May 20, 2022

KLCERT-20-061 / KLCERT-20-068: Schneider Electric Modicon M340/M580 Authentication Bypass by Spoofing

  • CVE

    2021-22779

  • KLCERT

    KLCERT-20-061 / KLCERT-20-068

Researcher

Andrey Muravitsky, Senior Security Researcher, Kaspersky ICS CERT

Timeline

  • Kaspersky ICS CERT advisory published

May 20, 2022

  • Advisory published

July 2021

Description

Kaspersky ICS CERT has discovered an authentication bypass by spoofing vulnerability (CVE-2021-22779) in Schneider Electric Modicon M340 and M580 controllers.
Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the controller and send control commands to it.

Existence of exploit

Proof-of-Concept

Affected products

The following Schneider Electric products:

  • Modicon M580 CPU (part numbers BMEP* and BMEH*), all versions
  • Modicon M340 CPU (part numbers BMXP34*), < V3.50

Mitigation

Vendor mitigation

Upgrading to EcoStruxure™ Control Expert V15.1 and EcoStruxure™ Process Expert V2021 is the first of two steps needed to fully address this vulnerability; the second is to apply the mitigation recommendations listed below for each product.

EcoStruxure™ Control Expert versions prior to V15.1, including all versions of Unity Pro (former name of EcoStruxure™ Control Expert):

  • Update EcoStruxure™ Control Expert to V15.1
  • It is strongly recommended that customers using Unity Pro should consider migrating to EcoStruxure™ Control Expert. Please contact your local Schneider Electric technical support for more information.
  • Store project files in a secure storage and restrict access to trusted users only
  • When exchanging files over the network, use secure communication protocols
  • Encrypt project files when stored
  • Only open project files received from trusted sources
  • Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
  • Harden the workstation running EcoStruxure™ Control Expert or Unity Pro

EcoStruxure™ Process Expert versions prior to V2021, including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert):

  • Update EcoStruxure™ Process Expert to V2021
  • Store project files in a secure storage and restrict access to trusted users only
  • When exchanging files over the network, use secure communication protocols
  • Encrypt project files when stored
  • Only open project files received from trusted sources
  • Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
  • Harden the workstation running EcoStruxure™ Process Expert

SCADAPack RemoteConnect, all versions:

  • Store project files in a secure storage and restrict access to trusted users only
  • When exchanging files over the network, use secure communication protocols
  • Encrypt project files when stored
  • Only open project files received from trusted sources
  • Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
  • Harden the workstation running SCADAPack RemoteConnect™
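The "compute a hash of each project file and regularly check its consistency" recommendation is repeated for Control Expert, Process Expert and SCADAPack RemoteConnect above. The script below is an added example of how to implement it on the engineering workstation; it is not part of the advisory or of any Schneider Electric tool. The set of file extensions treated as project files, the directory layout and the sample file contents are assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Assumption (not from the advisory): extensions treated as project files.
# .stu/.sta are Control Expert project/archive files, .zef/.xef are exports;
# extend the set for Process Expert or SCADAPack RemoteConnect formats.
PROJECT_SUFFIXES = {".stu", ".sta", ".zef", ".xef"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large project archives need not fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every project file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROJECT_SUFFIXES
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    """Persist the baseline as JSON. Keep this file where project-file users cannot
    write (read-only share, separate host): a baseline an attacker can rewrite proves nothing."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(Path(path).read_text())


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against the baseline and classify every file."""
    current = build_baseline(root)
    return {
        "ok": sorted(k for k in baseline if current.get(k) == baseline[k]),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two project files, then tamper with one,
    delete one and drop in an unexpected one before re-checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Station1.stu").write_bytes(b"constructed project contents A")
        (root / "Station2.zef").write_bytes(b"constructed project contents B")
        (root / "readme.txt").write_bytes(b"not a project file, ignored")
        baseline_path = root / "baseline.json"          # .json is not a project suffix
        save_baseline(build_baseline(root), baseline_path)

        (root / "Station1.stu").write_bytes(b"constructed project contents A, altered")  # tampered
        (root / "Station2.zef").unlink()                                                 # removed
        (root / "Station3.sta").write_bytes(b"constructed project contents C")           # unexpected
        return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    report = demo()
    for status, files in report.items():
        print(f"{status:9s} {files}")
    # Non-zero exit on any deviation so the check can gate a scheduled task or a CI job.
    raise SystemExit(1 if report["modified"] or report["missing"] or report["new"] else 0)
```

Run `build_baseline`/`save_baseline` once on a clean tree and `verify` before every project open or download; treat "modified", "missing" and "new" as findings to investigate rather than auto-refresh the baseline. The hash only detects change, it does not tell you who changed the file, so pair it with the access restrictions listed above.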

Modicon M580 CPU (part numbers BMEP* and BMEH*), all versions:

Modicon M340 CPU (part numbers BMXP34*), versions prior to V3.50:

  • Update Modicon M340 firmware to version 3.50 or higher
  • Using application passwords is recommended in addition to following the remediation recommendations provided for EcoStruxure™ Control Expert to ensure the complete remediation of this issue
  • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP
  • Configure the Access Control List following the recommendations provided in the following user manual: “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”

Set up a VPN connection between impacted Modicon PLC modules and the engineering workstation with EcoStruxure™ Control Expert or Process Expert.
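The network-side mitigations above (block unauthorized access to port 502/TCP, configure the module's Access Control List) reduce to one rule: only designated engineering workstations may open Modbus/TCP sessions to the PLCs. The script below is an added example, not part of the advisory, that audits connection records against such an allowlist so you can confirm the firewall or ACL is actually enforcing it. The PLC subnet, the workstation addresses and the flow-record lines are constructed for the demonstration; real firewall and flow-exporter formats differ.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Union

MODBUS_TCP_PORT = 502

# Assumed addressing plan (illustrative, not from the advisory): PLCs live in
# 10.10.20.0/24 and only two engineering workstations may talk Modbus/TCP to them.
PLC_SUBNET = ipaddress.ip_network("10.10.20.0/24")
ALLOWED_MODBUS_CLIENTS = {
    ipaddress.ip_address("10.10.10.5"): "EWS-01 (EcoStruxure Control Expert)",
    ipaddress.ip_address("10.10.10.6"): "EWS-02 (EcoStruxure Process Expert)",
}

# Constructed flow records in a simple key=value form.
SAMPLE_FLOWS = """\
2022-05-20T08:01:12Z proto=TCP src=10.10.10.5 sport=51022 dst=10.10.20.11 dport=502
2022-05-20T08:01:15Z proto=TCP src=10.10.30.77 sport=40512 dst=10.10.20.11 dport=502
2022-05-20T08:02:03Z proto=TCP src=10.10.10.5 sport=51023 dst=10.10.20.12 dport=80
2022-05-20T08:02:40Z proto=TCP src=192.168.1.50 sport=3345 dst=10.10.20.11 dport=502
2022-05-20T08:03:10Z proto=TCP src=10.10.10.6 sport=52001 dst=10.10.20.12 dport=502
2022-05-20T08:03:22Z proto=UDP src=10.10.30.77 sport=5000 dst=10.10.20.11 dport=502
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: IPAddress
    dst: IPAddress
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"],
        proto=m["proto"].upper(),
        src=ipaddress.ip_address(m["src"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
    )


def is_plc_modbus_flow(flow: Flow) -> bool:
    """Modbus/TCP to a PLC: TCP, destination port 502, destination inside the PLC subnet.
    UDP to 502 is not Modbus/TCP and is left to other rules."""
    return flow.proto == "TCP" and flow.dport == MODBUS_TCP_PORT and flow.dst in PLC_SUBNET


def is_authorized(flow: Flow) -> bool:
    """The allowlist the firewall (and the module ACL) is expected to enforce."""
    return flow.src in ALLOWED_MODBUS_CLIENTS


def audit(lines: Iterable[str]) -> list[dict[str, str]]:
    """Return every Modbus/TCP flow to a PLC whose source is not an allowed workstation."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_plc_modbus_flow(flow):
            continue
        if not is_authorized(flow):
            violations.append({"ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst)})
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{v['ts']} unauthorized Modbus/TCP: {v['src']} -> {v['dst']}:{MODBUS_TCP_PORT}")
```

On the constructed records the audit flags the two sessions from 10.10.30.77 and 192.168.1.50; the HTTP connection and the authorized workstations pass. Keep in mind that an IP allowlist, whether in a firewall or in the M340 module's ACL, is filtering, not authentication: a host that reaches the PLC segment can spoof a permitted address. That is why the advisory lists these controls in addition to application passwords, the firmware update and a VPN to the engineering workstation, not instead of them.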

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
