An exploitable reliance on untrusted inputs vulnerability exists in the strategy transfer function of the Schneider Electric Unity Pro L Programming Software. When a specially crafted strategy is programmed to a Modicon M580 Programmable Automation Controller, and UnityProL is used to read that strategy, a configuration different from that on the device is displayed to the user. This results in the inability for users of Unity Pro L to verify that the device is acting as intended. An attacker can send unauthenticated commands to trigger this vulnerability.
Unity Pro L V13.0 - 170914B Schneider Electric Modicon M580 BMEP582040 SV2.70
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-807: Reliance on Untrusted Inputs in a Security Decision
The Modicon M580 is the latest in Schneider Electric’s Modicon line of programmable automation controllers. The device contains a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus and a management protocol referred to as “UMAS.”
Unity Pro can be used to communicate with a Modicon M580, allowing a user to conduct actions such as reading the device’s existing strategy or programming a new strategy. During normal operation, any changes made to a strategy built in Unity Pro and programmed to the device will be reflected in the interface if that strategy is later read from the device.
If a strategy is read from the device, modified, and reprogrammed on the device without modifying the project checksum, the changes will not be reflected in Unity Pro. This can leave users of Unity Pro unable to trust that the state reported by Unity Pro is accurate.
2018-12-10 - Initial contact
2018-12-17 - Vendor acknowledged
2019-01-01 - 30 day follow up
2019-05-14 - Vendor Patched
2019-06-10 - Public Release
Discovered by Jared Rittle of Cisco Talos.