Jared Rittle of Cisco Talos discovered these vulnerabilities.
Executive summary
There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in UMAS requests made while operating the hardware.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
Schneider Electric Modicon M580 UMAS release reservation denial-of-service vulnerability (TALOS-2018-0735/CVE-2018-7846)
An exploitable denial-of-service vulnerability exists in the UMAS Release PLC Reservation function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to invalidate a session without verifying the authenticity of the sender, resulting in the disconnection of legitimate devices. An attacker can send unauthenticated commands to trigger this vulnerability.
Exploitation of this vulnerability leverages a technique similar to that used by Eran Goldstein on other Modicon controllers in 2017, which can be found here.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS strategy transfer denial-of-service vulnerability (TALOS-2018-0737/CVE-2018-7849)
An exploitable denial-of-service vulnerability exists in the UMAS strategy transfer functionality of the Schneider Electric Modicon M580 programmable automation controller firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a recoverable fault state, resulting in a stoppage of normal device execution. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS memory block read denial-of-service vulnerability (TALOS-2018-0738/CVE-2018-7843)
An exploitable denial-of-service vulnerability exists in the UMAS memory block read function of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS read memory block information disclosure vulnerability (TALOS-2018-0739/CVE-2018-7844)
An exploitable information disclosure vulnerability exists in the UMAS read memory block function of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to return blocks of memory, resulting in the disclosure of plaintext read, write and trap SNMP community strings. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS strategy read information disclosure vulnerability (TALOS-2018-0740/CVE-2018-7848)
An exploitable information disclosure vulnerability exists in the UMAS strategy read functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. A specially crafted UMAS command can cause the device to return blocks of the programed strategy, resulting in the disclosure of plaintext read, write, and trap SNMP community strings. An attacker can send unauthenticated commands to trigger this vulnerability.
Exploitation of this vulnerability leverages a technique similar to that used by Reid Wightman on the Modicon Quantum line of controllers in 2012, which can be found here.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS improper authentication vulnerability (TALOS-2018-0741/CVE-2018-7842)
An exploitable improper authentication vulnerability exists in the UMAS PLC reservation function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can allow an attacker to masquerade as an authenticated user, resulting in the ability to bypass password protections in place on the device. An attacker can send unauthenticated commands to trigger this vulnerability.
Exploitation of this vulnerability leverages a technique similar to that used by Eran Goldstein on other Modicon controllers in 2017, which can be found here.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS strategy file write vulnerability (TALOS-2018-0742/CVE-2018-7847)
An exploitable unauthenticated file write vulnerability exists in the UMAS strategy programming function of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted sequence of UMAS commands can cause the device to overwrite its programmed strategy, resulting in a wide range of effects, including configuration modifications, disruption of the running process and potential code execution. An attacker can send unauthenticated commands to trigger this vulnerability.
Exploitation of this vulnerability leverages a technique similar to that used by Reid Wightman on the Modicon Quantum line of controllers in 2012, which can be found here.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UnityPro reliance on untrusted inputs vulnerability (TALOS-2018-0743/CVE-2018-7850)
An exploitable reliance on untrusted inputs vulnerability exists in the strategy transfer function of the Schneider Electric UnityProL Programming Software. When a specially crafted strategy is programmed to a Modicon M580 Programmable Automation Controller, and UnityProL is used to read that strategy, a configuration different from that on the device is displayed to the user. This results in the inability for users of UnityProL to verify that the device is acting as intended. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS read memory block out-of-bounds information disclosure vulnerability (TALOS-2018-0745/CVE-2018-7845)
An exploitable information disclosure vulnerability exists in the UMAS memory block read functionality of the Schneider Electric Modicon M580 Programmable Automation Controller. A specially crafted UMAS request can cause an out-of-bounds read, resulting in the disclosure of sensitive information. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS function code 0x6d multiple denial-of-service vulnerabilities (TALOS-2019-0763/CVE-2018-7852)
Multiple denial-of-service vulnerabilities exist in the UMAS protocol functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. Specially crafted UMAS commands can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger these vulnerabilities.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS function code 0x28 denial-of-service vulnerability (TALOS-2019-0764/CVE-2018-7853)
An exploitable denial-of-service vulnerability exists in the UMAS function code 0x28 functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS function code 0x65 denial-of-service vulnerability (TALOS-2019-0765/CVE-2018-7854)
An exploitable denial-of-service vulnerability exists in the UMAS function code 0x65 functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS set breakpoint denial-of-service vulnerability (TALOS-2019-0766/CVE-2018-7855)
An exploitable denial-of-service vulnerability exists in the UMAS set breakpoint functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS memory block write denial-of-service vulnerability (TALOS-2019-0767/CVE-2018-7856)
An exploitable denial-of-service vulnerability exists in the UMAS memory block write functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS write system coils and holding registers denial-of-service vulnerability (TALOS-2019-0768/CVE-2018-7857)
An exploitable denial-of-service vulnerability exists in the UMAS write system coils and holding registers functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS read system blocks and bits information disclosure vulnerability (TALOS-2019-0769/CVE-2019-6806)
An exploitable information disclosure vulnerability exists in the UMAS Read System Blocks and Bits functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to return blocks of memory, resulting in the disclosure of plaintext read, write, and trap SNMP community strings. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS write system bits and blocks denial-of-service vulnerability (TALOS-2019-0770/CVE-2019-6807)
An exploitable denial-of-service vulnerability exists in the UMAS write system bits and blocks functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted set of UMAS commands can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric UnityPro PLC simulator remote code execution vulnerability (TALOS-2019-0771/CVE-2019-6808)
An exploitable remote code execution vulnerability exists in the UMAS strategy programming functionality of the Schneider Electric Unity Pro L Programming Software PLC Simulator. A specially crafted sequence of UMAS commands sent to the software's PLC simulator can cause a modified strategy to be programmed, resulting in code execution when the simulator is switched into the start mode. An attacker can send unauthenticated commands to trigger this vulnerability.
Exploitation of this vulnerability leverages a technique similar to that used by Mille Gandelsman and Avihay Kain on Unity Pro in 2016, which can be found here and here.
For more information on this vulnerability, read the complete advisory here.
Versions tested
Talos tested and confirmed that that the Schneider Electric Modicon M580, BMEP582040 SV2.70 is affected by these vulnerabilities.
Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 48521 - 48528