Schneider Electric PLCs vulnerable to remote takeover attacks

The authentication bypass vulnerability is a symptom of a much larger security crisis plaguing industrial control hardware, according to researchers who found the bug.

A vulnerability in programmable logic controllers made by Schneider Electric could put industrial facilities at risk of serious data and physical security attacks.

The research team at security vendor Armis laid claim to the discovery of CVE-2021-22779, an authentication bypass in the Modicon Unified Messaging Application Services (UMAS) protocol that also leaves the door open for attackers to overwrite system memory and gain persistent remote code execution capabilities on Schneider Modicon programmable logic controllers (PLCs).

In practice, this means an attacker who broke into a company's operational technology (OT) network would potentially be able to not only manipulate the PLC itself, but also use the hardware to stage further malware and data theft attacks. As the Modicon PLCs are primarily used by energy utilities, building services, HVAC systems and other sensitive applications, a hardware compromise could also lead to serious physical damage.

Ben Seri, vice president of research at Armis, told SearchSecurity that CVE-2021-22779 is not only an authentication bypass on its own, but can also allow attackers to roll back earlier security measures that would have protected against remote code execution.

"On one hand, this is yet another vulnerability in embedded devices," Seri explained. "But on the other hand, it really opened the door to how deep some basic design flaws are and how PLCs work nowadays with the lack of security that is inherent in their design."

Bug allows chained attacks

The flaw involves undocumented instructions that were used to debug the Modicon hardware during development. Normally, these debug commands are locked away from end users and are only available with an administrator password. In the case of CVE-2021-22779, however, some of those commands remain reachable without authentication, and an attacker who issues them can read the hashed administrator password out of the PLC.

Because the PLC accepts the hash itself as the credential, the attacker can authenticate with it and never needs the cleartext password. That unlocks further undocumented commands, which an earlier security update had placed behind password protection, and those commands in turn let the attacker write to, and execute code from, system memory.

Under normal circumstances, system memory is inaccessible and cannot be written to. By taking advantage of the undocumented commands, however, the attacker could write and execute code within that memory. Seri said this is particularly dangerous because most security scans do not check whether system memory has been altered.

"In that position," Seri explained, "the malware can do a lot of damage and be very hard to detect."
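The following Python model is an added illustration written for this page; it is not Schneider's UMAS protocol, not Armis's proof of concept, and none of its command names, message formats, hashing scheme or challenge-response design come from the article. It reproduces the shape of the chain described above: a debug read that is reachable without authentication leaks the stored password hash, the login step accepts that hash as the credential, and an attacker with only network access chains the two into a privileged write of system memory. The hardened variant removes the debug read and authenticates with a single-use challenge, so a login captured off the wire cannot be replayed.

```python
"""Toy model of the attack chain described above.

This is an illustrative model written for this page, not Schneider's UMAS
protocol or Armis's proof of concept: the command names, message formats,
hashing scheme and challenge-response design are all assumptions chosen to
make the design flaw visible.
"""
import hashlib
import hmac
import os

ADMIN_PASSWORD = "s3cret-plant-pw"   # constructed sample credential


def password_hash(password: str) -> bytes:
    """The stored verifier: an unsalted hash of the administrator password."""
    return hashlib.sha256(password.encode()).digest()


class VulnerablePLC:
    """Leaves a debug read reachable without authentication that returns the
    stored hash, and accepts that very hash as the login credential."""

    def __init__(self, admin_password: str):
        self._admin_hash = password_hash(admin_password)
        self._authenticated = False
        self.system_memory = bytearray(16)

    def handle(self, cmd: str, arg: bytes = b"") -> bytes:
        if cmd == "DEBUG_READ_HASH":            # no session check at all
            return self._admin_hash
        if cmd == "AUTH":                       # the hash itself is the credential
            self._authenticated = hmac.compare_digest(arg, self._admin_hash)
            return b"OK" if self._authenticated else b"DENIED"
        if cmd == "WRITE_SYSTEM_MEMORY":        # normally unreachable without auth
            if not self._authenticated:
                return b"DENIED"
            self.system_memory[: len(arg)] = arg
            return b"OK"
        return b"UNKNOWN"


class HardenedPLC:
    """Strips the debug read and authenticates with a single-use challenge."""

    def __init__(self, admin_password: str):
        self._verifier = password_hash(admin_password)
        self._authenticated = False
        self._nonce = None
        self.system_memory = bytearray(16)

    def handle(self, cmd: str, arg: bytes = b"") -> bytes:
        if cmd == "DEBUG_READ_HASH":            # removed from production firmware
            return b"DENIED"
        if cmd == "AUTH_CHALLENGE":
            self._nonce = os.urandom(16)
            return self._nonce
        if cmd == "AUTH_RESPONSE":
            if self._nonce is None:
                return b"DENIED"
            expected = hmac.new(self._verifier, self._nonce, hashlib.sha256).digest()
            self._authenticated = hmac.compare_digest(arg, expected)
            self._nonce = None                  # one challenge, one response
            return b"OK" if self._authenticated else b"DENIED"
        if cmd == "WRITE_SYSTEM_MEMORY":
            if not self._authenticated:
                return b"DENIED"
            self.system_memory[: len(arg)] = arg
            return b"OK"
        return b"UNKNOWN"


def legitimate_login(plc: HardenedPLC, password: str) -> bytes:
    """Operator client: derives the key from the password it actually knows."""
    nonce = plc.handle("AUTH_CHALLENGE")
    response = hmac.new(password_hash(password), nonce, hashlib.sha256).digest()
    return plc.handle("AUTH_RESPONSE", response)


def pass_the_hash_attack(plc) -> bytes:
    """Attacker on the OT network with no password: chain the exposed debug
    read into an authenticated write of system memory."""
    leaked = plc.handle("DEBUG_READ_HASH")
    if plc.handle("AUTH", leaked) != b"OK":
        return b"DENIED"
    return plc.handle("WRITE_SYSTEM_MEMORY", b"\xde\xad\xbe\xef")


def replay_attack(password: str) -> bytes:
    """Passive attacker records one operator login on the unencrypted link and
    replays the captured response against a fresh session."""
    observed = HardenedPLC(password)
    nonce = observed.handle("AUTH_CHALLENGE")
    captured = hmac.new(password_hash(password), nonce, hashlib.sha256).digest()
    observed.handle("AUTH_RESPONSE", captured)  # the operator's real login
    target = HardenedPLC(password)
    target.handle("AUTH_CHALLENGE")             # different nonce, so the response is stale
    return target.handle("AUTH_RESPONSE", captured)


if __name__ == "__main__":
    v = VulnerablePLC(ADMIN_PASSWORD)
    print("vulnerable PLC, pass-the-hash:", pass_the_hash_attack(v), v.system_memory.hex())
    h = HardenedPLC(ADMIN_PASSWORD)
    print("hardened PLC, pass-the-hash:", pass_the_hash_attack(h))
    print("hardened PLC, operator login:", legitimate_login(h, ADMIN_PASSWORD))
    print("hardened PLC, replayed login:", replay_attack(ADMIN_PASSWORD))
```

The limit of the hardened model is worth noting: its challenge-response still keys on the stored verifier, so anyone who obtains that verifier by some other route can still authenticate. Closing the unauthenticated read is therefore the essential fix; the single-use challenge only defeats passive capture and replay on an unencrypted link, which is the separate man-in-the-middle weakness the article goes on to describe.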

Sign of a larger security issue

Seri said that the vulnerability itself is symptomatic of a much larger security problem plaguing the industrial controller market these days as vendors are still failing to build the necessary protections into their network-connected hardware.

He explained that even when CVE-2021-22779 is mitigated by Schneider, the company's UMAS protocol will remain vulnerable to other attacks because its developers never thought to properly encrypt the connections between the PLCs and the administrator PC, leaving the door wide open for a man-in-the-middle attack.

Schneider Electric is not alone in these sorts of security lapses, Seri said. In many cases PLC vendors have neglected built-in security, relying on perimeter network security to keep hardware safe from criminal hackers.

"That is the only defense that Schneider and other vendors push to users: Have a strong perimeter, separate your OT network from IT," Seri said. "Once they have their foot in the door, it is really left to the security of the PLC to fend off attackers, and that really is not there."

Armis said Schneider plans to have a permanent fix for the issue out in the fourth quarter of this year, as well as full encryption implemented in future firmware updates. But actually getting those security measures deployed in the field could take some time, particularly as PLCs tend not to get updated regularly. Seri estimates that, for most companies, OT hardware gets patched maybe once a year, leaving major security holes open for exploitation long after they have been publicly disclosed and documented.
