virus logo Threat Signal Report

ModiPwn: Zero-day vulnerability (CVE-2021-22779) in Schneider Electric Modicon PLCs

Description

FortiGuard Labs is aware of a report of an unpatched vulnerability (CVE-2021-22779) in Schneider Electric's Modicon programmable logic controllers (PLCs). Dubbed ModiPwn by a researcher who disclosed the issue, the vulnerability is an authentication bypass vulnerability that allows the attacker to bypass an authentication mechanism hence take a full control over the PLC. The vulnerability exists due to a weak authentication mechanism that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.

The vulnerability was discovered by FortiGuard Labs and was reported to Schneider Electric in accordance with Responsible Disclosure.


How Serious of an Issue is This?

High. The vulnerability is an authentication bypass that allows the attacker to take a full control of the PLC.


How Widespread is this Attack?

As this time, there are no known attacks observed in the field.


Is the Proof of Concept Code for the Vulnerability Publicly Available?

No.


Has the Vendor Released an Advisory for the Vulnerability?

Yes. Please refer to the "EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, and Modicon Controllers M580 and M340" advisory located in the APPENDIX.


What Versions of Products Are Affected?

According to the advisory issued by Schneider Electric, the following products are affected:

  • EcoStruxure Control Expert, all versions prior to V15.0 SP1, Including all versions of Unity Pro (former name of EcoStruxure Control Expert)
  • EcoStruxure Control Expert V15.0 SP1
  • EcoStruxure Process Expert, all versions, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert)
  • SCADAPack RemoteConnect for x70, all versions
  • Modicon M580 CPU (part numbers BMEP* and BMEH*), all versions
  • Modicon M340 CPU (part numbers BMXP34*), all versions


Are Patches Available for Reported Vulnerabilities by the Vendor?

No. The vendor has not provided a patch for the vulnerability nor shared the timeline as to when the patch will be available.


Is a CVE Assignment Available for the Vulnerability?

Yes, CVE-2021-22779 has been assigned to the vulnerability.


What is the Status of Coverage?

Customers running the latest IPS definitions are protected by this vulnerability with the following IPS signature:

Schneider.Electric.Products.Authentication.Bypass


Any Suggested Mitigation?

Schneider Electric's advisory provide some guidance on hardening measures needed on the controller side to reduce the risk of exploit. For further guidance, please refer to the "EcoStruxureTM Control Expert, EcoStruxureTM Process Expert, SCADAPack RemoteConnect x70, and Modicon Controllers M580 and M340" advisory in the APPENDIX.


The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available and updated on a regular basis to protect against attackers establishing a foothold within a network.

Telemetry

Appendix

Fortinet Discovers Authentication Bypass By Spoofing Vulnerability In Multiple Schneider Electric Products (FortiGuard Labs)



ID 27
Date Jul 14, 2021
Threat/
Vulnerability		 Authentication Bypass
FortiGate Device Triggered N/A
Threat Actor Type Unknown
Experienced a Breach? We're here to help FortiGuard Incident Response Services
FortiGuard Incident Response Services