Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC

Tenable Research discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller. Schneider has recommended mitigations for impacted end users.

Background

While examining a Schneider Modicon Quantum programmable logic controller (PLC) Tenable Research discovered several vulnerabilities.

The Modicon Quantum is used for complex process control, safety and infrastructure in industrial settings like manufacturing. Industrial control systems typically include a computer called a programmable logic controller (PLC). PLCs connect directly to instruments, for example valve and pump actuators and motors, that perform industrial processes. They communicate with other PLCs and supervisory control and data acquisition (SCADA) devices, and often connect to operator interfaces, whether local or remote via network communications.

PLCs provide automated functions to manage aspects such as pressure, flow, temperature, motion control and other process variables. They have replaced traditional analogue controls, historically based on mechanical, pneumatic or electronic components, with digital programmable software.

The vulnerabilities we discovered include unauthenticated remote flaws that permit a malicious attacker to delete legitimate accounts, and change the password for the admin account. A threat actor can gain full administrator access.

Analysis

Our research focused on the Schneider Modicon Quantum PLC with a 140 NOC77101 Ethernet communication module.

The first two vulnerabilities that we discovered permit an unauthenticated attacker to manipulate user accounts via the built-in web server in the PLC. An attacker can change any user's passwords, including the administrator password (CVE-2018-7811). It is also possible to delete the existing admin username and password (CVE-2018-7809) for the web interface, in the process resetting the web server username and password to USER:USER.

We also discovered two web application vulnerabilities that permit cross-site scripting attacks. In a cross-site scripting (XSS) attack, malicious code is injected into otherwise benign and trusted websites or URLs.The attacker uses the web application to send malicious code, usually in the form of a browser side script, to a different end user. One of the vulnerabilities is a reflected cross-site scripting flaw (CVE-2018-7810). An attacker can insert Javascript into the "name" parameter that will then be executed by the client clicking on the crafted link.

The second web application vulnerability is a cross-site request forgery (CSRF) flaw (CVE-2018-7831). An attacker can forge a link to be sent to an authenticated victim. Once clicked, the victim’s password will be changed to a password chosen by the attacker.

Lastly, we also discovered two denial-of-service (DoS) vulnerabilities. One of the DoS vulnerabilities can be triggered by sending a crafted request to the web server and will render the web server inaccessible for around one minute (CVE-2018-7830). The other DoS vulnerability impacts a Schneider Modbus function, and can be used to completely shut down the communication module.

You can find further technical details in the Advisory.

Business impact

Organizations using these devices in ICS and SCADA environments have two key priorities: securing health, safety and the environment and protecting the business processes that matter most. These priorities may pull against one another when it comes to vulnerabilities in hardware like a PLC. These devices provide critical control functionality and cannot be taken offline to be patched, in the event any patch is provided.

Organizations must have visibility into their OT assets and put strong controlling measures in place to mitigate risk. The lifespans of these devices are measured in decades and, because of increasing cost pressures, those lifespans are being stretched even further. This means organizations may have vulnerable devices in sensitive environments for extended periods of time. Visibility and mitigation have to be a top priority.

Solution

Schneider has issued a Security Notification for these vulnerabilities. Because the Quantum product line is end of life, software updates will not be released. Schneider has provided a set of recommendations, including standard mitigations, to protect impacted end users from these vulnerabilities. These mitigations are outlined in the Security Notification and include:

• Disable the web server by default
• Configure access control lists to restrict web server access to authorized IP addresses
• Protect access to Modicon products with network, industrial, and application firewalls

Identifying affected systems

The products affected include all Modicon M340, Premium, Quantum PLCs and BMXNOR0200. Tenable has released a Nessus plugin to detect CVE-2018-7831, which can be found here.

Additional information

• Visit the Tenable Tech Blog on Medium to read researcher Jacob Baines’s in-depth story about his team’s work bug hunting in the Schneider Modicon Quantum PLC.
• Schneider Security Notification
• Tenable Research Advisory

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.