Schneider Electric has published mitigation instructions for multiple vulnerabilities in its Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200 products, according to an advisory from ICS-CERT.
The remotely exploitable vulnerabilities, discovered by Nikita Maximov, Alexey Stennikov, and Kirill Chernyshov of Positive Technologies, are a stack-based buffer overflow, use of hard-coded credentials, and use of a broken or risky cryptographic algorithm.
The following versions of Modicon PLCs are affected:
• Modicon Premium all versions
• Modicon Quantum all versions
• Modicon M340 all versions
• Modicon X80 RTU (BMXNOR0200H) all versions
Successful exploitation of these vulnerabilities could give a remote, unauthorized attacker access to the file transfer service on the device, which could result in arbitrary code execution or installation of malicious firmware.
No known public exploits specifically target these vulnerabilities; however, an attacker with a low skill level could exploit them.
In one vulnerability, the FTP server does not limit the length of a command parameter, which can cause a buffer overflow condition.
CVE-2018-7240 has been assigned to this vulnerability, which has a CVSS v3 base score of 4.8.
In addition, the FTP servers contain a hard-coded account, which could allow unauthorized access.
CVE-2018-7241 has been assigned to this vulnerability, which has a CVSS v3 base score of 5.9.
Also, the FTP server does not limit the length of a command parameter, which may cause a buffer overflow condition.
CVE-2018-7242 has been assigned to this vulnerability, which has a CVSS v3 base score of 5.9.
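The defect described above (an FTP command parameter copied into a fixed buffer with no length check) is the classic cause of this kind of overflow. The following C example is added here for illustration and is not Schneider Electric's firmware code; the buffer sizes, the parameter limit, and the reply strings are assumptions chosen for the example. It shows the hardened pattern: the parser receives the raw line with an explicit length, bounds every copy by the destination size, and answers an over-length parameter with an FTP 501 reply instead of writing past the end of the field.

```c
#include <stdio.h>
#include <string.h>

/* Limits chosen for this example (the real firmware's sizes are not known). */
#define FTP_CMD_MAX   4     /* FTP verbs are at most 4 characters (RFC 959) */
#define FTP_PARAM_MAX 255   /* assumed maximum parameter length */
#define FTP_LINE_MAX  512   /* receive buffer for one command line */

enum ftp_parse_result {
    FTP_OK = 0,
    FTP_ERR_NO_CRLF,          /* line not terminated with CRLF */
    FTP_ERR_EMPTY,            /* nothing before the CRLF */
    FTP_ERR_CMD_TOO_LONG,     /* verb longer than FTP_CMD_MAX */
    FTP_ERR_PARAM_TOO_LONG    /* parameter longer than FTP_PARAM_MAX */
};

struct ftp_command {
    char verb[FTP_CMD_MAX + 1];
    char param[FTP_PARAM_MAX + 1];
    int  has_param;
};

/* Parse one raw line as received from the socket. The length is passed
 * explicitly because network data is not NUL-terminated. Every copy is
 * bounded by the destination size; over-length input is rejected with an
 * error code rather than written past the end of the struct fields. */
enum ftp_parse_result ftp_parse_line(const char *line, size_t len,
                                     struct ftp_command *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return FTP_ERR_NO_CRLF;
    len -= 2;                       /* strip the CRLF */
    if (len == 0)
        return FTP_ERR_EMPTY;

    /* The verb runs up to the first space (or the end of the line). */
    size_t i = 0;
    while (i < len && line[i] != ' ')
        i++;
    if (i > FTP_CMD_MAX)
        return FTP_ERR_CMD_TOO_LONG;
    memcpy(out->verb, line, i);
    out->verb[i] = '\0';
    for (size_t k = 0; k < i; k++)  /* verbs are case-insensitive */
        if (out->verb[k] >= 'a' && out->verb[k] <= 'z')
            out->verb[k] -= 'a' - 'A';

    if (i == len)
        return FTP_OK;              /* command without a parameter */
    i++;                            /* skip the separating space */
    size_t plen = len - i;
    if (plen > FTP_PARAM_MAX)       /* the check the vulnerable code lacks */
        return FTP_ERR_PARAM_TOO_LONG;
    memcpy(out->param, line + i, plen);
    out->param[plen] = '\0';
    out->has_param = 1;
    return FTP_OK;
}

/* Map a parse result to the reply the server sends instead of crashing. */
const char *ftp_reply_for(enum ftp_parse_result r)
{
    switch (r) {
    case FTP_OK:                 return "200 Command okay.";
    case FTP_ERR_PARAM_TOO_LONG: return "501 Syntax error in parameters or arguments.";
    case FTP_ERR_NO_CRLF:        return "500 Line too long.";
    case FTP_ERR_EMPTY:
    case FTP_ERR_CMD_TOO_LONG:   return "500 Syntax error, command unrecognized.";
    }
    return "500 Syntax error, command unrecognized.";
}

/* Demo on constructed input: a normal command and an over-length parameter. */
int main(void)
{
    struct ftp_command c;
    const char *good = "RETR firmware.bin\r\n";
    enum ftp_parse_result r = ftp_parse_line(good, strlen(good), &c);
    printf("RETR firmware.bin -> %s (verb=%s param=%s)\n",
           ftp_reply_for(r), c.verb, c.param);

    char bad[FTP_LINE_MAX];         /* "CWD " + 300 x 'A' + CRLF: too long */
    memcpy(bad, "CWD ", 4);
    memset(bad + 4, 'A', 300);
    memcpy(bad + 304, "\r\n", 2);
    r = ftp_parse_line(bad, 306, &c);
    printf("CWD with 300-byte parameter -> %s\n", ftp_reply_for(r));
    return 0;
}
```

The essential point is the single comparison against FTP_PARAM_MAX before the copy; without it, the size of the destination field is never consulted, and any client that sends a longer parameter controls what gets written beyond it.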
The product is used mainly in the critical manufacturing sector and is deployed worldwide.
Schneider Electric recommends that users follow the instructions outlined in the Modicon Controllers Platform – Cyber Security, Reference Manual to install Modicon PLCs securely.
Schneider Electric also recommends that affected users disable FTP services on the device whenever maintenance or configuration activities are not required.
For more information please see Schneider Electric’s security notification SEVD-2018-081-01.