New Modicon PLC vulnerabilities uncovered by researchers
Forescout researchers discovered two new vulnerabilities in Schneider Electric’s Modicon programmable logic controllers (PLCs), which could allow for authentication bypass and remote code execution.
The flaws, identified as CVE-2022-45788 (CVSS score: 7.5) and CVE-2022-45789 (CVSS score: 8.1), are part of a larger collection of security flaws identified as OT:ICEFALL by Forescout. An adversary who successfully exploits the bugs may be able to execute unauthorized code, cause a denial of service, or disclose sensitive information.
Unauthenticated remote code execution, a weak password vulnerability, and a file upload vulnerability are among the flaws. The researchers used these flaws to move laterally through the ICS network, compromise additional PLCs, and eventually cause physical damage to equipment.
The vulnerabilities affect several Modicon PLC models, including the M221, M221 Book, M241, and M251. The flaws are especially concerning because they can be exploited without authentication, which means an attacker does not need a username or password to exploit them.
An attacker begins the attack by exploiting a vulnerability in a Wago coupler in order to communicate with a Modicon PLC. The attacker then bypasses the UMAS service authentication on the PLC and achieves remote code execution on the PLC in an attempt to gain access to the internals of the bridge control system.
The hacker can then manipulate the field devices connected to the controller. Before attempting to cause physical harm, the threat actor exploits a remote code execution vulnerability in an Allen-Bradley safety controller, a device whose purpose is to prevent accidents.
The attack method is covert, allowing the hacker to engage in a variety of malicious activities without drawing suspicion.
Schneider had asked the researchers not to include the two bugs on the ICEFALL list so that the company could work with customers to resolve the issues before they were made public. The two flaws, CVE-2022-45788 and CVE-2022-45789, affect Schneider’s Modicon Unity line of programmable logic controllers (PLCs).
Schneider Electric has since acknowledged the vulnerabilities and stated that patches to address them have been released.
The sources for this piece include an article in TheHackerNews.