Schneider Electric has mitigation details for an improper authentication vulnerability and cross-site request forgery vulnerability in its Modicon, Premium, and Quantum PLC modules, according to a report on ICS-CERT.
Independent researcher Arthur Gervais identified multiple vulnerabilities in the common Ethernet modules used across a broad range of Schneider Electric’s PLC products. These remotely exploitable vulnerabilities became public at the 2013 Digital Bond SCADA Security Scientific Symposium (S4) conference in January 2013.
The following Schneider Electric products suffer from the issue:
• Modicon M340 PLC modules
• Quantum PLC modules
• Premium PLC modules
A malicious attacker may remotely halt, reset, or change settings for PLC modules by exploiting these vulnerabilities. This could affect products deployed in the critical manufacturing, energy, water, agriculture and food, dams, transportation, postal, nuclear, government facilities, and defense industrial sectors worldwide.
Schneider Electric is a Europe-based company that maintains offices in 190 countries worldwide. Their PLC products see use in a wide variety of automation and control applications across all industrial, infrastructure, and building sectors.
The affected Modicon M340, Quantum, and Premium PLC lines are deployed in the United States, China, Russia, and India, and throughout the rest of the world.
Products supporting the Factory Cast feature, including the Modicon M340, Quantum, and Premium PLC ranges, allow users to send Modbus messages embedded in HTTP POST requests using SOAP messages.
Modbus commands sent to the PLC via this mechanism do not undergo authentication. These messages can result in unintended consequences such as halting operation or modification of I/O data to and from the PLC. CVE-2013-0664 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
The affected devices incorporate a Webserver interface that receives requests from clients without any mechanism for verifying that the request was intentionally sent. It is possible for an attacker to trick a client into making an unintentional request to the Webserver, which would end up treated as an authentic request.
Valid commands could thus be delivered to the PLC via specially crafted HTTP requests. CVE-2013-0663 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.
At present there are no known public exploits specifically targeting these vulnerabilities. An attacker with low to medium skill would be able to exploit these vulnerabilities.
Schneider Electric has not issued a patch or software update to mitigate these vulnerabilities, but has issued a vulnerability disclosure notification that contains the following recommended mitigations for both vulnerabilities:
• Do not connect the affected PLC modules to an untrusted network.
• If users need to make such a connection, block all HTTP access to the module from untrusted IP addresses using a firewall, and only allow HTTP connections from known IP addresses of secured workstations.
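The following is an added example, not code from the advisory, ICS-CERT, or Schneider Electric. It turns the two vendor mitigations above into a check that can be run over constructed HTTP access records, and it also reflects the two weaknesses described earlier: because the Modbus-over-SOAP path accepts POST requests without authentication, and because a CSRF'd browser on a trusted workstation would produce traffic that looks legitimate, SOAP POSTs are flagged for review even when they come from an allowlisted host. All addresses, ports, paths, timestamps and the log line format are constructed placeholders; the assumption that SOAP is carried as `text/xml` (SOAP 1.1) or `application/soap+xml` (SOAP 1.2) is general HTTP knowledge, not something the advisory states.

```python
import ipaddress
import re

# --- Constructed configuration (placeholder addresses, not from the advisory) ---
PLC_ADDRESS = ipaddress.ip_address("192.0.2.20")           # the PLC's Ethernet module
HTTP_PORTS = {80}                                            # assumed web-server port
TRUSTED_WORKSTATIONS = [                                     # secured engineering hosts
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("192.0.2.11/32"),
]
# Assumption: SOAP over HTTP arrives as text/xml (SOAP 1.1) or application/soap+xml (SOAP 1.2).
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")

# Constructed log format: '<ts> <src>:<sport> -> <dst>:<dport> <METHOD> <path> ct="<content-type>"'
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+'
    r'(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+ct="(?P<ct>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one constructed log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src):
    """True if the source address falls inside any allowlisted workstation network."""
    return any(src in net for net in TRUSTED_WORKSTATIONS)


def evaluate(rec):
    """Apply the vendor's allowlist mitigation and flag SOAP POSTs for review.

    Returns (verdict, reason) where verdict is one of:
      "ignore" - not HTTP traffic to the PLC, outside this rule's scope
      "block"  - HTTP to the PLC from a host that is not on the allowlist
      "review" - SOAP POST from an allowlisted host: the Modbus-over-SOAP path
                 is unauthenticated, and a CSRF'd browser on a trusted
                 workstation would show up here as apparently legitimate traffic
      "allow"  - other HTTP from an allowlisted host
    """
    if rec["dst"] != PLC_ADDRESS or rec["dport"] not in HTTP_PORTS:
        return "ignore", "not HTTP traffic to the PLC web server"
    if not is_trusted(rec["src"]):
        return "block", f"HTTP to PLC from untrusted source {rec['src']}"
    content_type = rec["ct"].split(";")[0].strip().lower()
    if rec["method"] == "POST" and content_type in SOAP_CONTENT_TYPES:
        return "review", f"SOAP POST from trusted host {rec['src']}: confirm it was operator-initiated"
    return "allow", "HTTP from allowlisted workstation"


def audit(lines):
    """Evaluate each parseable line; returns a list of (ts, src, verdict, reason)."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, reason = evaluate(rec)
        results.append((rec["ts"], str(rec["src"]), verdict, reason))
    return results


# Constructed sample traffic (placeholder addresses, paths and timestamps).
SAMPLE_LOG = [
    '2013-01-20T10:00:01 192.0.2.10:50211 -> 192.0.2.20:80 GET /index.htm ct=""',
    '2013-01-20T10:00:07 192.0.2.10:50212 -> 192.0.2.20:80 POST /placeholder/soap ct="text/xml; charset=utf-8"',
    '2013-01-20T10:00:09 198.51.100.7:41020 -> 192.0.2.20:80 POST /placeholder/soap ct="text/xml"',
    '2013-01-20T10:00:12 198.51.100.7:41021 -> 192.0.2.20:502 MODBUS - ct=""',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for ts, src, verdict, reason in audit(SAMPLE_LOG):
        print(f"{ts} {src:>14} {verdict:<6} {reason}")
```

The "review" verdict is the part the allowlist alone does not give you: the firewall rule stops the untrusted-source case (CVE-2013-0664 from outside), but a request the PLC cannot authenticate looks the same whether an operator or a CSRF'd browser on a permitted workstation sent it, so SOAP POSTs from trusted hosts still need to be reconciled against operator activity.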