How can we help?
Schneider Electric released three security alerts on 9th August 2022 to address two high vulnerabilities and one critical vulnerability in Modicon Programmable Logic Controllers (PLCs), Programmable Automation Controllers (PACs) and EcoStruxure (formerly Unity Pro) software platforms:
• CVE-2021-22786 – An information exposure vulnerability exists which could allow access to memory on PLCs or PACs, potentially exposing sensitive information. An attacker could gather information on operating mode states on the device, providing knowledge on what functions may be modifiable. An adversary may also be able to map I/O image tables by accessing memory. The PLCs image table is the device’s internal storage location and stores the values of inputs/outputs during operation. This information may be used in future attacks as modifiable values could be discovered during reconnaissance.
• CVE-2022-37300 – A weak password recovery mechanism has been found on PACs and EcoStruxure software platforms which could allow an attacker to exploit the forgotten password process to reset account credentials, bypassing authentication. Access to EcoStruxure Process Expert software would allow an attacker to modify automation for an organisation’s entire infrastructure. EcoStruxure Control Expert manages PAC programming, debugging and operations. An attacker gaining the ability to change PAC implementation may have catastrophic consequences.
• CVE-2022-37301 – An integer underflow (wrap or wraparound) vulnerability exists on Modicon PLCs and PACs that may allow exploitation of memory access violations to perform denial-of-service (DoS) attacks on the devices. An integer underflow attack may cause the device to crash, corrupt data, or trigger buffer overflows allowing execution of arbitrary code. Given the critical environments in which these devices are implemented, this could cause significant damage and operational impact.
Attackers could leverage vulnerabilities in these products to perform sensitive information disclosure, exposing data stored in memory on controllers when communicating over the Modbus TCP protocol, DoS attacks by exploiting memory access violations on controllers when using the Modbus TCP protocol, and gain unauthorised access in read and write mode to the controller when communicating over Modbus.
No vulnerability detections have been provided.
• EcoStruxure Control Expert including all Unity Pro versions (former name of EcoStruxure Control Expert) – V15.0 SP1 and prior
• EcoStruxure Process Expert including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) – V2021 and prior
• Modicon M340 CPU (part numbers BMXP34) – V3.40 and prior • Modicon M580 CPU (part numbers BMEP and BMEH) – V3.22 and prior
• Legacy Modicon Quantum/Premium – all versions • Modicon Momentum MDI (171CBU) – all versions
• Modicon MC80 (BMKC80) – all versions
Containment, Mitigations & Remediations
Schneider Electric has provided the following remediation activities for organisations to perform:
• Ensure firmware of affected devices is updated to the latest version • Update EcoStruxure Control Expert to V15.1
• Update EcoStruxure Process Expert to V2021
• For Legacy Modicon Quantum/Premium (all versions) these devices have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 ePAC controller.
If it is not possible to perform the remediation activities, the following mitigations have been provided:
• Set up a strong application password in the project properties
• Implement network segmentation and configure a firewall rule to block all unauthorised access to port 502/TCP
• Set up a secure communication according to the following guideline: “Modicon Controllers Platform Cyber Security Reference Manual” in chapter “Set up secure communications”.
If an organisation is unable to apply the vendor patches, please check the appropriate alert documentation for Schneider Electric’s recommendations for alternative mitigation.
Indicators of Compromise
No indicators of compromise have been provided.
Schneider Electric manufactures devices used in industrial automation globally. These include PACs, PLCs, and software used to manage these devices. PLCs and PACs are vital components for managing automation in industrial processes and critical national infrastructure operations. PLCs manage and monitor connected machines, providing the ability to monitor and control their application, and are programmed using ladder logic. PACs are automation controllers which allow programming using high-level language and can be used to manage multiple devices across geographically distributed networks. These devices are found in a variety of industrial and critical infrastructure settings. This includes implementation in critical infrastructure such as power plants, electric grid management, water utility management and industrial production facilities. Infrastructure is often dispersed due to the nature of these assets, requiring remote access and control of machines. If an adversary gains access to a vulnerable organisation’s network this could lead to catastrophic consequences.
With the vulnerabilities seen in this security bulletin, if an attacker gains access to a network using affected PACs or PLCs, they would be vulnerable to account manipulation of valid accounts through exploitation of a weakness in the password recovery mechanism found on Modicon PACs and EcoStruxure software. Such actions should be audited and alerts can be configured to detect these actions, be they legitimate or not. However, the successful compromise of valid credentials on the platform would allow an attacker the ability to manipulate Operational Technology (OT) behaviour and safety controls.
An attacker would also be able to access memory on these devices, which could expose diagnostic details of these devices and expose I/O image tables providing vital intelligence, which could prove invaluable in implementing further attacks. An integer underflow vulnerability found in these devices would provide a route to performing DoS attacks via crashing the device, corrupting data, or execution of arbitrary code. These actions may be harder to detect and audit, however the impact of DoS on OT and safety mechanisms may manifest in physical disruption.
T0868 – Detect Operating Mode
T0877 – I/O Image
T0859 – Valid Accounts
T1098 – Account Manipulation
T0814 – Denial of Service
CWE-191 – Integer Underflow (Wrap or Wraparound)
CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor
CWE-640 – Weak Password Recovery Mechanism for Forgotten Password