29 March 2018

Multiple vulnerabilities identified in the Modicon family of industrial controllers

US-CERT has published an advisory on vulnerabilities in the Modicon family of industrial controllers by Schneider Electric. Successful exploitation of these vulnerabilities could give remote, unauthenticated attackers access to the file transfer service on vulnerable devices, enabling them to execute arbitrary code or install malicious firmware.

The vulnerabilities identified affect the following Modicon PLC models:

  • Modicon Premium;
  • Modicon Quantum;
  • Modicon M340;
  • Modicon X80 RTU (BMXNOR0200H).

According to a security notification by Schneider Electric, the security issues identified are associated with three vulnerabilities in embedded FTP servers:

  • Unlimited length of a command parameter, which may cause a buffer overflow condition (CVE-2018-7240). This vulnerability affects only Modicon Quantum PLCs;
  • Hardcoded accounts (CVE-2018-7241), which can be used for unauthorized access;
  • The use of hash algorithms that are vulnerable to hash function collision search attacks (CVE-2018-7242).

To minimize the risk associated with possible exploitation of the vulnerabilities, Schneider Electric recommends that access to Modicon PLCs be restricted using a firewall and that the FTP service be enabled only when necessary (the FTP service is disabled by default).
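The recommendation above (firewall off the PLCs, keep FTP disabled unless it is actually needed) is easiest to verify from the perimeter firewall's own connection logs. The script below is an added example, not code from the advisory, ICS-CERT or Schneider Electric: it reads constructed firewall log lines, and for every TCP/21 connection aimed at the PLC subnet it raises an alert when the source is not an approved engineering workstation, records a blocked attempt when the firewall denied it, and notes approved-host FTP sessions as informational so they can be reconciled against maintenance windows. The log format, the subnet 10.20.30.0/24, the engineering-host addresses and the sample lines are all assumptions made for this example.

```python
# Added example (not part of the advisory): audit constructed firewall connection
# logs for FTP (TCP/21) sessions reaching Modicon PLCs. Network layout, log
# format and allowlists below are assumptions, not values from the advisory.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical OT layout: PLCs live in one subnet, and only two engineering
# workstations are ever allowed to open FTP sessions to them.
PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ENGINEERING_HOSTS = {
    ipaddress.ip_address("10.20.10.5"),
    ipaddress.ip_address("10.20.10.6"),
}
FTP_PORTS = {21}  # control channel; data channel ports are negotiated per session

# Constructed sample log lines in the format
# "<timestamp> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>".
SAMPLE_LOG = """
2018-03-29T10:00:01Z proto=tcp src=10.20.10.5:51000 dst=10.20.30.15:21 action=allow
2018-03-29T10:00:07Z proto=tcp src=192.168.50.77:40211 dst=10.20.30.15:21 action=allow
2018-03-29T10:00:09Z proto=tcp src=192.168.50.77:40212 dst=10.20.30.16:21 action=deny
2018-03-29T10:00:12Z proto=tcp src=10.20.10.9:40300 dst=10.20.30.15:502 action=allow
2018-03-29T10:00:20Z proto=udp src=10.20.10.9:40301 dst=10.20.30.15:21 action=allow
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    severity: str  # "alert", "blocked" or "info"
    reason: str


def parse_line(line: str):
    """Split one log line into (timestamp, proto, src_ip, dst_ip, dst_port, action)."""
    parts = line.split()
    timestamp = parts[0]
    fields = dict(p.split("=", 1) for p in parts[1:])
    src_ip, _, _ = fields["src"].rpartition(":")
    dst_ip, _, dst_port = fields["dst"].rpartition(":")
    return (
        timestamp,
        fields["proto"],
        ipaddress.ip_address(src_ip),
        ipaddress.ip_address(dst_ip),
        int(dst_port),
        fields["action"],
    )


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return findings for every FTP control-channel connection to a PLC."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, proto, src, dst, dport, action = parse_line(line)
        # Only TCP/21 towards the PLC subnet is in scope for this check.
        if proto != "tcp" or dst not in PLC_SUBNET or dport not in FTP_PORTS:
            continue
        approved = src in ENGINEERING_HOSTS
        if action == "deny":
            findings.append(Finding(ts, str(src), str(dst), "blocked",
                                    "firewall denied FTP to PLC"))
        elif not approved:
            findings.append(Finding(ts, str(src), str(dst), "alert",
                                    "FTP to PLC allowed from unapproved host"))
        else:
            findings.append(Finding(ts, str(src), str(dst), "info",
                                    "FTP to PLC from engineering host; confirm FTP was meant to be enabled"))
    return findings


def alerts(lines: Iterable[str]) -> List[Finding]:
    """Only the findings that need immediate attention."""
    return [f for f in audit(lines) if f.severity == "alert"]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.severity:8} {f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

Running the block against the constructed sample yields one informational entry (approved workstation), one alert (an unapproved host reached the FTP service, which is exactly the exposure the advisory warns about) and one blocked attempt; the Modbus/TCP connection on port 502 and the UDP line are ignored because they are outside the FTP check. On a real network the allowlist and subnet would come from the site's asset inventory, and the alert line is the one to route to the SOC.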

Sources: ICS-CERT, Schneider Electric