Vulnerability in Schneider Electric PLCs allows for undetectable remote takeover

A vulnerability discovered in Schneider Electric’s Modicon programmable logic controllers (PLCs), a product line deployed in millions of devices worldwide, could give a remote attacker total and undetectable control of the controller, opening the way to remote code execution, malware installation and other compromises.

Discovered by security researchers at asset visibility and security vendor Armis, the vulnerability, dubbed Modipwn, resembles the flaw leveraged by the Triton malware that targeted Schneider Electric’s Triconex safety controllers at a Saudi Arabian petrochemical plant. Modicon controllers vulnerable to Modipwn are used in manufacturing, building services, automation, energy utilities, HVAC and other industrial applications.

The vulnerability affects the Modicon M340 and M580 controllers and “other models from the Modicon series,” Armis said. It abuses Schneider’s Unified Messaging Application Services (UMAS) protocol, the protocol used to configure and monitor Schneider PLCs, Modicon and others, by issuing undocumented UMAS commands that let the attacker leak password hashes from the device’s memory.

With a leaked hash in hand, the attacker can take over the secure connection that UMAS establishes between the PLC and its engineering workstation and reconfigure the PLC without ever knowing the password. Reconfiguring the PLC, in turn, lets the attacker achieve remote code execution, including installing malware and taking steps to hide their presence on the device.
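Because the attack rides on UMAS, one practical check for a defender is to watch for UMAS traffic that does not come from a known engineering workstation, or that uses commands outside the set those workstations normally issue. The Python script below is an added example, not code from Armis or Schneider: it parses Modbus/TCP frames, singles out UMAS messages (Schneider carries UMAS under the vendor-specific Modbus function code 0x5A) and flags both conditions. The allowlists of hosts and UMAS function codes, the sample frames, and the byte layout assumed after the function code (one session byte followed by a one-byte UMAS function code) are assumptions for illustration; a real deployment would derive the allowlists from a baseline of its own engineering traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Schneider carries UMAS inside Modbus/TCP under the vendor-specific function code 0x5A.
MODBUS_FC_UMAS = 0x5A

# Site policy (assumed, for illustration only): hosts allowed to speak UMAS to the PLC,
# and the UMAS function codes those hosts are expected to issue. Neither list is
# Schneider's; a real deployment builds both from a baseline of its own traffic.
ALLOWED_ENGINEERING_HOSTS = {"10.0.10.5"}
ALLOWED_UMAS_FUNCS = {0x01, 0x02, 0x03, 0x04, 0x20, 0x22}


@dataclass
class Finding:
    src: str
    dst: str
    reason: str
    umas_func: Optional[int]


def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split a Modbus/TCP frame into (unit id, function code, PDU data).

    The 7-byte MBAP header is transaction id, protocol id (always 0), length
    (number of bytes following the length field) and unit id. Returns None if
    the frame is truncated or the length field does not match.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def inspect(src: str, dst: str, payload: bytes) -> Optional[Finding]:
    """Return a Finding for UMAS traffic that violates the site policy, else None."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return Finding(src, dst, "malformed Modbus/TCP frame", None)
    _unit, fc, data = parsed
    if fc != MODBUS_FC_UMAS:
        return None  # ordinary Modbus; outside the scope of this check
    # Assumed UMAS layout: data[0] is the session/reservation byte, data[1] the UMAS function.
    umas_func = data[1] if len(data) >= 2 else None
    if src not in ALLOWED_ENGINEERING_HOSTS:
        return Finding(src, dst, "UMAS from a host that is not an engineering workstation", umas_func)
    if umas_func is None or umas_func not in ALLOWED_UMAS_FUNCS:
        return Finding(src, dst, "UMAS function code outside the allowlist", umas_func)
    return None


def build_umas_frame(tid: int, session: int, umas_func: int, body: bytes = b"") -> bytes:
    """Construct a Modbus/TCP frame carrying a UMAS request (used only to build sample input)."""
    pdu = bytes([MODBUS_FC_UMAS, session, umas_func]) + body
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), 0) + pdu


def build_modbus_read(tid: int, start: int, count: int) -> bytes:
    """Construct a plain Modbus/TCP Read Holding Registers (0x03) request."""
    pdu = struct.pack(">BHH", 0x03, start, count)
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), 0) + pdu


# Constructed sample traffic toward a PLC at 10.0.10.20; none of it is captured data.
SAMPLE_FLOWS = [
    ("10.0.10.5",  "10.0.10.20", build_umas_frame(1, 0x00, 0x01)),  # engineering host, known function
    ("10.0.10.5",  "10.0.10.20", build_umas_frame(2, 0x00, 0x71)),  # engineering host, function not on allowlist
    ("10.0.20.77", "10.0.10.20", build_umas_frame(3, 0x00, 0x01)),  # UMAS from a host on the HMI subnet
    ("10.0.20.77", "10.0.10.20", build_modbus_read(4, 0, 10)),      # plain Modbus read, not UMAS
]


def scan(flows=SAMPLE_FLOWS) -> List[Finding]:
    """Run inspect() over (src, dst, payload) tuples and collect the findings."""
    findings = []
    for src, dst, payload in flows:
        finding = inspect(src, dst, payload)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan():
        func = f"0x{finding.umas_func:02x}" if finding.umas_func is not None else "n/a"
        print(f"{finding.src} -> {finding.dst}: {finding.reason} (UMAS function {func})")
```

Run against the constructed flows, the script reports two findings: the engineering host issuing a UMAS function outside the allowlist, and the HMI-subnet host speaking UMAS at all. The second condition is the one most relevant to Modipwn, since the attack needs nothing more than network reach to the PLC's Modbus/UMAS port; treating any UMAS from outside the engineering network as an alert is cheap and catches it regardless of which undocumented commands are used.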