Attacker Value
Very High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2021-22779

Disclosure Date: July 14, 2021
CVE-2021-22779 CVSS v3 Base Score: 9.1
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions – part numbers BMEP* and BMEH), Modicon M340 CPU (all versions – part numbers BMXP34), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Common in enterpriseEasy to weaponizeUnauthenticatedVulnerable in default configurationRequires physical access
Technical Analysis

Interesting bug in Modicon M340, M580 and other models from the Modicon series, and has been named by Armis as ModiPwn. Bug does require local access to the target’s network so you do have to be on the same network as an affected device, however once you do manage to do this, you can leak hashes from the devices memory via undocumented commands (got to love extra hidden features, they are a real treasure trove of bugs). Once this hash has been leaked the attacker can then take over the encrypted connection between one of the Modicon devices and its managing workstation and reconfigure the Modicon device with a passwordless configuration, then allowing the attack to abuse additional undocumented commands to gain RCE and gain full control over the device.

Whilst there are no reports of in the wild exploitation, the fact that this doesn’t yet have a patch is concerning to say the least given that these types of vulnerabilities have been used in the past such as in the Triton malware, its safe to assume that exploits for this vulnerability may start circulating in the wild soon if they haven’t already been developed. It is highly recommended to prevent access to these devices until a patch is released, and once one is released, to patch as soon as possible.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.1 Critical
Impact Score:
5.2
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • schneider-electric

Products

  • ecostruxure control expert,
  • ecostruxure control expert 15.0,
  • ecostruxure process expert,
  • modicon m340 bmxp341000 firmware,
  • modicon m340 bmxp342010 firmware,
  • modicon m340 bmxp342020 firmware,
  • modicon m340 bmxp342030 firmware,
  • modicon m580 bmeh582040 firmware,
  • modicon m580 bmeh582040c firmware,
  • modicon m580 bmeh582040s firmware,
  • modicon m580 bmeh584040 firmware,
  • modicon m580 bmeh584040c firmware,
  • modicon m580 bmeh584040s firmware,
  • modicon m580 bmeh586040 firmware,
  • modicon m580 bmeh586040c firmware,
  • modicon m580 bmeh586040s firmware,
  • modicon m580 bmep581020 firmware,
  • modicon m580 bmep581020h firmware,
  • modicon m580 bmep582020 firmware,
  • modicon m580 bmep582020h firmware,
  • modicon m580 bmep582040 firmware,
  • modicon m580 bmep582040h firmware,
  • modicon m580 bmep582040s firmware,
  • modicon m580 bmep583020 firmware,
  • modicon m580 bmep583040 firmware,
  • modicon m580 bmep584020 firmware,
  • modicon m580 bmep584040 firmware,
  • modicon m580 bmep584040s firmware,
  • modicon m580 bmep585040 firmware,
  • modicon m580 bmep585040c firmware,
  • modicon m580 bmep586040 firmware,
  • modicon m580 bmep586040c firmware,
  • remoteconnect

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis