High-Severity Flaws Patched in Schneider Electric Products

Schneider Electric has released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products.

The flaws, which affect Schneider Electric’s PowerLogic PM5560 power meter and its Modicon M221 programmable logic controller, can be exploited remotely, according to two advisories released by ICS-CERT on Tuesday.

The PowerLogic PM5560 (all versions prior to firmware Version 2.5.4) contains a cross-site scripting flaw, CVE-2018-7795. The advisory noted that no known public exploits target this flaw.

“Successful exploitation of this vulnerability could allow user input to be manipulated, allowing for remote code execution,” according to the advisory.

What the advisory calls remote code execution is the usual outcome of cross-site scripting: an attacker who can get crafted input into a page served by the device’s web interface causes JavaScript of their choosing to run in the browser of a user who views that page, within that user’s session on the device, which can be enough to act with that user’s privileges. It is script execution in the victim’s browser, not native code running on the meter.

The flaw, which is remotely exploitable and which ICS-CERT says requires a “low skill level” to exploit, carries a CVSS v3 base score of 8.2, rated “high” on the CVSS scale. Schneider Electric has released a fix. The vulnerability was discovered by security researchers Ezequiel Fernandez and Bertin Jose.

A set of additional high-severity vulnerabilities was discovered in Schneider Electric’s Modicon M221 series of products (all versions prior to firmware V1.6.2.0). The programmable logic controller (PLC) monitors inputs and outputs and makes logic-based decisions for automated systems.

“Successful exploitation of these vulnerabilities may allow unauthorized users to replay authentication sequences, overwrite passwords, or decode passwords,” according to the advisory.

The first flaw, CVE-2018-7790, allows unauthorized users to replay authentication sequences. Authentication that can be replayed verbatim is, by definition, not bound to a fresh per-session challenge, so capturing one valid exchange on the network is sufficient. An attacker who exploits this vulnerability and connects to a Modicon M221 may upload the original program from the PLC (in PLC terminology, “upload” means reading the program out of the controller to the attacker’s workstation), according to Schneider Electric. This flaw was given a CVSS base score of 7.1, or “high.”

The second flaw, CVE-2018-7791, enables unauthorized users to overwrite the original password, according to the advisory.  If an attacker exploits this vulnerability and overwrites the password, the attacker may upload the original program from the PLC. This flaw was given a CVSS base score of 7.7, or “high.”

Finally, Modicon M221 products contain a flaw, CVE-2018-7792, that allows unauthorized users to decode the password using a rainbow table: a precomputed lookup structure that maps hash values back to the plaintexts that produce them, so that an unsalted password hash can be reversed with a table search instead of a fresh brute-force run. This flaw was given a CVSS base score of 7.7, or “high.”
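The rainbow-table idea is easier to see in working code. The following is an added example written for this article; it is not code from Schneider Electric, ICS-CERT or the researchers, and it says nothing about how the M221 actually stores or checks passwords. It assumes a constructed toy setting: passwords of three lowercase letters, unsalted SHA-256 as the hash, and a reduction function chosen for the example. It builds the precomputed table, recovers passwords from bare hashes (both a chain head and a password in the middle of a chain), measures how much of the password space the table covers, and shows that a per-password salt makes the same table useless.

```python
import hashlib
import itertools
import string

# Constructed toy setting (an assumption of this example, not the advisory's):
# three-lowercase-letter passwords hashed with unsalted SHA-256.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 20                    # hash -> reduce steps per stored chain

def H(pw: str) -> bytes:
    """The unsalted hash under attack (SHA-256 is a stand-in)."""
    return hashlib.sha256(pw.encode()).digest()

def R(i: int, digest: bytes) -> str:
    """Reduction function number i: map a digest back to some candidate password.
    A different reduction per chain position is what makes this a rainbow table
    rather than a plain hash chain; it keeps chains from merging as often."""
    n = (int.from_bytes(digest[:8], "big") + i) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def chain(start: str):
    """Yield the CHAIN_LEN passwords along one chain beginning at `start`."""
    x = start
    for i in range(CHAIN_LEN):
        yield x
        x = R(i, H(x))

def build_table(starts):
    """Precompute once: store only endpoint -> [starts]; the middle is recomputed on lookup."""
    table = {}
    for start in starts:
        x = start
        for i in range(CHAIN_LEN):
            x = R(i, H(x))
        table.setdefault(x, []).append(start)
    return table

def lookup(table, target: bytes):
    """Recover the password whose unsalted hash is `target`, or None if not covered."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at position i of some chain. Finish
        # that chain from position i+1 and check whether its endpoint is stored.
        x = R(i, target)
        for j in range(i + 1, CHAIN_LEN):
            x = R(j, H(x))
        # An endpoint hit can be a false alarm (merged or colliding chains),
        # so walk every candidate chain and verify each position against target.
        for start in table.get(x, ()):
            for y in chain(start):
                if H(y) == target:
                    return y
    return None

def salted_hash(pw: str, salt: bytes) -> bytes:
    """The defence: a per-password salt means a table built for H(pw) says
    nothing about H(salt || pw), so the precomputation no longer pays off."""
    return hashlib.sha256(salt + pw.encode()).digest()

def coverage(starts) -> float:
    """Fraction of the password space reachable from the stored chains."""
    seen = set()
    for start in starts:
        seen.update(chain(start))
    return len(seen) / SPACE

def demo_starts():
    """Constructed chain starts: two fixed ones plus every 8th password in the space."""
    every = ("".join(t) for t in itertools.product(ALPHABET, repeat=PW_LEN))
    return ["plc", "abc"] + list(itertools.islice(every, 0, None, 8))

def demo():
    starts = demo_starts()
    table = build_table(starts)
    mid = R(0, H("abc"))  # the password one step into the "abc" chain
    return {
        "table_entries": len(table),
        "coverage": coverage(starts),
        "hit_start": lookup(table, H("plc")),  # chain head: always recoverable
        "hit_mid": lookup(table, H(mid)) == mid,
        "salted_miss": lookup(table, salted_hash("plc", b"\x13\x37\xc0\xde")),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The table stores only chain endpoints, so its size is a small fraction of the password space while its reach is the union of every chain; the cost is moved into lookup, which recomputes chain tails. That trade is exactly why an unsalted, fast hash on an embedded device is a problem: the precomputation is done once, offline, and reused against every device with the same scheme. A random per-password salt (and, in practice, a deliberately slow key-derivation function) forces the attacker back to per-password brute force.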

Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans reported these vulnerabilities.

Schneider Electric has also released a fix for its Modicon M221 lineup, available on its website.

As a temporary mitigation, the company suggested that Modicon M221 users set up a firewall blocking all remote or external access to port 502 (the Modbus/TCP port), and disable all unused protocols within the Modicon M221 application, especially the programming protocol.

“This will prevent remote programming of the M221 PLC,” according to Schneider Electric.

In May, Schneider Electric issued fixes for a vulnerability in its SoMachine Basic software that could result in the disclosure and retrieval of arbitrary data, as well as for a critical remote code execution vulnerability in two of its industrial control products that could give attackers the ability to disrupt or shut down plant operations.