Modipwn vulnerability puts millions of building systems at risk

Users of Schneider Electric’s Modicon programmable logic controllers (PLCs), which are widely present in manufacturing, building services automation applications, energy utilities and HVAC systems, are advised to be on the alert to exploitation of an authentication bypass vulnerability that could lead to remote code execution (RCE) on a target system.

Dubbed Modipwn by the Armis researchers responsible for its discovery, the vulnerability, to be assigned CVE-2021-22779, allows for complete device takeover of several Modicon models, including the M340 and M580.

A theoretical attacker would begin by gaining network access to a target Modicon PLC. Once that is done, they can exploit undocumented commands in the unified messaging application services (UMAS) protocol to leak a certain hash from the device’s memory.

Once in possession of this hash, they can then take over the secure connection between the PLC and its managing workstation to reconfigure it with a password-less configuration.

From there, they can abuse additional undocumented commands to obtain RCE capabilities, establish persistence, obfuscate their presence and install malware.

“Armis and Schneider Electric have worked together to ensure the proper security mitigations are being provided,” said Armis’ Ben Seri. “We urge all affected organisations to take action now.

“The trouble with these legacy devices found in OT environments is that, historically, they have evolved over unencrypted protocols. It will take time to address these weak underlying protocols. In the meantime, organisations operating in these environments should ensure they have visibility over these devices to see where their points of exposure lie.

“This is crucial to preventing attackers from being able to control their systems – or even hold them to ransom.”

Sophisticated attacks such as those that could potentially exploit Modipwn have often been seen in the wild before, with examples including the Triton malware attack on a Middle Eastern petrochemical facility in December 2017. Armis said attacks that alter the operations of industrial controllers threatened business continuity and safety, and those that hide from monitoring solutions are obviously hard to spot.

Speaking to Computer Weekly’s sister title SearchSecurity, Seri said the problem was symptomatic of much deeper issues around the security of industrial control systems, and spoke of a lack of due care and attention during the development process. He said this meant that even when CVE-2021-22779 is fully patched – expected later in 2021 – Modicon PLCs could remain vulnerable to other attacks.

A spokesperson for Schneider Electric’s Corporate Product CERT said: “Schneider Electric is committed to collaborating openly and transparently. In this case, we have collaborated with these researchers to validate the research and to assess its true impact. Our mutual findings demonstrate that while the discovered vulnerabilities affect Schneider Electric offers, it is possible to mitigate the potential impacts by following standard guidance, specific instructions, and in some cases, the fixes provided by Schneider Electric to remove the vulnerability.

“As always, we appreciate and applaud independent cyber security research because, as in this case, it helps the global manufacturing industry to strengthen our collective ability to prevent and respond to cyber attacks.

“Working together has allowed us to improve our understanding of potential weaknesses in EcoStruxure Control Expert. It enabled us to disclose this vulnerability in a timely, responsible manner so that our customers and end-users can better protect their operations, assets and people.

“Together, we continue to encourage the ecosystem of automation suppliers, cyber security solution providers and end-users to collaborate to reduce cyber security risks, and support our customers to ensure they have implemented cyber security best practices across their operations and supply chains.”

A full breakdown of Modipwn, including a deeper technical dive, can be found here.