Two critical vulnerabilities detected in Schneider Electric technology

Overview

Severity Level: Critical (CVE-2022-45789 and CVE-2022-45788: CVSSv3 Score 9.8) – Compromise may result in the loss of confidentiality and integrity of data.

Two critical security vulnerabilities have been detected in operational technology (OT) systems belonging to Schneider Electric. The vulnerabilities are being tracked as CVE-2022-45788 and CVE-2022-45789, both of which have been linked with ICEFALL, a set of 56 previously discovered vulnerabilities affecting major OT equipment manufacturers.

Both of the outlined security flaws specifically relate to the Unity line of Schneider’s Modicon programmable logic controllers (PLCs). These controllers are integral to various technological components such as traffic lights, elevators and critical infrastructure. Schneider PLCs, in particular, operate in systems involved in water and wastewater processing, mining, manufacturing and energy production.

Impact

– CVE-2022-45788: The Video Conferencing with Zoom WordPress plugin prior to version 4.0.10 does not validate and escape some of the shortcode attributes before outputting them back into the page. Successful exploitation of this vulnerability could allow threat actors with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as administrators.

– CVE-2022-45789: This is an authentication bypass by capture-replay vulnerability. Successful exploitation of this vulnerability by a threat actor could lead to the execution of unauthorised Modbus functions on the controller when hijacking an authenticated Modbus session.
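A defender-side check for the session-hijack scenario described above. This is an added example, not code from the bulletin, Forescout or Schneider Electric: it parses Modbus/TCP frames and raises an alert when a state-changing function code, or Schneider's proprietary UMAS traffic (carried in Modbus function code 0x5A), arrives from a host that is not an approved engineering workstation. The host addresses, the allowlist and the sample frames are constructed.

```python
import struct
from typing import Optional, Tuple

# State-changing Modbus function codes; a hijacked session is only useful for these.
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
# Schneider's proprietary UMAS protocol (project load, start/stop) rides inside 0x5A.
UMAS_CODE = 0x5A

def parse_modbus_tcp(adu: bytes) -> Tuple[int, int, int, bytes]:
    """Parse a Modbus/TCP ADU (7-byte MBAP header + PDU) into
    (transaction id, unit id, function code, data)."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(adu) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length mismatch")
    return tid, unit, adu[7], adu[8:]

def classify(src: str, adu: bytes, allowed_writers: set) -> Optional[str]:
    """Return an alert for malformed or state-changing traffic from a
    host that is not an approved engineering workstation."""
    try:
        _tid, _unit, fc, _data = parse_modbus_tcp(adu)
    except ValueError as exc:
        return f"malformed ADU from {src}: {exc}"
    if src in allowed_writers:
        return None
    if fc == UMAS_CODE:
        return f"UMAS (0x5A) from non-engineering host {src}"
    if fc in WRITE_CODES:
        return f"write function 0x{fc:02X} from {src}"
    return None

def scan(packets, allowed_writers: set) -> list:
    """Classify every (src, adu) pair and keep only the alerts."""
    return [a for src, adu in packets
            if (a := classify(src, adu, allowed_writers))]

# Constructed sample traffic (hosts and frames are made up, not captures).
ENGINEERING_HOSTS = {"10.0.0.5"}
SAMPLE = [
    ("10.0.0.5",  bytes.fromhex("0001000000060103000A0002")),  # read regs
    ("10.0.0.5",  bytes.fromhex("000200000006010600100001")),  # write, allowed
    ("10.0.0.77", bytes.fromhex("000300000006010600100000")),  # write, alert
    ("10.0.0.77", bytes.fromhex("000400000004015A0000")),      # UMAS, alert
    ("10.0.0.9",  bytes.fromhex("0005")),                      # truncated
]
```

Running `scan(SAMPLE, ENGINEERING_HOSTS)` yields three alerts: the write and the UMAS frame from the unlisted host, and the truncated frame.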

Security researchers from Forescout have reported that the vulnerabilities could be chained together to provide cyber threat actors with access to the safety mechanisms that typically would limit the physical damage that could arise from successful exploitation. Such exploitation could be leveraged by threat actors to move laterally between different network segments and network types.

The researchers also stated that this would be an attractive target for nation-state threat actors, as they provide the potential to bypass functional and safety restrictions that would otherwise prohibit cyber-attacks with the most devastating consequences.

Vulnerability Detection

Schneider Electric has released patched versions of the affected products. Earlier versions remain vulnerable to the potential exploits.

Affected Products

Unity line of Schneider’s Modicon PLCs.

CVE-2022-45789:

– EcoStruxure™ Control Expert (all versions)
– EcoStruxure™ Process Expert (version V2020 and prior)
– Modicon M340 CPU (part numbers BMXP34*) (all versions)
– Modicon M580 CPU (part numbers BMEP* and BMEH*) (all versions)
– Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (all versions)

CVE-2022-45788:

– EcoStruxure™ Control Expert (all versions)
– EcoStruxure™ Process Expert (version V2020 and prior)
– Modicon M340 CPU (part numbers BMXP34*) (all versions)
– Modicon M580 CPU (part numbers BMEP* and BMEH*) (all versions)
– Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (all versions)
– Modicon Momentum Unity M1E Processor (171CBU*) (all versions)
– Modicon MC80 (BMKC80) (all versions)
– Legacy Modicon Quantum (140CPU65*) and Premium CPUs (TSXP57*) (all versions)

Containment, Mitigations & Remediations

It is strongly recommended that the mitigation steps for each vulnerability are applied to each of the product versions listed above. These can be found on the Schneider Electric Cybersecurity support portal.

Moreover, Schneider Electric product users should implement cyber security best practices across their operation base, as a further precaution. These have been outlined below:

Perimeter Hardening:

– Set up firewalls.

Network Hardening:

– Implement secure access controls
– Disable unused communication ports and protocols
– Use secure methods for remote access
– Create an asset inventory and network map
– Set up measures for detecting compromises

Workstation Hardening:

– Implement strong authentication and authorisation controls
– Set up a block list to deny access to known suspicious or malicious entities
– Use an allow list to help keep systems safe from unwanted software
– Encourage secure workstation habits

Device Protection and Hardening:

– Install physical controls to prevent unauthorised access
– Track operating modes
– Check the documentation for product-specific details

Disaster Recovery Plan:

– Maintain current back-up copies
– Prepare and test recovery protocols
– Engage in exercises to test the incident response plan

Minimise Risk:

– Apply patches and updates as soon as possible
– Be aware of vulnerabilities
– Train employees to detect attempts of cyber-attacks

Further details can be found in the Schneider Electric Recommended Cybersecurity Best Practices White Paper.

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

Schneider Electric has become one of the largest global sellers of PLCs, with the Modicon family being one of the most popular in the world. Shodan research has detected over 1,000 internet-connected PLCs, even though security experts warn against connecting them to the internet. Forescout researchers found that France (33%), Spain (17%), Italy (15%), and the United States (6%) are the countries with the most exposed devices.

It has been reported that since the onset of the Russia-Ukraine conflict, there have been several documented instances where malware variants, such as TRITON and INCONTROLLER, have demonstrated that threat actors are both capable of, and interested in, developing methods of exploiting vulnerabilities in OT and ICS systems. Most industrial malware variants focus on stealth and persistence techniques. However, Forescout researchers warned of the devastating consequences should cybercriminals seek physical compromise.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0008 – Lateral Movement

Technique – Initial Access:

T1189 – Drive-by Compromise

Technique – Persistence:

T1556 – Modify Authentication Process

Further Information

Record Media Article

Intelligence Terminology Yardstick