Schneider Modicon PLCs Vulnerable to Lateral Movement
February 13, 2023
Researchers from security firm Forescout have discovered two vulnerabilities in Schneider Modicon PLCs that could enable attackers to move laterally through point-to-point and other non-routable connections to other low-level devices. The two vulnerabilities, tracked as CVE-2022-45788 and CVE-2022-45789, are rated 7.5 and 8.1 on the CVSS scale, respectively.
The first vulnerability allows attackers to hijack an already authenticated Modbus session and execute unauthorized Modbus functions on the controller. The second vulnerability allows for remote code execution on the PLC and involves the use of an undocumented Modbus UMAS command. According to Forescout researchers, "It should be noted that while Schneider Electric describes CVE-2022-45788 as relating to downloading malicious project files, this vulnerability actually operates on a completely different – undocumented – set of functionality that allows for modifying internal PLC memory without affecting the PLC run state or requiring a project download."
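As an added example (not Forescout's or Schneider's code), the following Python parses Modbus/TCP frames and flags those whose function code lies outside the public Modbus specification, the category an undocumented vendor command such as the UMAS command described above falls into. The sample frames are constructed; function code 90 in the second frame is an assumed non-public value used only to illustrate the check.

```python
import struct

# Function codes defined in the public Modbus Application Protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}

def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into MBAP header fields and PDU; None if malformed."""
    if len(frame) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # The MBAP length field counts the unit id plus the whole PDU.
    if protocol_id != 0 or length != len(frame) - 6:
        return None
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }

def classify(frame: bytes) -> str:
    """Label a frame by how its function code relates to the public spec."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "malformed"
    fc = parsed["function_code"]
    if fc & 0x80:
        return "exception-response"   # error bit set on a response PDU
    if fc in PUBLIC_FUNCTION_CODES:
        return "public"
    if 65 <= fc <= 72 or 100 <= fc <= 110:
        return "user-defined"         # ranges the spec reserves for user-defined codes
    return "non-public"               # undocumented or vendor-specific; worth an alert

def flag_non_public(frames):
    """Return (index, function_code) for every frame a monitor should raise on."""
    hits = []
    for i, frame in enumerate(frames):
        if classify(frame) == "non-public":
            hits.append((i, parse_modbus_tcp(frame)["function_code"]))
    return hits

# Constructed sample traffic (not captured from a real device):
SAMPLE_FRAMES = [
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",  # FC 3: read 10 holding registers
    b"\x00\x02\x00\x00\x00\x04\x01\x5a\x00\x01",          # FC 90: assumed non-public code
]
```

Run over captured Modbus/TCP payloads, `flag_non_public` gives a simple baseline for spotting commands that a standards-only Modbus monitor would otherwise pass through unlabelled.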
Modicon PLCs are among the most popular in the world and are used in industries including water, power generation, mining, transportation, and manufacturing. A quick search for the affected models on Shodan has shown exposed Modicon PLCs in everything from airports, mining, and solar and hydro power generation to chemical manufacturing. Forescout researchers warn that these controllers should be treated as perimeter devices, and that flaws in their firmware could enable deep lateral movement through the point-to-point and other non-routable connections they maintain to other low-level devices. As Forescout researcher Oded Vanunu said, "Oftentimes people have this assumption that once an attacker reaches a PLC, then that's it and then whatever the PLC kind of allows them to do as an attack surface, that's what they can do. What we are showing is that that assumption is not always correct."