Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC

Tenable Research

Tenable Research discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller. Schneider has recommended mitigations for impacted end users.

Background

While examining a Schneider Modicon Quantum programmable logic controller (PLC) Tenable Research discovered several vulnerabilities.

The Modicon Quantum is used for complex process control, safety and infrastructure in industrial settings like manufacturing. Industrial control systems typically include a computer called a programmable logic controller (PLC). PLCs connect directly to instruments, for example valve and pump actuators and motors, that perform industrial processes. They communicate with other PLCs and supervisory control and data acquisition (SCADA) devices, and often connect to operator interfaces, whether local or remote via network communications.

PLCs provide automated functions to manage aspects such as pressure, flow, temperature, motion control and other process variables. They have replaced traditional analogue controls, historically based on mechanical, pneumatic or electronic components, with digital programmable software.

The vulnerabilities we discovered include unauthenticated remote flaws that permit a malicious attacker to delete legitimate accounts, and change the password for the admin account. A threat actor can gain full administrator access.

Analysis

Our research focused on the Schneider Modicon Quantum PLC with a 140 NOC77101 Ethernet communication module.

The first two vulnerabilities that we discovered permit an unauthenticated attacker to manipulate user accounts via the built-in web server in the PLC. An attacker can change any user's passwords, including the administrator password (CVE-2018-7811). It is also possible to delete the existing admin username and password (CVE-2018-7809) for the web interface, in the process resetting the web server username and password to USER:USER.

We also discovered two web application vulnerabilities that permit cross-site scripting attacks. In a cross-site scripting (XSS) attack, malicious code is injected into otherwise benign and trusted websites or URLs.The attacker uses the web application to send malicious code, usually in the form of a browser side script, to a different end user. One of the vulnerabilities is a reflected cross-site scripting flaw (CVE-2018-7810). An attacker can insert Javascript into the "name" parameter that will then be executed by the client clicking on the crafted link.

The second web application vulnerability is a cross-site request forgery (CSRF) flaw (CVE-2018-7831). An attacker can forge a link to be sent to an authenticated victim. Once clicked, the victim’s password will be changed to a password chosen by the attacker.

Lastly, we also discovered two denial-of-service (DoS) vulnerabilities. One of the DoS vulnerabilities can be triggered by sending a crafted request to the web server and will render the web server inaccessible for around one minute (CVE-2018-7830). The other DoS vulnerability impacts a Schneider Modbus function, and can be used to completely shut down the communication module.

You can find further technical details in the Advisory.

Business impact

Organizations using these devices in ICS and SCADA environments have two key priorities: securing health, safety and the environment and protecting the business processes that matter most. These priorities may pull against one another when it comes to vulnerabilities in hardware like a PLC. These devices provide critical control functionality and cannot be taken offline to be patched, in the event any patch is provided.

Organizations must have visibility into their OT assets and put strong controlling measures in place to mitigate risk. The lifespans of these devices are measured in decades and, because of increasing cost pressures, those lifespans are being stretched even further. This means organizations may have vulnerable devices in sensitive environments for extended periods of time. Visibility and mitigation have to be a top priority.

Solution

Schneider has issued a Security Notification for these vulnerabilities. Because the Quantum product line is end of life, software updates will not be released. Schneider has provided a set of recommendations, including standard mitigations, to protect impacted end users from these vulnerabilities. These mitigations are outlined in the Security Notification and include:

  • Disable the web server by default
  • Configure access control lists to restrict web server access to authorized IP addresses
  • Protect access to Modicon products with network, industrial, and application firewalls

Identifying affected systems

The products affected include all Modicon M340, Premium, Quantum PLCs and BMXNOR0200. Tenable has released a Nessus plugin to detect CVE-2018-7831, which can be found here.

Additional information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Nov 27, 2018

People also viewed

Customer Success Manager - ANZ

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

Finance & Investor Relations Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

Field and Channel Marketing Manager, Nordics and Benelux

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

Senior Data Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

Technical Support Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.