Schneider Patches Modicon PLC Holes

Thursday, September 3, 2015 @ 07:09 PM gHale

Schneider Electric released a firmware patch to mitigate vulnerabilities in the Modicon M340 PLC Station P34 Module, according to a report on ICS-CERT.

Independent researcher Aditya K. Sood initially reported these vulnerabilities to ICS-CERT two weeks before his public presentation at DEF CON on August 8. Schneider Electric was already working on resolving them because they had been reported earlier by independent researcher Juan Francisco Bolivar.


Exploits that target these vulnerabilities are publicly available.

The vulnerabilities affect the following Modicon PLC products:
• BMXNOC0401
• BMXNOE0100
• BMXNOE0110
• BMXP342020
• BMXP342020H
• BMXP342030
• BMXP3420302
• BMXP3420302H
• BMXP342030H

An attacker exploiting these vulnerabilities can cause the client browser to redirect to a remote file or execute JavaScript.

Schneider Electric is a Europe-based company that maintains offices in 190 countries worldwide.

Its programmable logic controller (PLC) products see use in a wide variety of automation and control applications across all industrial, infrastructure, and building sectors. The affected products, the Modicon M340 line, are PLC devices.

Modicon PLCs see action across several sectors including dams; defense industrial base; energy; food and agriculture; government facilities; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. Schneider Electric estimates these products see use primarily in the United States, China, Russia, and India.

Remote File Inclusion allows an attacker to craft a specific URL referencing the PLC web server which, when opened, causes the browser to redirect to a remote file via JavaScript loaded with the web page.

CVE-2015-6461 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 3.2.

Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL containing JavaScript that executes in the client browser.

CVE-2015-6462 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 3.2.
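As an added defender-side example, not code from the advisory or from Schneider Electric, the following Python scans web-server access-log lines for requests to a PLC web server whose query parameters carry the two indicator types described above: embedded script content (reflected XSS) and a URL pointing at a host other than the PLC itself (remote file inclusion). The log lines, request paths and addresses are constructed, and the PLC address 192.0.2.10 is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines for a hypothetical M340 web server at 192.0.2.10;
# the paths and requests are illustrative, not captured from a real device.
SAMPLE_LOG = """\
192.0.2.50 - - [03/Sep/2015:10:01:12 +0000] "GET /index.htm HTTP/1.1" 200 512
192.0.2.50 - - [03/Sep/2015:10:02:30 +0000] "GET /status.htm?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 740
192.0.2.51 - - [03/Sep/2015:10:03:05 +0000] "GET /status.htm?target=http%3A%2F%2F203.0.113.7%2Fpayload.js HTTP/1.1" 200 740
192.0.2.52 - - [03/Sep/2015:10:04:44 +0000] "GET /diag.htm?lang=en&next=/index.htm HTTP/1.1" 200 310
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Script-injection markers that should never appear in a PLC page parameter
SCRIPT_RE = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)

def classify_value(value, plc_host):
    """Return 'xss', 'remote_file' or None for one query-parameter value."""
    decoded = unquote(unquote(value))  # tolerate single and double URL-encoding
    if SCRIPT_RE.search(decoded):
        return "xss"
    parts = urlsplit(decoded)
    # An absolute URL to a host other than the PLC is the remote-file redirect pattern
    if parts.scheme in ("http", "https", "ftp") and parts.hostname and parts.hostname != plc_host:
        return "remote_file"
    return None

def scan_log(text, plc_host):
    """Return a list of (client_ip, path, parameter, indicator) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify_value(value, plc_host)
            if kind:
                findings.append((client, url.path, name, kind))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, "192.0.2.10"):
        print("suspicious request: client=%s path=%s param=%s indicator=%s" % hit)
```

A hit against the PLC's web server is worth correlating with the client workstation's activity, since the advisory notes the link has to be opened by a user with HTTP access to the device.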

These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction. The exploit only triggers when a local user clicks on the specifically crafted web link.

Crafting a working exploit for these vulnerabilities would be difficult. Social engineering is mandatory to convince a person with HTTP access to the PLC web server to click on the specifically crafted web link. In addition, the attacker must know the IP address of the target PLC in order to craft the link. This decreases the likelihood of a successful exploit.

Schneider Electric released a firmware patch for the listed products to address these vulnerabilities. It will initially only be available through Schneider Electric’s Customer Support teams and will be included in the next scheduled product firmware update.

In addition, specific modules and firmware versions allow the HTTP/FTP server to be disabled through configuration settings; consult your product documentation for further information.

For more information on this vulnerability and detailed instructions, please see SEVD-2015-233-01.

For other modules and firmware, Schneider Electric created a recommendations document that describes firewall and network architecture settings to use to mitigate these types of vulnerabilities (Resolution 207869, Mitigation of Vulnerabilities).