Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC

Tenable Research discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller. Schneider has recommended mitigations for impacted end users.

Background

While examining a Schneider Modicon Quantum programmable logic controller (PLC) Tenable Research discovered several vulnerabilities.

The Modicon Quantum is used for complex process control, safety and infrastructure in industrial settings like manufacturing. Industrial control systems typically include a computer called a programmable logic controller (PLC). PLCs connect directly to instruments, for example valve and pump actuators and motors, that perform industrial processes. They communicate with other PLCs and supervisory control and data acquisition (SCADA) devices, and often connect to operator interfaces, whether local or remote via network communications.

PLCs provide automated functions to manage aspects such as pressure, flow, temperature, motion control and other process variables. They have replaced traditional analogue controls, historically based on mechanical, pneumatic or electronic components, with digital programmable software.

The vulnerabilities we discovered include unauthenticated remote flaws that permit a malicious attacker to delete legitimate accounts, and change the password for the admin account. A threat actor can gain full administrator access.

Analysis

Our research focused on the Schneider Modicon Quantum PLC with a 140 NOC77101 Ethernet communication module.

The first two vulnerabilities that we discovered permit an unauthenticated attacker to manipulate user accounts via the built-in web server in the PLC. An attacker can change any user's passwords, including the administrator password (CVE-2018-7811). It is also possible to delete the existing admin username and password (CVE-2018-7809) for the web interface, in the process resetting the web server username and password to USER:USER.

We also discovered two web application vulnerabilities that permit cross-site scripting attacks. In a cross-site scripting (XSS) attack, malicious code is injected into otherwise benign and trusted websites or URLs.The attacker uses the web application to send malicious code, usually in the form of a browser side script, to a different end user. One of the vulnerabilities is a reflected cross-site scripting flaw (CVE-2018-7810). An attacker can insert Javascript into the "name" parameter that will then be executed by the client clicking on the crafted link.

The second web application vulnerability is a cross-site request forgery (CSRF) flaw (CVE-2018-7831). An attacker can forge a link to be sent to an authenticated victim. Once clicked, the victim’s password will be changed to a password chosen by the attacker.

Lastly, we also discovered two denial-of-service (DoS) vulnerabilities. One of the DoS vulnerabilities can be triggered by sending a crafted request to the web server and will render the web server inaccessible for around one minute (CVE-2018-7830). The other DoS vulnerability impacts a Schneider Modbus function, and can be used to completely shut down the communication module.

You can find further technical details in the Advisory.

Business impact

Organizations using these devices in ICS and SCADA environments have two key priorities: securing health, safety and the environment and protecting the business processes that matter most. These priorities may pull against one another when it comes to vulnerabilities in hardware like a PLC. These devices provide critical control functionality and cannot be taken offline to be patched, in the event any patch is provided.

Organizations must have visibility into their OT assets and put strong controlling measures in place to mitigate risk. The lifespans of these devices are measured in decades and, because of increasing cost pressures, those lifespans are being stretched even further. This means organizations may have vulnerable devices in sensitive environments for extended periods of time. Visibility and mitigation have to be a top priority.

Solution

Schneider has issued a Security Notification for these vulnerabilities. Because the Quantum product line is end of life, software updates will not be released. Schneider has provided a set of recommendations, including standard mitigations, to protect impacted end users from these vulnerabilities. These mitigations are outlined in the Security Notification and include:

  • Disable the web server by default
  • Configure access control lists to restrict web server access to authorized IP addresses
  • Protect access to Modicon products with network, industrial, and application firewalls

Identifying affected systems

The products affected include all Modicon M340, Premium, Quantum PLCs and BMXNOR0200. Tenable has released a Nessus plugin to detect CVE-2018-7831, which can be found here.

Additional information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security