Security flaws in Schneider Electric PLCs allow full take over

Schneider Electric released advisories for multiple flaws, including issues that can allow taking control of Modicon M221 PLCs.

Schneider Electric released security advisories for multiple vulnerabilities impacting various products, including four issues that can be exploited by attackers to take control of Modicon M221 programmable logic controllers (PLCs).

Four encryption and authentication issues in Modicon M221 PLCs were reported by Trustwave, three of which have been independently found by the security firm Claroty.

“Schneider Electric is aware of multiple vulnerabilities in its Modicon M221 product. The Modicon M221 is a Nano Programmable Logic Controller (PLC) made to control basic automation for machines. The M221 is configured using Machine Expert – Basic software.” Reads the advisory published by Schneider Electric. “Failure to apply the mitigations provided below may allow unauthorized users to replay authentication sequences, which could result in an attacker taking control over the PLC.”

The flaws in the PLCs are:

• CVE-2020-7565 – A high-severity issue described as an inadequate encryption strength flaw that could be exploited to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine – Basic software and Modicon M221 controller.
• CVE-2020-7566 – A high-severity issue described as small space of random values vulnerability that could be exploited to break the encryption keys when the attacker has captured the traffic between EcoStruxure Machine – Basic software and Modicon M221 controller.
• CVE-2020-7567 – A high-severity issue described as missing encryption of sensitive data vulnerability that could be exploited to find the password hash when the attacker has captured the traffic between EcoStruxure Machine – Basic software and Modicon M221 controller and broke the encryption keys.
• CVE-2020-7568 – A low-severity issue described as an exposure of sensitive information to an unauthorized actor vulnerability that can be exploited to disclose non-sensitive information when the attacker has captured the traffic between EcoStruxure Machine – Basic software and Modicon M221 controller.

According to the analysis published by Claroty the flaw could be triggered by an attacker with a foothold on the OT network.

“The vulnerabilities reported to Schneider on June 10 can only be exploited by an attacker who already has a foothold on an OT network or ICS device.” states the analysis published by Claroty. “For example, an attacker could capture network traffic between the Modicon M221 PLC and the EcoStruxure Machine Expert Basic software that includes upload and download data or successful authentication attempts. This data is encrypted using a 4-byte XOR key, which is a weak encryption method.”

The vendor provided the following mitigations to reduce the risk of exploit:

• Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP.
• Within the Modicon M221 application, the user must:
  • Disable all unused protocols, especially Programming protocol, as described in section “Configuring Ethernet Network” of EcoStruxure Machine Expert – Basic online help for the M221 PLC. This action will prevent unintended remote programming access.
  • Set a password to protect the project
  • Set a password for read access on the controller
  • Set a different password for write access on the controller

The advisory also includes General Security Recommendations for the above vulnerabilities.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Schneider Electric)

[adrotate banner=”5″]

[adrotate banner=”13″]