Researchers from the Cisco Talos team discovered 11 vulnerabilities in a number of Schneider Electric Modicon Programmable Logic Controllers (PLCs).
Cisco Talos released its vulnerability analysis together with recommendations to help users mitigate the risks.
“There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric’s Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in the Modicon’s use of FTP,” write Cisco Talos specialists.
The vulnerabilities affect the Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum (no longer supported) and Premium, as well as the Modicon BMxCRA and 140CRA modules. The latest M580 controller is affected by all 11 issues; the other products are affected by between 2 and 8 each.
The vulnerabilities are in the Modbus, FTP and TFTP protocols, as well as in the REST API. The issues affecting TFTP and the REST API (CVE-2019-6841 and CVE-2019-6851) can be exploited by sending specially crafted requests to the target device.
“Using a vulnerability in TFTP could lead to leaks of information about files and directories; however, according to Schneider Electric, the TFTP port is disabled by default on the controllers,” write researchers at Cisco Talos.
Three vulnerabilities in the REST API (CVE-2019-6848, CVE-2019-6849, CVE-2019-6850) are regarded as dangerous: they can be used to conduct DoS attacks or can lead to leakage of confidential information.
A vulnerability in Modbus (CVE-2019-6845) results in confidential information being transferred in clear text when Modbus is used to move applications to the controller. The issues affecting FTP can be used to cause a denial of service with a specially crafted firmware image.
The researchers reported the vulnerabilities to the company in May and July this year. Although Schneider Electric did not release any patches for these vulnerabilities, it provided a number of recommendations to prevent potential attacks.
In particular, users are advised to disable the affected services where they are not needed, block unauthorized access to certain ports on the firewall, and change the default passwords.