The vulnerability could allow attackers to insert malicious code and easily avoid detection.
Several programmable logic controllers (PLCs) from Schneider Electric’s Modicon series that automate industrial processes in factories, energy utilities, HVAC systems and other installations are impacted by a flaw that could allow hackers to bypass their authentication mechanism and execute malicious code. According to researchers from security firm Armis, who found and reported the vulnerability, attackers with network access to impacted controllers could exploit the issue to install malware that alters the operation of the controllers and hides those malicious changes from the workstations and operators managing them.
Attacks against industrial controllers have been observed in the wild in the past with Stuxnet, the cyber-sabotage worm that infected Siemens PLCs used to control uranium enrichment centrifuges at Iran’s Natanz nuclear plant, and with Triton, the malware that targeted Triconex safety controllers at a petrochemical plant in Saudi Arabia.
Authentication bypass re-enables past flaws

The issue is caused by an undocumented command in the protocol used by engineering workstations to communicate with the PLCs and upload programs to them to be executed. This protocol, known as UMAS, is an extension to the Modbus protocol originally designed in 1979 and widely used to control PLCs over serial or TCP/IP connections. UMAS implements functionalities that were missing from Modbus, including firmware updates, binary transfers and authentication.
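Because UMAS is carried inside ordinary Modbus/TCP traffic, one practical defensive step is to spot UMAS sessions that originate from hosts other than the sanctioned engineering workstations. The following Python is an added detection example written for this article; it is not code from Armis, Schneider Electric or the original page. It assumes, from public Modbus/UMAS documentation rather than from this article, that UMAS requests use Modbus function code 0x5A (decimal 90); the sample frames and IP addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption (not stated on the page): Schneider's UMAS protocol is encapsulated
# in Modbus/TCP using function code 90 (0x5A).
UMAS_FUNCTION_CODE = 0x5A


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(data: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP message (7-byte MBAP header + PDU).

    Returns None for anything that is not a well-formed Modbus/TCP frame so that
    truncated or non-Modbus traffic on port 502 is not misclassified.
    """
    if len(data) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
    if pid != 0:  # Modbus/TCP protocol identifier is always 0
        return None
    # MBAP length covers the unit id plus the PDU; the PDU needs at least a function code
    if length < 2 or len(data) != 6 + length:
        return None
    return ModbusFrame(tid, pid, length, uid, data[7], data[8:])


def classify(src_ip: str, data: bytes, engineering_hosts: Set[str]) -> str:
    """Label a frame: malformed, plain Modbus, expected UMAS, or UMAS from an unsanctioned host."""
    frame = parse_modbus_tcp(data)
    if frame is None:
        return "malformed"
    if frame.function_code != UMAS_FUNCTION_CODE:
        return "modbus"
    return "umas-expected" if src_ip in engineering_hosts else "umas-unexpected"


def audit(records: List[Tuple[str, bytes]], engineering_hosts: Set[str]) -> List[str]:
    """Return alert strings for UMAS traffic that did not come from an engineering workstation."""
    alerts = []
    for src_ip, data in records:
        if classify(src_ip, data, engineering_hosts) == "umas-unexpected":
            frame = parse_modbus_tcp(data)
            alerts.append(f"UMAS request from {src_ip} to unit {frame.unit_id} (tid {frame.transaction_id})")
    return alerts


# Constructed sample frames (not captured traffic):
# a standard "read holding registers" request, function code 3, start 0, quantity 10
READ_HOLDING_REGISTERS = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
# a UMAS request: function code 0x5A followed by a three-byte illustrative payload
UMAS_REQUEST = bytes.fromhex("0002 0000 0005 01 5a 000102".replace(" ", ""))

ENGINEERING_WORKSTATIONS = {"10.0.0.5"}  # constructed allowlist

SAMPLE_RECORDS = [
    ("10.0.0.5", READ_HOLDING_REGISTERS),
    ("10.0.0.5", UMAS_REQUEST),
    ("10.0.0.99", UMAS_REQUEST),  # same request, but from a host that should never program a PLC
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_RECORDS, ENGINEERING_WORKSTATIONS):
        print(alert)
```

The allowlist approach is deliberately coarse: it does not try to interpret UMAS sub-commands, it only asks whether a programming-capable session is coming from a host that has any business opening one. On a flat control network that single question already surfaces the precondition the researchers describe, an attacker with network access to the controller.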