Forescout reveals exploitable vulnerabilities in Modicon PLCs

In a proof of concept developed for its research into deep lateral movement in OT networks, Forescout’s research arm, Vedere Labs, used two new vulnerabilities that are being publicly disclosed for the first time: CVE-2022-45788 and CVE-2022-45789. They allow for remote code execution (RCE) and authentication bypass, respectively, on Schneider Electric Modicon PLCs — one of the most popular families of PLCs in the world, used in several critical infrastructure sectors.

These issues were found as part of Vedere Labs’ OT:ICEFALL research in 2022 but were not disclosed then at the request of the vendor. More details about the issues are available on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06.

The Schneider Electric Modicon family of PLCs is one of the most popular in the world and were the first PLCs on the market when introduced in 1968. The popularity of these devices has led to their targeting by threat actors.

The newly uncovered issues, summarised below, only affect the Modicon PLC Unity line. CVE-2022-45788 is an example of RCE via an undocumented memory write operation, while CVE-2022-45788 exemplifies a broken authentication scheme. As the technical report explains, when combined, these vulnerabilities can lead to RCE on Modicon Unity PLCs.

The vulnerabilities

• CVE-2022-45788: A vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality and integrity when undocumented Modbus UMAS CSA commands (service code 0x50) are executed. Affected products include: EcoStruxure Control Experte (all versions), EcoStruxure Process Expert (v2020 and prior), Modicon Unity PLCs (all versions).
• CVE-2022-45789: A vulnerability exists that could cause execution of unauthorised Modbus functions on the controller when hijacking an authenticated Modbus session.
   

Affected products include EcoStruxure Control Expert (all versions), EcoStruxure Process Expert (v2020 and prior) and Modicon Unity PLCs (all versions).

Note that while Schneider Electric describes CVE-2022-45788 as relating to downloading malicious project files, this vulnerability actually operates on a completely different — undocumented — set of functionality that allows for modifying internal PLC memory without affecting the PLC run state or requiring a project download.

As noted, Modicon PLCs are extremely popular and widely used around the world. Estimating the number of affected devices based on public data is difficult because these devices are not supposed to be accessible via the internet. However, the researchers say they are still able to see close to a thousand PLCs exposed online via Shodan, predominantly in the power industry (44%), followed by manufacturing (19%) and agriculture (15%). Multiple instances of public subnets were found, likely used by system integrators or contractors, exposing Modicon PLCs for different power generation projects.

For full details on the estimated number of affected devices by country and industry — including close to 30 devices mapped to critical infrastructure operators — read the new technical report.

For mitigation of CVE-2022-45788 and CVE-2022-45789, follow the steps on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06.

Deep lateral movement

Forescout’s Vedere Labs latest research report is the first systematic study into deep lateral movement: how advanced adversaries can move laterally among devices at the controller level — also known as Purdue level 1 or L1 — of OT networks.

Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations.

This research demonstrates that there is a lot of ‘network crawl space’; that is, space that is not on asset owners’ radars, such as links that run between security zones at deep system levels that might not receive the attention they deserve. To close these gaps, an L1 device that sits between segments still needs a corresponding perimeter security profile.

Mitigation recommendations

The all-too-common habit of treating certain links — such as serial, point-to-point, radio frequency and couplers — as if they’re immune to many of the same issues that are seen on regular Ethernet LAN networks is something that needs to be critically re-evaluated, the researchers said.

The impact of a compromised device is not limited to the explicit capabilities of a link or its first-order connectivity. Just because it only exposes a few Modbus registers or is hooked up to an uninteresting device does not mean that an attacker cannot turn that link into something else and use that uninteresting device as a staging point for moving towards more interesting targets.

With the access attackers achieve through deep lateral movement, things that magnify the impact of an attack become possible.

Mitigating the risks of deep lateral movement requires a careful blend of network monitoring to detect adversaries as early as possible, visibility into often overlooked security perimeters at the lower Purdue levels and hardening the most interconnected and exposed devices.

Forescout recommends the following mitigation strategies for hardening L1 devices and networks:

• Disable unused services on devices. For instance, if UMAS over Ethernet is not required on a PLC, disable it — even if the PLC is nested, as Vedere Labs showed in this report how attackers can leverage vulnerabilities on nested devices.
• Use DPI firewalls and IP-based access control lists to restrict sensitive flows between engineering workstations and PLCs. In cases where only subsets of protocols are required, use deep packet inspection (DPI) to restrict this further.
• From a forensics perspective, ingest level 1 event logs which contain indicators of malicious activity of this kind.
• Enforce segmentation through OT-DPI firewalls or conformance-checking gateways including for point-to-point links.
• Depending on the risk, certain point-to-point links that cross highly sensitive segments might warrant dedicated drop-in DPI firewalls for Ethernet. For serial links with similar profiles, it might be necessary to consider inline taps that collect data out of band.
   

Image: ©iStockPhoto.com/Vertigo3d