
Schneider Electric PLCs at Risk of Deep Lateral Movement Attacks

17/02/2023
By Laura Libeer

Security researchers have found two vulnerabilities affecting Schneider Electric Modicon programmable logic controllers (PLCs). By chaining the vulnerabilities, attackers could achieve deep lateral movement in OT networks. This would in turn allow them to carry out highly granular and stealthy manipulations or to override functional and safety limitations.

CVE-2022-45788 and CVE-2022-45789

The two Schneider Electric vulnerabilities are an improper check for unusual or exceptional conditions (CVE-2022-45788) and an authentication bypass by capture-replay (CVE-2022-45789). They received CVSS scores of 7.5 and 8.1 respectively, making them both high severity. Even separately, these vulnerabilities carry serious risks. CVE-2022-45788 could cause arbitrary code execution, denial of service, and loss of confidentiality and integrity when a malicious project file is loaded onto the controller. CVE-2022-45789 could lead to the execution of unauthorized Modbus functions on the controller when an authenticated Modbus session is hijacked.

However, when chained together, they also allow an attacker to achieve deep lateral movement. As Forescout describes it: "Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations." Essentially, deep lateral movement allows attackers to use an uninteresting device as a starting point to gain access to more interesting targets.

Update Vulnerable Devices

Both CVE-2022-45788 and CVE-2022-45789 affect multiple devices. Schneider Electric has put out advisories for both vulnerabilities (CVE-2022-45788 and CVE-2022-45789). They list all affected devices, as well as the necessary steps to protect yourself against the vulnerabilities described above, and links to the necessary patches.

| Affected Products | Affected Versions | Vulnerable to |
| --- | --- | --- |
| EcoStruxure™ Control Expert | All Versions | CVE-2022-45788, CVE-2022-45789 |
| EcoStruxure™ Process Expert | Version V2020 & prior | CVE-2022-45788, CVE-2022-45789 |
| Modicon M340 CPU (part numbers BMXP34*) | All Versions | CVE-2022-45788, CVE-2022-45789 |
| Modicon M580 CPU (part numbers BMEP* and BMEH*) | All Versions | CVE-2022-45788, CVE-2022-45789 |
| Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58S) | All Versions | CVE-2022-45788, CVE-2022-45789 |
| Modicon Momentum Unity M1E Processor (171CBU*) | All Versions | CVE-2022-45788 |
| Modicon MC80 (BMKC80) | All Versions | CVE-2022-45788 |
| Legacy Modicon Quantum (140CPU65) and Premium CPUs (TSXP57) | All Versions | CVE-2022-45788 |

Discover Vulnerable Schneider Electric Modicon PLCs

Many of the affected devices are Modicon PLCs. Based on the information shared by Schneider Electric, our experts have created a specialized Lansweeper Cloud report using the new Lansweeper OT scanner to help you identify these PLCs in your environment. This way you have an actionable list of devices that may still need your intervention.
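
One way to apply the hardware rows of the table above to an asset export, as an added example that is not the Lansweeper report or Schneider Electric code. The CSV layout, host names and sample part numbers are constructed, and stems printed without a trailing `*` are treated as prefixes by assumption; the EcoStruxure software rows are not covered.

```python
import csv
import io

CVE_88, CVE_89 = "CVE-2022-45788", "CVE-2022-45789"
# Part-number stems taken from the affected-products table. Every stem is
# matched as a prefix (an assumption for entries printed without "*").
AFFECTED = [
    ("BMXP34", "Modicon M340 CPU", (CVE_88, CVE_89)),
    ("BMEP", "Modicon M580 CPU", (CVE_88, CVE_89)),  # safety CPUs share this stem
    ("BMEH", "Modicon M580 CPU", (CVE_88, CVE_89)),
    ("171CBU", "Modicon Momentum Unity M1E", (CVE_88,)),
    ("BMKC80", "Modicon MC80", (CVE_88,)),
    ("140CPU65", "Legacy Modicon Quantum", (CVE_88,)),
    ("TSXP57", "Legacy Modicon Premium", (CVE_88,)),
]

def normalise(part):
    # Inventories record part numbers inconsistently: fold case, drop separators.
    return "".join(ch for ch in part.upper() if ch.isalnum())

def classify(part):
    # Return (family, cves) for an affected part number, else (None, ()).
    p = normalise(part)
    for stem, family, cves in AFFECTED:
        if p.startswith(stem):
            return family, cves
    return None, ()

def triage(inventory_csv):
    # Group hosts by CVE; columns "host" and "part_number" are a hypothetical layout.
    by_cve = {CVE_88: [], CVE_89: []}
    unknown = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        family, cves = classify(row["part_number"])
        if family is None:
            unknown.append(row["host"])
        for cve in cves:
            by_cve[cve].append(row["host"])
    return by_cve, unknown

# Constructed sample inventory, not real data.
SAMPLE = """host,part_number
plc-line2,bme p58-4040
plc-safety,BMEH584040S
plc-legacy,140CPU65150
hmi-01,HMIGTO5310
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that land in the unmatched list still need a manual check against the vendor advisories, since an unrecognised part number is not proof that a device is unaffected.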