OTPulse

Schneider Electric Modicon M340 Buffer Overflow Vulnerability

Monitor · CVSS 7.5 · ICS-CERT ICSA-15-351-01 · Sep 19, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Modicon M340 PLC modules contain a stack-based buffer overflow (CWE-121) in the network stack that can be triggered by specially crafted network packets. It affects multiple M340 CPU and communication modules (BMXP3420302H, BMXPRA0100, BMXNOC0401, the BMXNOE0100 series, the BMXNOR0200 series, the BMXP342020 series, and BMXP342030). Exploitation can cause the PLC to stop processing control commands or restart unexpectedly, disrupting the industrial automation and process control it drives. Schneider Electric has not released a patch or firmware update for this issue.

What this means
What could happen
A buffer overflow in the Modicon M340 CPU could allow an attacker to crash or restart the PLC and, since it is a stack-based overflow, potentially execute arbitrary code on the device. Either outcome interrupts process control and automation in your facility.
Who's at risk
Energy providers and manufacturing facilities using the affected Schneider Electric Modicon M340 CPU and communication modules should review how much critical process control depends on these devices. The affected hardware variants are used to control pumps, compressors, generators, and other automated equipment in power plants, water treatment facilities, and production lines.
How it could be exploited
An attacker with network access to the M340 PLC can send a specially crafted packet that triggers the overflow in the processor. The PLC may then stop responding to input/output commands or reload unexpectedly, interrupting the control logic for pumps, valves, generators, or other automated equipment. No credentials and no user interaction are needed.
Prerequisites
  • Network access to the Modicon M340 PLC (Modbus TCP on port 502 is the usual exposed service, but the advisory does not tie the flaw to a single port, so treat every network service the module exposes as in scope)
  • No credentials or authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects control systems
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (13), all end-of-life (EOL). The table lists 8 of the 13; the summary above also names the BMXP342020 series and BMXP342030.

Product                        | Affected Versions | Fix Status
Modicon M340 PLC: BMXP3420302H | BMXP3420302H      | No fix (EOL)
Modicon M340 PLC: BMXPRA0100   | BMXPRA0100        | No fix (EOL)
Modicon M340 PLC: BMXNOC0401   | BMXNOC0401        | No fix (EOL)
Modicon M340 PLC: BMXNOE0100   | BMXNOE0100        | No fix (EOL)
Modicon M340 PLC: BMXNOE0100H  | BMXNOE0100H       | No fix (EOL)
Modicon M340 PLC: BMXNOE0110   | BMXNOE0110        | No fix (EOL)
Modicon M340 PLC: BMXNOR0200   | BMXNOR0200        | No fix (EOL)
Modicon M340 PLC: BMXNOR0200H  | BMXNOR0200H       | No fix (EOL)
Remediation & Mitigation

Do now

HARDENING: Implement network segmentation: place the M340 PLC on a dedicated control network isolated from the corporate network by a firewall or an industrial demilitarized zone (DMZ). Allow only approved engineering workstations and SCADA servers to communicate with the PLC.

HARDENING: Deploy an industrial firewall or an access control list on the network gateway to restrict inbound traffic to the PLC to the ports the process actually needs (Modbus TCP/502 at minimum) and only from trusted addresses (engineering workstations, HMI, redundant controllers). Because the advisory does not pin the flaw to one service, deny by default and open ports individually rather than allowlisting Modbus while leaving other services reachable.

Schedule — requires maintenance window

No patch is available today. If Schneider Electric later issues firmware for these modules, applying it will require a device reboot, so plan for process interruption.

HARDENING: Monitor the M340 PLC and its network traffic for unexpected communication patterns. Alert on traffic to the PLC from unauthorized hosts and on frames whose size or length fields exceed what the protocol allows (a Modbus/TCP ADU is at most 260 bytes, and the MBAP length field must match the bytes that follow it). Use passive capture (a SPAN port or network tap) rather than active scanning: an unpatched M340 can be crashed by a single malformed packet, so an aggressive scanner is itself a denial-of-service risk.
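The following is an added example, not part of the OTPulse advisory and not Schneider Electric's tooling. It turns the two hardening items above, the source-address allowlist of the firewall/ACL item and the "unauthorized host or unusual payload size" alerting of the monitoring item, into a small passive check over captured frames: each frame toward the PLC is tested against an allowlist, and Modbus/TCP frames are additionally checked for an oversized ADU or an MBAP length field that disagrees with the payload. The PLC address, the allowed clients and the sample frames are constructed for the example; the 7-byte MBAP layout and the 260-byte ADU limit come from the Modbus/TCP specification.

```python
"""Allowlist + Modbus/TCP sanity checks over captured frames (added example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# --- Assumptions: hypothetical addresses for this example, not from the advisory ---
PLC_IP = "10.10.20.5"                              # the M340 under protection
ALLOWED_CLIENTS = {"10.10.20.10", "10.10.20.11"}   # HMI and engineering workstation
MODBUS_PORT = 502

# --- From the Modbus/TCP specification ---
MBAP_LEN = 7       # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260      # MBAP header + 253-byte PDU maximum


@dataclass
class Frame:
    """One TCP segment toward the PLC, as a monitor would see it on a SPAN port."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_mbap(payload: bytes) -> tuple[int, int, int, int] | None:
    """Return (transaction_id, protocol_id, length, unit_id), or None if the header is short."""
    if len(payload) < MBAP_LEN:
        return None
    return struct.unpack(">HHHB", payload[:MBAP_LEN])


def inspect(frame: Frame) -> list[str]:
    """Return the alert strings this frame raises (an empty list means benign)."""
    findings: list[str] = []
    if frame.dst != PLC_IP:
        return findings                       # only traffic toward the PLC is in scope

    # Allowlist check: the ACL item above, expressed as a detection.
    if frame.src not in ALLOWED_CLIENTS:
        findings.append(f"unauthorized source {frame.src} -> PLC port {frame.dport}")

    # Any service other than the one the process needs is suspicious on its own.
    if frame.dport != MODBUS_PORT:
        findings.append(f"non-Modbus service contacted on port {frame.dport}")
        return findings                       # not MBAP, nothing further to parse

    hdr = parse_mbap(frame.payload)
    if hdr is None:
        findings.append("truncated MBAP header")
        return findings
    _tid, pid, length, _uid = hdr

    if pid != 0:
        findings.append(f"MBAP protocol id {pid} != 0")
    if len(frame.payload) > MAX_ADU:
        findings.append(f"oversized ADU: {len(frame.payload)} bytes > {MAX_ADU}")
    # The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame.payload) - 6:
        findings.append(f"MBAP length {length} disagrees with {len(frame.payload) - 6} trailing bytes")
    return findings


def audit(frames: list[Frame]) -> dict[int, list[str]]:
    """Run inspect() over every frame; keys are frame indexes, values the alerts raised."""
    return {i: inspect(f) for i, f in enumerate(frames)}


# --- Constructed sample frames (not captured from a real network) ---
SAMPLE_FRAMES = [
    # Well-formed Read Holding Registers (FC 3) from the HMI: length field 6, 12-byte ADU.
    Frame("10.10.20.10", PLC_IP, MODBUS_PORT,
          b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # The same request from a host that is not on the allowlist.
    Frame("192.168.1.77", PLC_IP, MODBUS_PORT,
          b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Allowed host, internally consistent header, but a 1007-byte ADU: far above the 260-byte limit.
    Frame("10.10.20.11", PLC_IP, MODBUS_PORT,
          b"\x00\x03\x00\x00" + struct.pack(">H", 1001) + b"\x01" + b"\x41" * 1000),
    # Allowed host talking to a service the ACL should not expose.
    Frame("10.10.20.10", PLC_IP, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, alerts in audit(SAMPLE_FRAMES).items():
        print(idx, alerts or "ok")
```

The checks are deliberately structural rather than signature-based: because the advisory does not describe the malformed packet, a monitor can only flag what a well-behaved client would never send (unexpected source, unexpected service, impossible sizes). Feed it frames from a passive tap; never generate test traffic against a production M340.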