TID-401: Undocumented Protocol Features
Threat Description
Some devices support proprietary protocols, or add proprietary functionality to open protocols. Many of these custom functions or commands are not sufficiently documented. If users are not aware of these functions or commands, they cannot be expected to configure the device so that unwanted functionality is disabled. They are also limited in their ability to monitor the device for malicious use of these functions or commands against it or other devices.
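One practical mitigation for the monitoring gap described above is to parse the protocol traffic on the wire and alert on any function code that is not on a site-specific allowlist of documented, expected commands. The following Python is an added example for this page, not code from the catalog or from any vendor: it parses Modbus/TCP frames (MBAP header plus PDU), classifies the function code against the public codes and the user-defined ranges of the Modbus Application Protocol Specification, and flags anything the allowlist does not cover. The allowlist, the alert format and the sample frames are constructed assumptions; the frames carry no real device data.

```python
import struct
from dataclasses import dataclass

# Public function codes defined in the Modbus Application Protocol Specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
# Ranges the specification reserves for user-defined (vendor) functions.
USER_DEFINED_RANGES = ((65, 72), (100, 110))
# Site-specific allowlist (assumption): the commands an engineering workstation
# or HMI is expected to send. Everything else is worth an alert.
DEFAULT_ALLOWLIST = frozenset({1, 2, 3, 4, 5, 6, 15, 16})


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The MBAP length field counts unit id, function code and data.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, pid, length, uid, fc, frame[8:])


def classify_function_code(fc: int) -> str:
    """Place a function code in one of the specification's categories."""
    if fc & 0x80:
        return "exception-response"
    if fc in PUBLIC_FUNCTION_CODES:
        return "public"
    if any(lo <= fc <= hi for lo, hi in USER_DEFINED_RANGES):
        return "user-defined"
    # In the public range but not assigned by the specification: exactly the
    # kind of code an undocumented vendor extension tends to occupy.
    return "undefined"


def audit_frames(frames, allowed=DEFAULT_ALLOWLIST):
    """Return one alert dict per frame that is malformed or uses a non-allowlisted code."""
    alerts = []
    for raw in frames:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as err:
            alerts.append({"kind": "malformed", "detail": str(err)})
            continue
        kind = classify_function_code(f.function_code)
        if kind == "exception-response" or f.function_code in allowed:
            continue
        alerts.append({
            "kind": kind,
            "detail": f"unit {f.unit_id} tid {f.transaction_id}: "
                      f"function code {f.function_code} ({kind}) not on allowlist",
        })
    return alerts


# Constructed sample frames (not captured from any device):
SAMPLE_FRAMES = [
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",  # fc 3, read 10 holding registers
    b"\x00\x03\x00\x00\x00\x06\x01\x08\x00\x00\x00\x00",  # fc 8, diagnostics (public, not allowlisted)
    b"\x00\x02\x00\x00\x00\x04\x01\x5a\x00\x01",          # fc 90, unassigned in the public range
    b"\x00\x04\x00\x00\x00\x02\x01\x41",                  # fc 65, user-defined range
    b"\x00\x05\x00\x00",                                  # truncated frame
]

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_FRAMES):
        print(f"[{alert['kind']}] {alert['detail']}")
```

The allowlist is deliberately narrower than the set of public codes: a diagnostics or vendor-extension command may be legitimate on one network and anomalous on another, so the operator decides what is expected and the parser only reports deviations. Malformed frames are reported as well, since a length field that disagrees with the frame is a common symptom of a non-standard or abused implementation.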
Threat Maturity and Evidence
Proof of Concept
The Vulnerability Can Lead to Native Remote-Code-Execution on Vulnerable PLCs
“Armis researchers discovered a new vulnerability (CVE-2021-22779) in Schneider Electric (SE) Modicon PLCs that bypasses security mechanisms added to these PLCs to prevent abuse of undocumented Modbus commands. These undocumented commands can allow full control over the PLC — overwriting critical memory regions, leaking sensitive memory content, or invoking internal functions.”
CWE
CWE-1371: ICS Supply Chain: Poorly Documented or Undocumented Features
“Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities.”
CWE-912: Hidden Functionality (Class)
“The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product’s users or administrators.”
CWE-1059: Insufficient Technical Documentation
“The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.”
CVE
Sixnet Universal Protocol Undocumented Function Codes - CVE-2013-2802
Sixnet devices use a universal protocol with 6 undocumented opcodes that can perform remote management functions (e.g., code execution) without authentication.
Schneider Electric Modicon Controllers and Software - CVE-2021-22779
“An authentication bypass by spoofing vulnerability exists that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.”