Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC

save
Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

Tenable Research discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller. Schneider has recommended mitigations for impacted end users.

Background

While examining a Schneider Modicon Quantum programmable logic controller (PLC) Tenable Research discovered several vulnerabilities.

The Modicon Quantum is used for complex process control, safety and infrastructure in industrial settings like manufacturing. Industrial control systems typically include a computer called a programmable logic controller (PLC). PLCs connect directly to instruments, for example valve and pump actuators and motors, that perform industrial processes. They communicate with other PLCs and supervisory control and data acquisition (SCADA) devices, and often connect to operator interfaces, whether local or remote via network communications.

PLCs provide automated functions to manage aspects such as pressure, flow, temperature, motion control and other process variables. They have replaced traditional analogue controls, historically based on mechanical, pneumatic or electronic components, with digital programmable software.

The vulnerabilities we discovered include unauthenticated remote flaws that permit a malicious attacker to delete legitimate accounts, and change the password for the admin account. A threat actor can gain full administrator access.

Analysis

Our research focused on the Schneider Modicon Quantum PLC with a 140 NOC77101 Ethernet communication module.

The first two vulnerabilities that we discovered permit an unauthenticated attacker to manipulate user accounts via the built-in web server in the PLC. An attacker can change any user’s passwords, including the administrator password (CVE-2018-7811). It is also possible to delete the existing admin username and password (CVE-2018-7809) for the web interface, in the process resetting the web server username and password to USER:USER.

We also discovered two web application vulnerabilities that permit cross-site scripting attacks. In a cross-site scripting (XSS) attack, malicious code is injected into otherwise benign and trusted websites or URLs.The attacker uses the web application to send malicious code, usually in the form of a browser side script, to a different end user. One of the vulnerabilities is a reflected cross-site scripting flaw (CVE-2018-7810). An attacker can insert Javascript into the “name” parameter that will then be executed by the client clicking on the crafted link.

The second web application vulnerability is a cross-site request forgery (CSRF) flaw (CVE-2018-7831). An attacker can forge a link to be sent to an authenticated victim. Once clicked, the victim’s password will be changed to a password chosen by the attacker.

Lastly, we also discovered two denial-of-service (DoS) vulnerabilities. One of the DoS vulnerabilities can be triggered by sending a crafted request to the web server and will render the web server inaccessible for around one minute (CVE-2018-7830). The other DoS vulnerability impacts a Schneider Modbus function, and can be used to completely shut down the communication module.

You can find further technical details in the Advisory.

Business impact

Organizations using these devices in ICS and SCADA environments have two key priorities: securing health, safety and the environment and protecting the business processes that matter most. These priorities may pull against one another when it comes to vulnerabilities in hardware like a PLC. These devices provide critical control functionality and cannot be taken offline to be patched, in the event any patch is provided.

Organizations must have visibility into their OT assets and put strong controlling measures in place to mitigate risk. The lifespans of these devices are measured in decades and, because of increasing cost pressures, those lifespans are being stretched even further. This means organizations may have vulnerable devices in sensitive environments for extended periods of time. Visibility and mitigation have to be a top priority.

Solution

Schneider has issued a Security Notification for these vulnerabilities. Because the Quantum product line is end of life, software updates will not be released. Schneider has provided a set of recommendations, including standard mitigations, to protect impacted end users from these vulnerabilities. These mitigations are outlined in the Security Notification and include:

  • Disable the web server by default
  • Configure access control lists to restrict web server access to authorized IP addresses
  • Protect access to Modicon products with network, industrial, and application firewalls

Identifying affected systems

The products affected include all Modicon M340, Premium, Quantum PLCs and BMXNOR0200. Tenable has released a Nessus plugin to detect CVE-2018-7831, which can be found here.

Additional information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
Follow
1594 Followers
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at tenable.com.
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel