Positive Technologies finds vulnerabilities in legacy industrial process controllers

Even an unskilled attacker can remotely control or disable vulnerable equipment

Positive Technologies’ experts Nikita Maximov, Alexey Stennikov, Kirill Chernyshov, Anton Dorfman, Alexander Melkikh, and Ivan Kurnakov have discovered vulnerabilities in older versions of Schneider Electric’s programmable logic controllers (PLCs). These controllers ensure the high availability of critical systems in infrastructure and industrial manufacturing, including petrochemicals, cement production, metallurgy, power generation, and water supply.

Security issues were found in Modicon Premium, Modicon Quantum, and Modicon M340 controllers and in the Modicon BMXNOR0200 communication module. Schneider Electric publicly disclosed the vulnerabilities in March 2018, along with the steps users need to take to secure their controllers.

"Presence of these vulnerabilities in infrastructure at critical industrial facilities heightens the risk of process disruption, accidents, fraud, and other dangers," said Paolo Emiliani, Industrial & SCADA Research Security Analyst at Positive Technologies.

The vulnerability with the highest score (CVE-2018-7760, CVSS base score 7.7) was disclosed by Schneider Electric in an advisory on March 22. Attackers can use CGI requests to bypass authorization on the built-in web server of affected controllers. Another vulnerability, CVE-2018-7761 (CVSS base score 7.3), allows running arbitrary code on the web server of BMXNOR0200 communication modules. Two other vulnerabilities, CVE-2018-7759 and CVE-2018-7762 (each with a CVSS base score of 5.9), relate to buffer overflows, which may cause denial of service on all listed PLC models.

In addition, Schneider Electric released a separate advisory describing three other vulnerabilities discovered by Positive Technologies experts, two of which scored 5.9. The first, CVE-2018-7241, involves the use of hard-coded passwords for controller accounts. In the second, CVE-2018-7242, a weak password hashing algorithm is used. As a result, the password hashing is vulnerable to collisions, which may help an attacker brute-force the password.

The third vulnerability in the advisory, CVE-2018-7240 (CVSS base score 4.8), allows unauthorized access to the file system, but affects only Modicon Quantum controllers. The FTP command used to upgrade the module firmware can be misused in a way that allows an attacker to disable the controller or upload malicious firmware.

Klaus Jaeckle, Chief Product Security Officer at Schneider Electric, said, “Working with Positive Technologies reinforces again that effectively securing the world’s most critical industrial operations truly relies on open collaboration across multiple industry organizations, including between providers, end users and independent experts. We appreciate their research and responsible disclosure.

“The reported vulnerabilities affect our very successful, twenty-year-old PLCs. To minimize risk, we urge end users to follow the instructions provided in the Modicon Controllers Platform — Cybersecurity, Reference Manual and the Security Notifications section of the Schneider Electric website. These guidelines provide recommendations and best practices on the safe, secure usage of these legacy PLC products, but end users should also consider contacting the Schneider Electric Cybersecurity Services team to help identify and implement appropriate cybersecurity measures. Additionally, we highly recommend end users consider upgrading to the current generation of Modicon controllers, like the Modicon M580, which has embedded cybersecurity and industry-leading Achilles Level 2, ISA and ANSSI CSPN cybersecurity certifications.”

To detect cyber-incidents and vulnerabilities in ICS/SCADA systems, Positive Technologies offers PT ISIM and MaxPatrol 8 for the specific needs of industrial protocols and networks.