AttackerKBAKB:2F452E56-2CC5-47F9-89C9-92D29AE705E4CVE-2021-22779
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions – part numbers BMEP* and BMEH_), Modicon M340 CPU (all versions – part numbers BMXP34_), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.
Recent assessments:
gwillcox-r7 at July 14, 2021 4:22pm UTC reported:
Interesting bug in Modicon M340, M580 and other models from the Modicon series, and has been named by Armis as ModiPwn. Bug does require local access to the target’s network so you do have to be on the same network as an affected device, however once you do manage to do this, you can leak hashes from the devices memory via undocumented commands (got to love extra hidden features, they are a real treasure trove of bugs). Once this hash has been leaked the attacker can then take over the encrypted connection between one of the Modicon devices and its managing workstation and reconfigure the Modicon device with a passwordless configuration, then allowing the attack to abuse additional undocumented commands to gain RCE and gain full control over the device.
Whilst there are no reports of in the wild exploitation, the fact that this doesn’t yet have a patch is concerning to say the least given that these types of vulnerabilities have been used in the past such as in the Triton malware, its safe to assume that exploits for this vulnerability may start circulating in the wild soon if they haven’t already been developed. It is highly recommended to prevent access to these devices until a patch is released, and once one is released, to patch as soon as possible.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N