Threat Signal Report
ModiPwn: Zero-day vulnerability (CVE-2021-22779) in Schneider Electric Modicon PLCs
FortiGuard Labs is aware of a report of an unpatched vulnerability (CVE-2021-22779) in Schneider Electric's Modicon programmable logic controllers (PLCs). Dubbed ModiPwn by a researcher who disclosed the issue, the vulnerability is an authentication bypass that allows an attacker to circumvent the authentication mechanism and thereby take full control of the PLC. It exists because of a weak authentication mechanism that could allow unauthorized read and write access to the controller by spoofing the Modbus communication between the engineering software and the controller.
The vulnerability was discovered by FortiGuard Labs and was reported to Schneider Electric in accordance with Responsible Disclosure.
How Serious of an Issue is This?
High. The vulnerability is an authentication bypass that allows an attacker to take full control of the PLC.
How Widespread is this Attack?
At this time, there are no known attacks observed in the field.
Is the Proof of Concept Code for the Vulnerability Publicly Available?
Has the Vendor Released an Advisory for the Vulnerability?
Yes. Please refer to the "EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, and Modicon Controllers M580 and M340" advisory located in the APPENDIX.
What Versions of Products Are Affected?
According to the advisory issued by Schneider Electric, the following products are affected:
- EcoStruxure Control Expert, all versions prior to V15.0 SP1, including all versions of Unity Pro (former name of EcoStruxure Control Expert)
- EcoStruxure Control Expert V15.0 SP1
- EcoStruxure Process Expert, all versions, including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert)
- SCADAPack RemoteConnect for x70, all versions
- Modicon M580 CPU (part numbers BMEP* and BMEH*), all versions
- Modicon M340 CPU (part numbers BMXP34*), all versions
Are Patches Available for Reported Vulnerabilities by the Vendor?
No. The vendor has not provided a patch for the vulnerability, nor has it shared a timeline for when a patch will be available.
Is a CVE Assignment Available for the Vulnerability?
Yes, CVE-2021-22779 has been assigned to the vulnerability.
What is the Status of Coverage?
Customers running the latest IPS definitions are protected from this vulnerability with the following IPS signature:
Any Suggested Mitigation?
Schneider Electric's advisory provides some guidance on the hardening measures needed on the controller side to reduce the risk of exploitation. For further guidance, please refer to the "EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, and Modicon Controllers M580 and M340" advisory in the APPENDIX.
The potential for damage to daily operations and reputation, unwanted release of data, and disruption of business operations is apparent. Because of this, it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once fixes are available, and that systems are updated on a regular basis, to protect against attackers establishing a foothold within a network.
Appendix
Fortinet Discovers Authentication Bypass By Spoofing Vulnerability In Multiple Schneider Electric Products (FortiGuard Labs)
Traffic Light Protocol
|Color||When should it be used?||How may it be shared?|
|TLP: RED. Not for disclosure, restricted to participants only.||Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
|TLP: AMBER. Limited disclosure, restricted to participants’ organizations.||Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
|TLP: GREEN. Limited disclosure, restricted to the community.||Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
|TLP: WHITE. Disclosure is not limited.||Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|