principles vulnerabilities in Modicon programmable logic controllers (PLCs), according to a report with ICS-CERT.
Modicon Modbus protocol, all versions suffer from the remotely exploitable vulnerabilities discovered by Eran Goldstein of CRITIFENCE.
Successful exploitation of these vulnerabilities may allow an unauthorized remote attacker to capture and replay sensitive commands to PLCs on a network using the Modicon Modbus protocol.
Schneider Electric introduced the compensating controls to limit the exploitability of the identified vulnerabilities in many of the Modicon PLCs, however, the company recommends users apply security measures to improve resiliency.
In one vulnerability, sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: Run, stop, upload, and download.
CVE-2017-6034 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
In another issue, the Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.
CVE-2017-6032 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use in the critical manufacturing, dams, defense industrial base, energy, food and agriculture, government facilities, nuclear reactors, materials, and waste, transportation systems, and water and wastewater sectors. It sees action on a global basis.
An attacker with low skill level would be able to leverage the vulnerabilities.
Schneider Electric’s Momentum M1E controllers (all versions of model 171CBU98090 and all versions of model 171CBU98091) do not have built-in compensating controls to limit the exploitability of the identified vulnerabilities and Schneider Electric instructs users to take the following defensive measures:
• Protect access to M1E controllers by a firewall blocking all remote/external access to Port 502.
Schneider Electric reports that Modicon M340, M580, Premium and Quantum users should take one or more of the following defensive measures:
• Enable protection based on an authentication to connect to PLC. This method relies on a feature named Application Password. Once enabled, password-based authentication is required whenever a user connects to change their application program
• Enable protection relying on an input (M340, Premium, Quantum) or a key switch in the front panel (Quantum) to reject remote connection or run/stop commands
• Enable the “Access Control List protection,” where users are able to configure the restricted IP addresses that are pre-authorized to control the PLC
For additional information, Schneider Electric released a Cybersecurity Notification.