Claroty discloses new vulnerabilities in Modicon M221 PLCs

Claroty

Friday, 13 November, 2020

Claroty has released new research that discloses four vulnerabilities in Schneider Electric’s Modicon M221 PLC and EcoStruxure Machine Expert Basic. The details were privately disclosed in June, and Schneider Electric has recommended mitigations for these security issues, which affect M221, all versions, and EcoStruxure Machine Expert Basic, all versions. The vulnerabilities could allow an advanced attacker to bypass authentication on these devices, break the encryption securing data transfers, modify code and run commands.

Digital transformation is dragging operational technology (OT) networks from behind the protective curtain of air-gaps into the connected world. And while IT and OT steam ahead towards convergence and industrial processes modernise, the security of many industrial control devices still lags from a time when it was impossible to reach internal OT networks without physical access.

Claroty’s Biannual ICS Risk & Vulnerability Report, published in August, exposed an evolving dynamic, uncovering alarming trends around vulnerabilities in ICS software, most notably that seven of 10 flaws disclosed during the first half of the year were remotely exploitable, according to the company.

Some providers are adapting quicker than others, however. Vendors such as Schneider Electric and Rockwell Automation, for example, have built extensive security teams and have developed vulnerability disclosure programs that facilitate important relationships between researchers and vendors, in addition to improving the integrity, safety and reliability of industrial devices.

In this case, Schneider Electric’s mitigations include a recommendation to set up network segmentation and implement a firewall to block unauthorised access to TCP port 502. Schneider also recommends that users disable unused protocols, especially the Programming protocol, within the Modicon M221 application.

Modicon M221 PLCs are used in multiple industries, and an advanced attacker with some knowledge of the authentication mechanism in place and the cryptographic implementations in place could exploit these flaws and put processes at risk.

Below is a summary of the four vulnerabilities:

CVE-2020-7565
Related CWE-326: Inadequate Encryption Strength — Read/Write encryption uses a 4-byte XOR key for data encryption, a weak implementation that can be broken using a known plaintext attack where data may be read in certain memory regions without authentication, or statistical analysis of repetitive sequences of XOR keys in traffic.
CVE-2020-7566
Related CWE-334: Small Space of Random Values — A weak key exchange method or read/write encryption where a too small of a Diffie-Hellman secret is used and the 4-byte XOR key can be uncovered.
CVE-2020-7567
Related CWE-311: Missing Encryption of Sensitive Data — Password hashes can be uncovered in upload-download communications between the PLC and the EcoStruxure Machine Expert Basic software. An attacker who is able to deduce the XOR key using another of these vulnerabilities may use that same key to find the password hash and use a Pass-the-Hash attack to authenticate themselves to the PLC.
CVE-2020-7568
Related CWE-200: Exposure of Sensitive Information to an Unauthorized Actor — Some sections or memory are readable without entering a password, even if read and write protections are activated.