CIO Influence
Automation CIO Influence News Networking Security

Armis Discloses Critical Attack Vector That Allows Remote Take-Over of Schneider Electric Industrial Controllers

Armis Discloses Critical Attack Vector That Allows Remote Take-Over of Schneider Electric Industrial Controllers
New ModiPwn vulnerability puts Schneider Electric PLCs in global organizations at risk to attacker takeover

Researchers at Armis, the unified asset visibility and security platform provider, have today announced the discovery of an authentication bypass vulnerability in Schneider Electric’s Modicon programmable logic controllers (PLCs) that can lead to remote-code-execution (RCE). The vulnerability, dubbed ModiPwn, allows for a complete takeover of impacted devices by leveraging the UMAS protocol, and impacts Modicon M340, M580 and other models from the Modicon series. Millions of these PLCs and are now deemed to be at risk in what is considered to be a widescale vulnerability. Such controllers are used widely in manufacturing, building services, automation applications, energy utilities, HVAC systems to name but a few.

Recommended ITech News: Cirrus Logic Announces Agreement To Acquire Lion Semiconductor

How would an attacker use ModiPwn?
An attack that leverages ModiPwn would begin with network access to a Modicon PLC. Through this access, the attacker can leverage undocumented commands in the UMAS protocol and leak a certain hash from the device’s memory. Using this hash, the attacker can take over the secure connection between the controller and its managing workstation to reconfigure the controller with a password-less configuration. This will allow the attacker to abuse additional undocumented commands that lead to remote-code-execution – a full takeover of the device.

This takeover can then be used to install malware on the controller that alters its operation and hide the existence of these alterations from the workstation that manages this controller. The CVE for this vulnerability is CVE-2021-22779.

Recommended ITech News: Quantum Xchange Strengthens Priseda’s National Private Network for Resiliency with Advanced Quantum Security

Sophisticated attacks such as this have been seen in the wild before; the Triton malware, for example, was spotted targeting safety controllers by Schneider Electric used in petrochemical plants in Saudi Arabia. Attacks that alter operations of industrial controllers are a threat to both business continuity and safety, and attacks that hide from monitoring solutions can be extremely difficult to detect.

“Armis and Schneider Electric have worked together to ensure the proper security mitigations are being provided. We urge all affected organizations to take action now,” said Ben Seri, Armis. “The trouble with these legacy devices found in OT environments is that historically, they have evolved over unencrypted protocols. It will take time to address these weak underlying protocols. In the meantime, organisations operating in these environments should ensure that they have visibility over these devices to see where their points of exposure lie. This is crucial to preventing attackers from being able to control their systems – or even hold them to ransom.”

Recommended ITech News: Insightfinder, The Leading Ai Platform For IT Operations, Announced New Customers, Leadership, And Funding To Meet Growing Demand For Its AIOps Technology

Related posts

CoreStack Participates in AWS Marketplace Vendor Insights Preview

CIO Influence News Desk

Axonius Adds SaaS Management Actions and Automations to Help Organizations Mitigate Risk and Optimize Spend

Business Wire

Aunalytics Launches Security Patching Platform as a Service

CIO Influence News Desk

Leave a Comment