Schneider Electric fixed an information management errors vulnerability and permissions, privileges, and access controls vulnerabilities in its Modicon M221, according to a report with NCCIC.
Successful exploitation of these vulnerabilities, discovered by Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans, may allow unauthorized users to replay authentication sequences, overwrite passwords, or decode passwords.
Modicon M221, all references, all versions prior to firmware v220.127.116.11 suffer from the remotely exploitable vulnerabilities.
In one vulnerability, unauthorized users can replay authentication sequences. If an attacker exploits this vulnerability and connects to a Modicon M221, the attacker may upload the original program from the PLC.
CVE-2018-7790 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.1.
In the permissions, privileges, and access controls vulnerability, unauthorized users can overwrite the original password. If an attacker exploits this vulnerability and overwrites the password, the attacker may upload the original program from the PLC.
CVE-2018-7791 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.7.
Another permissions, privileges, and access controls vulnerability allows unauthorized users to decode the password using a rainbow table.
CVE-2018-7792 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.7.
The product sees use mainly in the commercial facilities sector and is deployed worldwide.
No known public exploits specifically target these vulnerabilities. A high skill level is needed to exploit them.
A fix for these vulnerabilities is implemented in Modicon M221 Firmware v18.104.22.168, delivered within SoMachine Basic v1.6 SP2, which is available for download below, or by using the Schneider Electric Software Update tool.
As a temporary mitigation, Modicon M221 users should take the following measures:
• Set up a firewall blocking all remote/external access to Port 502.
• Within the Modicon M221 application, users must disable all unused protocols, especially the programming protocol, as described in section “Configuring Ethernet Network” of SoMachine Basic online help. This will prevent remote programming of the M221 PLC.
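One way to express the first measure as a firewall policy, given here as an added nftables example that is not taken from Schneider Electric's notice or the NCCIC report. It assumes a Linux gateway routing traffic to the PLC segment; the table name, set names and addresses (documentation ranges) are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: restrict TCP port 502 on Modicon M221 PLCs to known clients.
# Assumption: this host forwards traffic between the plant network and the
# PLC segment. All addresses below are constructed placeholders.

table inet m221_guard {
    # Hosts that legitimately need port 502 (assumed: one engineering
    # workstation and one HMI). Replace with the site's real inventory.
    set modbus_clients {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # The PLCs being protected.
    set plcs {
        type ipv4_addr
        elements = { 198.51.100.20 }
    }

    chain forward {
        # policy accept: this table only adds the port 502 restriction.
        # A drop issued here is final even if another table accepts the
        # packet, so the guard holds alongside an existing site ruleset.
        type filter hook forward priority 0; policy accept;

        # Allowlisted clients may reach port 502 on the PLCs.
        ip saddr @modbus_clients ip daddr @plcs tcp dport 502 accept

        # Any other source aiming at port 502 on a PLC is counted,
        # logged for review, and dropped.
        ip daddr @plcs tcp dport 502 counter log prefix "m221-502-drop " drop
    }
}
```

After loading the file with `nft -f`, the counter and the `m221-502-drop` log prefix show whether anything outside the allowlist is still trying to reach the PLCs on port 502.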
Schneider Electric’s security notice SEVD-2018-235-01 is available at the following location: