23 November 2018

Critical vulnerability in Modicon M221 PLC

A critical vulnerability (CVE-2018-7798), which could lead to traffic interception, has been identified in Schneider Electric Modicon M221 PLCs. Successful exploitation of the vulnerability could allow attackers to modify an affected device’s IPv4 configuration, including its IP address, mask and gateway, when remotely connected to the device.

The issue is caused by an improper implementation of the network configuration module in the UMAS protocol, which results in insufficient verification of the authenticity of incoming data transferred over that protocol.

A CVSS v3 base score of 8.2 has been calculated for this vulnerability.

Schneider Electric has not yet released a firmware update for affected devices, but it has published recommendations to minimize the risk of this flaw being exploited. Specifically, the vendor recommends that owners of affected PLCs configure firewalls to block all remote/external access to port 502 on these devices and disable all unused network protocols, especially the programming protocol.
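As an added illustration of the vendor's advice (example code written for this page, not from Schneider Electric or ICS CERT), the script below classifies Modbus/TCP connections to a PLC: anything reaching port 502 from outside a constructed engineering-network allowlist is alerted on, and UMAS traffic (Modbus function code 0x5A, which carries Schneider's programming protocol) is logged even when it comes from an allowed host. The allowlist subnet and the sample frames are assumptions constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed allowlist: the only subnet that should reach PLC port 502 at all
# (assumption for this example; in practice this is the engineering network).
ENGINEERING_NETS = [ip_network("10.0.5.0/24")]
MODBUS_TCP_PORT = 502
UMAS_FUNCTION_CODE = 0x5A  # Schneider's UMAS programming protocol rides on Modbus function code 90

def parse_modbus_tcp(frame: bytes) -> tuple[int, int, bytes]:
    """Split a Modbus/TCP frame into (unit id, function code, PDU data).

    The 7-byte MBAP header holds transaction id, protocol id (0 for Modbus),
    length (number of bytes that follow the length field) and unit id, big-endian.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]

def classify(src_ip: str, dst_port: int, frame: bytes) -> str:
    """Rate one connection to a PLC as 'ignore', 'allow', 'info' or 'alert'."""
    if dst_port != MODBUS_TCP_PORT:
        return "ignore"
    src = ip_address(src_ip)
    if not any(src in net for net in ENGINEERING_NETS):
        # Any remote/external reach of port 502 is exactly what the vendor says to block.
        return "alert"
    _, func, _ = parse_modbus_tcp(frame)
    if func == UMAS_FUNCTION_CODE:
        # Programming-protocol traffic is worth logging even from an allowed host.
        return "info"
    return "allow"

# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("000100000006010300000001")  # FC 0x03: read 1 register at address 0
UMAS_FRAME = bytes.fromhex("00020000000401" + "5a0001")    # FC 0x5A with two constructed payload bytes

if __name__ == "__main__":
    samples = [("10.0.5.7", READ_HOLDING), ("10.0.5.7", UMAS_FRAME), ("203.0.113.9", READ_HOLDING)]
    for src, frame in samples:
        print(src, hex(frame[7]), classify(src, 502, frame))
```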

Sources: Schneider Electric, ICS CERT