Unpatched Critical RCE Bug Allows Industrial, Utility Takeovers
#1
Information 
Quote:A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light, which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments.
 
If exploited, attackers could impact production lines, sensors and conveyor belts in factory settings, according to the researchers at Armis who discovered the bug – as well as affect devices familiar to the everyday consumer, such as elevators, HVACs and other automated devices.
 
The vulnerability (CVE-2021-22779), which takes advantage of undocumented commands in device code, impacts the Modicon M340, M580 and other models from the Modicon series, according to Armis, which dubbed it “ModiPwn.” It’s technically an authentication bypass by spoofing vulnerability, researchers said, and it rates 9.8 out 10 on the CVSS vulnerability-rating scale, making it critical. It’s one of a slew of bugs addressed by the vendor on Tuesday.
 
Any attack would begin with gaining network access to the same network to which the targeted Modicon PLC is attached, researchers said – a positive mitigation in that the extra, required first step makes it harder for an attacker to be successful.
 
However, “through this access, the attacker can leverage undocumented commands in the UMAS protocol and leak a certain hash from the device’s memory,” according to Armis’ analysis, released on Tuesday. UMAS is a proprietary protocol used to configure and monitor Schneider PLCs.
 
Researchers added, “Using this hash, the attacker can take over the secure connection between the controller and its managing workstation to reconfigure the controller with a password-less configuration. This will allow the attacker to abuse additional undocumented commands that lead to remote-code-execution — a full takeover of the device.”
 
This takeover can then be used to install malware on the controller, alter its operation and then hide the attack’s breadcrumbs from the workstation that manages the controller, they added.

Read more: Unpatched, Critical RCE Bug Allows Utility Takeovers | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
GFYI [Official] EaseUS Christmas 2024 B...
Merry Christmas and ...zevish — 08:07
AirVPN Christmas Sale 2024!
AirVPN CHRISTMAS SAL...jasonX — 07:52
ON1 Software
ON1 Photo RAW 2025.1...jasonX — 06:29
QOwnNotes 19.1.6
24.12.4 The wel...Kool — 12:56
INTEL Arc Graphics 32.0.101.6325/6253 dr...
Highlights Fix...harlan4096 — 11:06

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>