CVE-2018-7847
An exploitable unauthenticated file write vulnerability exists in the UMAS strategy programming functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. A specially crafted sequence of UMAS commands can cause the device to overwrite its programmed strategy, resulting in a wide range of effects including configuration modifications, disruption of the running process, and potential code execution. An attacker can send unauthenticated commands to trigger this vulnerability.
Schneider Electric Modicon M580 BMEP582040 SV2.70
https://www.schneider-electric.com/en/work/campaign/m580-epac/
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-284: Improper Access Control
The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.
When programming a new strategy to a Modicon M580, six UMAS commands must be used in a specific order. First, a valid session and additional privilege must be obtained via a TAKE_PLC_RESERVATION request; this request gives the session the ability to send privileged commands successfully. With a valid reservation obtained, an INITIALIZE_UPLOAD command must be sent, indicating that a new program will follow.
After the upload has been initialized, the first block of data must be sent to the device using an UPLOAD_BLOCK command. Failure to do so will prevent the device from accepting the upload.
Next, a command with the function code 0x6D must be sent. When this command is successfully received, the new strategy must be sent to the device in chunks of size 0x3F4 using the UPLOAD_BLOCK command. When sending the strategy it is important to resend the first block; failure to do so will prevent the device from accepting the upload.
Once the strategy has been successfully sent, an END_STRATEGY_UPLOAD request must be sent to indicate that the last block has been sent. Finally, a RELEASE_PLC_RESERVATION command must be sent to give back the device reservation and restore the normal operating state.
The structure of a TAKE_PLC_RESERVATION command takes a form similar to the following:
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 0 | A | B | C | D | E |   F   | G |               H               |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 1 |                               H                               |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
A --> Modbus Function Code (0x5A)
B --> Session
C --> UMAS Function Code (0x10)
D --> Unknown (0x3B)
E --> Unknown (0x0E)
F --> Unknown (0x0000)
G --> Client Name Length (size of Client Name)
H --> Client Name (variable size)
The structure of the 0x6D command takes a form similar to the following:
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 0 | A | B | C |
   +---+---+---+
A --> Modbus Function Code (0x5A)
B --> Session
C --> UMAS Function Code (0x6D)
The structure of an INITIALIZE_UPLOAD command takes a form similar to the following:
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 0 | A | B | C |   D   |
   +---+---+---+---+---+
A --> Modbus Function Code (0x5A)
B --> Session
C --> UMAS Function Code (0x30)
D --> Unknown (0x0001)
The structure of an UPLOAD_BLOCK command takes a form similar to the following:
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 0 | A | B | C |   D   |   E   |   F   |             G             |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 1 |                               G                               |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
A --> Modbus Function Code (0x5A)
B --> Session
C --> UMAS Function Code (0x31)
D --> Unknown (0x0001)
E --> Block Number
F --> Block Size (0x03F4)
G --> Data
The structure of an END_STRATEGY_UPLOAD command takes a form similar to the following:
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 0 | A | B | C |   D   |   E   |
   +---+---+---+---+---+---+---+
A --> Modbus Function Code (0x5A)
B --> Session
C --> UMAS Function Code (0x32)
D --> Unknown (0x0001)
E --> Blocks Sent
The structure of a RELEASE_PLC_RESERVATION command takes a form similar to the following:
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 0 | A | B | C |
   +---+---+---+
A --> Modbus Function Code (0x5A)
B --> Session
C --> UMAS Function Code (0x11)
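The command sequence and frame layouts above are enough to build a passive monitor that flags a strategy write on a Modicon M580 as it happens. The following is an added example, not code from the advisory or from Schneider Electric; it decodes the Modbus PDUs (function code 0x5A) of constructed sample traffic and alerts per session once a reservation is followed by INITIALIZE_UPLOAD and again at END_STRATEGY_UPLOAD. The advisory lists field values but not byte order, so little-endian multi-byte fields and a 2-byte block number are assumptions, as is the client name "engineering-ws" and the sample frames.

```python
import struct

def parse_umas(pdu):
    """Decode a Modbus PDU as a UMAS request (session, function code, key fields), or None.
    Assumptions: multi-byte fields are little-endian and the block number is 2 bytes."""
    if len(pdu) < 3 or pdu[0] != 0x5A:            # 0x5A: Modbus function code carrying UMAS
        return None
    msg = {"session": pdu[1], "code": pdu[2]}
    if pdu[2] == 0x10 and len(pdu) >= 8:           # TAKE_PLC_RESERVATION: ... | name len | name
        msg["client"] = pdu[8:8 + pdu[7]].decode("ascii", "replace")
    elif pdu[2] == 0x31 and len(pdu) >= 9:         # UPLOAD_BLOCK: 0x0001 | block # | size | data
        msg["block"], msg["size"] = struct.unpack("<HH", pdu[5:9])
    elif pdu[2] == 0x32 and len(pdu) >= 7:         # END_STRATEGY_UPLOAD: 0x0001 | blocks sent
        msg["blocks_sent"] = struct.unpack("<H", pdu[5:7])[0]
    return msg

def detect_strategy_upload(pdus):
    """Track each session through reservation (0x10) -> INITIALIZE_UPLOAD (0x30) -> END (0x32);
    alert once when a strategy write starts and again when it has landed on the device."""
    alerts, state = [], {}                         # session -> (stage, client, block numbers)
    for pdu in pdus:
        m = parse_umas(pdu)
        if m is None:
            continue
        s = m["session"]
        stage, client, blocks = state.get(s, (0, "?", set()))
        if m["code"] == 0x10:
            stage, client = 1, m.get("client", "?")
        elif m["code"] == 0x30 and stage == 1:
            stage = 2
            alerts.append(f"session {s}: strategy upload started by '{client}'")
        elif m["code"] == 0x31 and stage == 2:
            blocks.add(m["block"])
        elif m["code"] == 0x32 and stage == 2:
            stage = 3
            alerts.append(f"session {s}: strategy overwritten ({m['blocks_sent']} blocks "
                          f"declared, {len(blocks)} distinct seen)")
        state[s] = (stage, client, blocks)
    return alerts

# Constructed sample traffic: one ordinary Modbus read, then the command sequence from the text.
NAME = b"engineering-ws"
BLOCK0 = b"\x5a\x01\x31\x01\x00\x00\x00\xf4\x03" + b"\x00" * 0x3F4   # block 0, 0x3F4 data bytes
SAMPLE = [
    b"\x03\x00\x00\x00\x0a",                                          # Modbus read, not UMAS
    bytes([0x5A, 0x01, 0x10, 0x3B, 0x0E, 0, 0, len(NAME)]) + NAME,    # TAKE_PLC_RESERVATION
    b"\x5a\x01\x30\x01\x00",                                          # INITIALIZE_UPLOAD
    BLOCK0, b"\x5a\x01\x6d", BLOCK0,                                  # first block, 0x6D, resend
    b"\x5a\x01\x31\x01\x00\x01\x00\xf4\x03" + b"\x00" * 0x3F4,        # UPLOAD_BLOCK 1
    b"\x5a\x01\x32\x01\x00\x02\x00",                                  # END_STRATEGY_UPLOAD
    b"\x5a\x01\x11",                                                  # RELEASE_PLC_RESERVATION
]
```

Running `detect_strategy_upload(SAMPLE)` yields two alerts for session 1; an INITIALIZE_UPLOAD seen without a preceding reservation is ignored, since the device would not accept it.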
If a valid strategy is uploaded during this process, the device will overwrite its existing strategy with the new one and begin executing accordingly. The ability to program a new strategy has a wide range of possible effects. Various scenarios are discussed below in an attempt to demonstrate the potential impact.
Scenario 1: Unlock Security
UnityPro gives engineers programming the Modicon M580 the ability to enable or disable the numerous remote system services supported by the device. Additionally, an access control list can be configured to further restrict access to those services that are enabled. To assist in globally controlling these settings, UnityPro provides the ability to ‘Enforce Security’ and ‘Unlock Security.’ When ‘Enforce Security’ is selected, all services are disabled and the access control list is enabled. Conversely, when ‘Unlock Security’ is selected, all services are enabled and the access control list is disabled.
By modifying the ST_SECURITY and ST_ACL parameters within the device’s APX file, it is possible to change this state to any desired configuration. Using this method it is possible to replicate the effects of selecting the ‘Unlock Security’ option in UnityPro. When these changes are integrated into a strategy read from a security-enforced device and the necessary CRC recalculations are made, it is possible to use the technique described above to re-program the device and expose previously disabled services.
Scenario 2: Fault the device via Ladder Logic Modifications
UnityPro gives engineers programming the Modicon M580 the ability to create a wide range of logic programs. When a logic program is built, each instruction is compiled into ARM byte code and appended to a specific block in the device strategy. When using UnityPro there is no way to directly modify the compiled instructions; they can only be controlled through the designated logic instructions.
By modifying the block in the device’s strategy that contains these compiled instructions, it is possible to trigger a non-recoverable device fault by introducing an invalid instruction. In the non-recoverable fault state the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.
2018-12-10 - Initial contact
2018-12-17 - Vendor acknowledged
2019-01-01 - 30 day follow up
2019-05-14 - Vendor Patched
2019-06-10 - Public Release
Discovered by Jared Rittle of Cisco Talos.