A number of security researchers working in collaboration have disclosed CVE-2021-22778 through CVE-2021-22782, a chain of vulnerabilities that allows authentication bypass and remote code execution (RCE) on Schneider Electric’s widespread line of Modicon Programmable Logic Controllers (PLCs). These controllers are widely deployed as embedded devices in industries such as energy utilities, building services, and HVAC systems, among others, as part of operational technology (OT), in addition to a number of other potentially sensitive applications. The main exploit, CVE-2021-22779, so-called “ModiPwn,” was found by Armis researchers (blog linked below) and allows chaining with other exploits, including previously patched vulnerabilities, with the end result being full control over the targeted PLC while simultaneously hiding the intrusion from monitoring workstations. Schneider Electric has released a security advisory and mitigations for CVE-2021-22778 and CVE-2021-22780 through CVE-2021-22782, but has not yet released a fix for CVE-2021-22779. The security advisory recommends standard best practices, such as maintaining perimeter security and network segmentation, until a fix is released.
The situation highlights a security design flaw that is widespread across the manufacture of embedded devices such as PLCs. There is an assumption that OT is separated from, and indeed completely air-gapped or isolated from, Internet-facing routes, or alternatively that it is protected by 100% effective network perimeter security. In practice, modern requirements for remote monitoring, oversight, communications, operation, and updating often require that access routes to OT exist. In general, in today’s threat environment of highly developed, specialized, and commoditized malware and technique toolkits, we can assume that attackers will breach perimeter security and move directly to accessing sensitive operations; this assumption is borne out by other breaches reported in the media. A modern defense-in-depth program that includes MDR and active threat hunting by specialists, such as that provided by Binary Defense, is essential for developing a security posture that properly controls an organization’s risk exposure to PLC and other embedded device vulnerabilities.