ModiPwn flaw in Modicon PLCs bypasses security mechanisms

ModiPwn flaw (CVE-2021-22779) in some of Schneider Electric’s Modicon PLCs can allow attackers to bypass authentication mechanisms and take over the device.

Researchers at IoT security firm Armis discovered an authentication bypass vulnerability, tracked as CVE-2021-22779 and dubbed ModiPwn, that affects some of Schneider Electric ’s Modicon PLCs.

The flaw can be exploited by an unauthenticated attacker who has network access to the targeted PLC to take full control over the PLC  the vulnerable device.

“Armis researchers discover a critical vulnerability in Schneider Electric Modicon PLCs. The vulnerability can allow attackers to bypass authentication mechanisms which can lead to native remote-code-execution on vulnerable PLCs.” reads the advisory published by the company.

“A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.” reads the advisory published by SA.

The experts demonstrated that chaining the above issue with other vulnerabilities (CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537) in the UMAS (Unified Messaging Application Services) protocol and discovered over the past years it was possible to take over the device.

These flaws in the protocol are essentially undocumented commands that were not removed likely due to legacy dependencies. The industrial vendor added an authentication mechanism to mitigate the risk of exploitation, but it was not effective.

Experts pointed out that the UMAS protocol operates over the Modbus protocol, which lacks proper authentication mechanisms and doesn’t use encryption.

Schneider Electric addressed the older issues by implementing an authentication mechanism to prevent the exploitation of the issues, but experts from Armis discovered the new ModiPwn vulnerability that can still allow attackers to bypass that authentication mechanism. The flaw impacts Modicon M580 and M340 PLCs.

The ModiPwn was reported to Schneider Electric in mid-November 2020, the vendor credited Kai Wang (Fortinet’s FortiGuard Labs), Nicholas Miles (Tenable), Andrey Muravitsky (Kaspersky ICS CERT), Gal Kauffman (Armis), Li Wei (Friday Lab – Bolean Tech) for reporting the flaw.

The vendor published an advisory that includes mitigations for this vulnerability, however, the company has yet to release a patch to address the flaw.

Armis published a video showing how to chain the issue to trigger the flaw.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Schneider Electric)

[adrotate banner=”5″]

[adrotate banner=”13″]