Schneider Electric Serial Modbus Driver Buffer Overflow (Update A)

Act NowICS-CERT ICSA-14-086-01ADec 28, 2014

Schneider ElectricEnergy

Summary

Schneider Electric Modbus Serial Driver contains a buffer overflow vulnerability (CWE-121) in how it processes Modbus protocol messages over serial connections. The vulnerability affects 16 related products including engineering suites (TwidoSuite, SoMachine, Unity Pro), OPC Factory Server, and dedicated Modbus Serial Driver packages for Windows XP, Vista, and 7. All affected products are legacy or end-of-life with no patches planned by the vendor. An attacker could exploit this by sending a malformed Modbus message to a workstation running the driver, potentially leading to code execution with the privileges of the engineering application.

What this means

What could happen

A buffer overflow in Schneider Electric's Modbus Serial Driver could allow an attacker to execute code on engineering workstations, potentially compromising configuration and control of industrial devices or halting engineering activities during critical operations.

Who's at risk

Energy utilities and industrial facilities using Schneider Electric engineering tools (TwidoSuite, PowerSuite, SoMove, SoMachine, Unity Pro, Concept, PL7) and OPC Factory Server on Windows workstations, particularly those that use the Modbus Serial Driver for device configuration or commissioning. Any facility where engineering workstations are on networks that could be accessed by untrusted sources is at risk.

How it could be exploited

An attacker would need to send a specially crafted Modbus message over a serial connection (or serial-over-network) to the affected driver software running on Windows workstations. This could occur if a workstation is connected to a network segment where an attacker can intercept or inject traffic, or if the workstation is directly exposed to untrusted serial/network inputs.

Prerequisites

Network or serial access to the Windows workstation running the Modbus Serial Driver
The driver must be actively processing Modbus traffic (listening on serial port or network interface)
No authentication is required to send a Modbus message to trigger the overflow

remotely exploitableno authentication requiredlow complexityhigh EPSS score (50.6%)no patch availableaffects engineering workstations that control device configuration

Exploitability

Likely to be exploited — EPSS score 50.6%

Affected products (16)

16 EOL

ProductAffected VersionsFix Status

TwidoSuite: <=2.31.04≤ 2.31.04No fix (EOL)

PowerSuite: <=2.6≤ 2.6No fix (EOL)

SoMove: <=1.7≤ 1.7No fix (EOL)

SoMachine: 2.0|3.0|3.1|3.02.0|3.0|3.1|3.0No fix (EOL)

Unity Pro: <=7.0≤ 7.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate engineering workstations running affected Modbus Serial Driver versions from untrusted network segments; restrict serial and network access to Modbus traffic only from known, trusted devices

HARDENINGSegment the engineering network from operational control networks using firewalls and access control lists; block inbound Modbus traffic to workstations from the plant floor unless absolutely required

WORKAROUNDDisable or uninstall the Modbus Serial Driver if it is not actively being used for live configuration or monitoring

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for signs of exploitation: unexpected process crashes, unusual system behavior, or unexpected code execution on engineering workstations

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: TwidoSuite: <=2.31.04, PowerSuite: <=2.6, SoMove: <=1.7, SoMachine: 2.0|3.0|3.1|3.0, Unity Pro: <=7.0, Concept: <=2.6_SR7, PL7: <=4.5_SP5, SFT2841: 14, OPC Factory Server (OFS): <=3.40, Modbus Serial Driver Windows XP 32 bit: V1.10_IE_v37, Modbus Serial Driver Windows Vista 32 bit: V2.2_IE12, Modbus Serial Driver Windows 7 32 bit: V2.2_IE12, Modbus Serial Driver Windows 7 64 bit: V3.2_IE12, UnityLoader: <=2.3, ModbusCommDTM sl: <=2.1.2, SFT2841: <=13.1. Apply the following compensating controls:

HARDENINGEvaluate transition to modern Schneider Electric engineering platforms that have vendor security support; this advisory covers legacy products with no planned fixes

CVEs (1)

CVE-2013-0662

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bfeb072c-387e-4321-b979-3919871e2e50

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.