OTPulse

Schneider Electric Serial Modbus Driver Buffer Overflow (Update A)

Act Now · ICS-CERT ICSA-14-086-01A · Dec 28, 2014
Summary

Schneider Electric Modbus Serial Driver contains a buffer overflow vulnerability (CWE-121) in how it processes Modbus protocol messages over serial connections. The vulnerability affects 16 related products including engineering suites (TwidoSuite, SoMachine, Unity Pro), OPC Factory Server, and dedicated Modbus Serial Driver packages for Windows XP, Vista, and 7. All affected products are legacy or end-of-life with no patches planned by the vendor. An attacker could exploit this by sending a malformed Modbus message to a workstation running the driver, potentially leading to code execution with the privileges of the engineering application.
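The advisory describes the defect class (a CWE-121 stack overflow in message processing) but not the driver's internals, so the following is an added example and is not code from the advisory, ICS-CERT or Schneider Electric. It models the receiver side of a Modbus serial link: a naive parser that copies a frame into a fixed-size buffer without checking its length, beside a checked parser that validates frame length, CRC and the byte-count field before any data is used. It assumes Modbus RTU framing (the advisory does not say whether the driver is RTU or ASCII), and the 32-byte receive buffer is a constructed value, not the driver's real size; the frame limits and the write-multiple-registers layout come from the public Modbus serial-line specification.

```python
# Added example: bounded Modbus RTU frame validation (not the driver's code).
# The receive-buffer size below is constructed; the real driver's size is unknown.
from dataclasses import dataclass

MAX_ADU = 256   # largest RTU frame (address + PDU + CRC), per the Modbus spec
MIN_ADU = 4     # address + function code + 2-byte CRC
FC_WRITE_MULTIPLE_REGISTERS = 0x10
MAX_WRITE_REGISTERS = 123   # spec limit for FC 0x10, so at most 246 data bytes


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0xA001
    return crc


@dataclass
class Frame:
    unit: int
    function: int
    data: bytes


class FrameError(ValueError):
    """Raised when a frame is rejected before any copy takes place."""


def parse_unchecked(raw: bytes, rx_buf_size: int = 32) -> Frame:
    """Models the CWE-121 pattern: the wire bytes are copied into a buffer
    sized by assumption, never by the actual length. In C the oversize copy
    would run past the buffer; Python surfaces the same bug as IndexError."""
    rx_buf = bytearray(rx_buf_size)       # constructed fixed-size buffer
    for i, byte in enumerate(raw):
        rx_buf[i] = byte                  # no bounds check on i
    return Frame(rx_buf[0], rx_buf[1], bytes(rx_buf[2:len(raw) - 2]))


def parse_checked(raw: bytes) -> Frame:
    """Length, CRC and length-field consistency are checked before use."""
    if not MIN_ADU <= len(raw) <= MAX_ADU:
        raise FrameError(f"ADU length {len(raw)} outside {MIN_ADU}..{MAX_ADU}")
    body, crc_wire = raw[:-2], int.from_bytes(raw[-2:], "little")
    if crc16_modbus(body) != crc_wire:
        raise FrameError("CRC mismatch")
    unit, function, data = body[0], body[1], body[2:]
    if function == FC_WRITE_MULTIPLE_REGISTERS:
        # layout: start addr (2) | quantity (2) | byte count (1) | registers (N)
        if len(data) < 5:
            raise FrameError("FC16 request too short")
        quantity = int.from_bytes(data[2:4], "big")
        byte_count = data[4]
        if not 1 <= quantity <= MAX_WRITE_REGISTERS:
            raise FrameError(f"quantity {quantity} outside 1..{MAX_WRITE_REGISTERS}")
        # the byte-count field must agree with both the quantity and the bytes present
        if byte_count != 2 * quantity or len(data) - 5 != byte_count:
            raise FrameError("byte count disagrees with quantity or frame length")
    return Frame(unit, function, bytes(data))


def build_frame(unit: int, function: int, data: bytes) -> bytes:
    """Append a correct CRC; used here only to construct sample frames."""
    body = bytes([unit, function]) + data
    return body + crc16_modbus(body).to_bytes(2, "little")


def demo() -> dict:
    """Run both parsers on a valid request and on an oversized FC16 request."""
    good = build_frame(1, 0x03, bytes.fromhex("0000000A"))   # read 10 holding registers
    # constructed: FC16 whose byte count claims far more data than its quantity allows
    oversized = build_frame(1, 0x10, bytes.fromhex("00000010") + bytes([200]) + bytes(200))
    results = {"good_checked": parse_checked(good).function}
    for name, parser in (("unchecked", parse_unchecked), ("checked", parse_checked)):
        try:
            parser(oversized)
            results[name] = "accepted"
        except IndexError:
            results[name] = "overflowed"
        except FrameError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The checked parser rejects the oversized frame on the byte-count consistency test before touching the register data, which is the control a receiver needs whether the transport is a real serial port or serial-over-network; the naive parser fails only once the copy has already run past the buffer.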

What this means
What could happen
A buffer overflow in Schneider Electric's Modbus Serial Driver could allow an attacker to execute code on engineering workstations, potentially compromising configuration and control of industrial devices or halting engineering activities during critical operations.
Who's at risk
Energy utilities and industrial facilities using Schneider Electric engineering tools (TwidoSuite, PowerSuite, SoMove, SoMachine, Unity Pro, Concept, PL7) and OPC Factory Server on Windows workstations, particularly those that use the Modbus Serial Driver for device configuration or commissioning. Any facility where engineering workstations are on networks that could be accessed by untrusted sources is at risk.
How it could be exploited
An attacker would need to send a specially crafted Modbus message over a serial connection (or serial-over-network) to the affected driver software running on Windows workstations. This could occur if a workstation is connected to a network segment where an attacker can intercept or inject traffic, or if the workstation is directly exposed to untrusted serial/network inputs.
Prerequisites
  • Network or serial access to the Windows workstation running the Modbus Serial Driver
  • The driver must be actively processing Modbus traffic (listening on serial port or network interface)
  • No authentication is required to send a Modbus message to trigger the overflow
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High EPSS score (50.6%)
  • No patch available
  • Affects engineering workstations that control device configuration
Exploitability
High exploit probability (EPSS 50.6%)
Affected products (16)
16 EOL
Product       Affected versions       Fix status
TwidoSuite    ≤ 2.31.04               No fix (EOL)
PowerSuite    ≤ 2.6                   No fix (EOL)
SoMove        ≤ 1.7                   No fix (EOL)
SoMachine     2.0 | 3.0 | 3.1 | 3.0   No fix (EOL)
Unity Pro     ≤ 7.0                   No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate engineering workstations running affected Modbus Serial Driver versions from untrusted network segments; restrict serial and network access to Modbus traffic only from known, trusted devices
HARDENING: Segment the engineering network from operational control networks using firewalls and access control lists; block inbound Modbus traffic to workstations from the plant floor unless absolutely required
WORKAROUND: Disable or uninstall the Modbus Serial Driver if it is not actively being used for live configuration or monitoring
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor for signs of exploitation: unexpected process crashes, unusual system behavior, or unexpected code execution on engineering workstations
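A single crash of an engineering tool is just a crash; what the monitoring item above is really asking for is a way to notice the pattern of repeated faults that a malformed message hitting a parser tends to produce. The script below is an added example, not part of the advisory, that runs that check over a constructed export of the Windows Application log. Event ID 1000 is the real Windows "Application Error" event; the line format, timestamps, workstation process names (EngToolA.exe, EngToolB.exe) and the faulting module name are constructed placeholders, since the advisory does not name the engineering executables.

```python
# Added example: crash-burst detection over a constructed Windows Application
# log export. Only Event ID 1000 ("Application Error") is real; every process,
# module and timestamp below is a placeholder.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample, one event per line: timestamp | event id | message
SAMPLE_LOG = """\
2014-12-28T08:02:11 | 1000 | Faulting application name: EngToolA.exe, version 7.0.0.0, faulting module name: example_serial_driver.dll
2014-12-28T08:02:13 | 1000 | Faulting application name: EngToolA.exe, version 7.0.0.0, faulting module name: example_serial_driver.dll
2014-12-28T08:02:15 | 1000 | Faulting application name: EngToolA.exe, version 7.0.0.0, faulting module name: example_serial_driver.dll
2014-12-28T08:40:00 | 1000 | Faulting application name: notepad.exe, version 6.1.7600.16385, faulting module name: ntdll.dll
2014-12-28T09:15:02 | 7036 | The Print Spooler service entered the running state.
2014-12-28T10:05:30 | 1000 | Faulting application name: EngToolB.exe, version 3.1.0.0, faulting module name: unknown
"""

EVENT_APP_ERROR = 1000
# placeholder names standing in for the engineering applications on the workstation
WATCHED_APPS = {"engtoola.exe", "engtoolb.exe"}
LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<eid>\d+) \| (?P<msg>.*)$")
APP_RE = re.compile(
    r"Faulting application name: (?P<app>[^,]+),.*faulting module name: (?P<mod>[^,\s]+)"
)


def parse_events(text: str) -> list:
    """Return (timestamp, app, faulting module) for every Application Error event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["eid"]) != EVENT_APP_ERROR:
            continue
        a = APP_RE.search(m["msg"])
        if not a:
            continue
        events.append((datetime.fromisoformat(m["ts"]), a["app"].lower(), a["mod"]))
    return events


def detect_crash_bursts(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a watched app that faults `threshold` or more times inside `window`.

    Sliding window per application: repeated faults of the same process in a
    short span are the 'unexpected crash' pattern worth escalating, while a
    lone crash of an unrelated program is left alone."""
    by_app = defaultdict(list)
    for ts, app, mod in events:
        if app in WATCHED_APPS:
            by_app[app].append((ts, mod))
    alerts = []
    for app, hits in by_app.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({
                    "app": app,
                    "count": j - i + 1,
                    "first": hits[i][0],
                    "modules": sorted({mod for _, mod in hits[i:j + 1]}),
                })
                break   # one alert per application is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_crash_bursts(parse_events(SAMPLE_LOG)):
        print(f"{alert['app']}: {alert['count']} faults from {alert['first']} "
              f"in modules {alert['modules']}")
```

On the sample, EngToolA.exe trips the rule with three faults in four seconds, all in the same module, while the single EngToolB.exe fault and the notepad.exe crash do not. The faulting module recorded in the alert is what an analyst would compare against the driver's own binary name when deciding whether to pull the workstation off the network.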
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • TwidoSuite: ≤ 2.31.04
  • PowerSuite: ≤ 2.6
  • SoMove: ≤ 1.7
  • SoMachine: 2.0 | 3.0 | 3.1 | 3.0
  • Unity Pro: ≤ 7.0
  • Concept: ≤ 2.6_SR7
  • PL7: ≤ 4.5_SP5
  • SFT2841: 14
  • OPC Factory Server (OFS): ≤ 3.40
  • Modbus Serial Driver Windows XP 32 bit: V1.10_IE_v37
  • Modbus Serial Driver Windows Vista 32 bit: V2.2_IE12
  • Modbus Serial Driver Windows 7 32 bit: V2.2_IE12
  • Modbus Serial Driver Windows 7 64 bit: V3.2_IE12
  • UnityLoader: ≤ 2.3
  • ModbusCommDTM sl: ≤ 2.1.2
  • SFT2841: ≤ 13.1
Apply the following compensating controls:
HARDENING: Evaluate transition to modern Schneider Electric engineering platforms that have vendor security support; this advisory covers legacy products with no planned fixes