Schneider Modicon Vulnerability

Thursday, August 13, 2015 @ 12:08 PM gHale

There are vulnerabilities, some with proof-of-concept (PoC) exploit code, affecting several Schneider Electric Modicon M340 PLC Station P34 CPU modules, according to a report from ICS-CERT.

This is a supervisory control and data acquisition/programmable logic controller (SCADA/PLC) interface product and, according to multiple reports, the vulnerabilities include both remote and local issues and affect the modules that support the Factory Cast Modbus feature.


Some of the reports were released without coordination with either the vendor or ICS-CERT, while other vulnerabilities were still in the coordination process when the researcher decided to publicly release the information.

The vendor is aware of the reports and is in the process of confirming the vulnerabilities and identifying mitigations. ICS-CERT issued this alert to provide early notice of the reports and to identify baseline mitigations for reducing the risk from these and other attacks.

The report included vulnerability details and PoC exploit code for the following vulnerabilities:

Three vulnerabilities were identified: a hard-coded credential, which could result in remote code execution; a local file inclusion, which could lead to directory traversal and file manipulation; and a remote file inclusion, which could lead to remote code execution or denial of service. All but the local file inclusion are remotely exploitable.
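The local file inclusion class in the list above is the one that leads to directory traversal. As an added illustration that is not part of the ICS-CERT alert and not Schneider Electric's code, the following Python shows the unsafe pattern next to a hardened resolver that confines every resolved path to a base directory; the directory layout, file names and the `naive_include`/`safe_include` helpers are all constructed for the example.

```python
"""Added example (not from the ICS-CERT alert or Schneider Electric):
the file-inclusion pattern behind directory traversal, beside a hardened
resolver that keeps resolved paths inside a base directory.
The directory tree used by demo() is constructed in a temporary directory."""
import os
import tempfile


def naive_include(base_dir: str, requested: str) -> str:
    # Unsafe pattern: the request is joined to the base directory without
    # normalisation, so "../" sequences (or an absolute path, which makes
    # os.path.join discard base_dir) escape the intended directory.
    return os.path.join(base_dir, requested)


def safe_include(base_dir: str, requested: str) -> str:
    # Hardened pattern: resolve both paths (symlinks included), then require
    # the resolved target to remain inside the resolved base directory.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return target


def demo() -> dict:
    """Build a constructed tree (www/index.html inside, secret.txt outside)
    and report how each resolver behaves on a normal and a traversing request."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "www")
        os.makedirs(web)
        with open(os.path.join(web, "index.html"), "w") as fh:
            fh.write("ok")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the web root")

        results = {}
        # The naive resolver happily points at a file outside the web root.
        results["naive_escapes"] = os.path.exists(naive_include(web, "../secret.txt"))
        # The hardened resolver still serves ordinary files ...
        results["safe_allows_normal"] = (
            os.path.basename(safe_include(web, "index.html")) == "index.html"
        )
        # ... and rejects the traversing request.
        try:
            safe_include(web, "../secret.txt")
            results["safe_blocks_traversal"] = False
        except ValueError:
            results["safe_blocks_traversal"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The check is done on `realpath` output rather than on the request string, so it also covers symlinks inside the base directory and absolute paths, which `os.path.join` would otherwise let replace the base entirely.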

Aditya K. Sood discovered the vulnerabilities and presented them at DefCon 2015 in Las Vegas.

ICS-CERT had already notified Schneider Electric of the vulnerabilities in the BMX P34 module. ICS-CERT is currently coordinating with Schneider Electric on the additional Factory Cast support vulnerability.