Schneider Electric Modicon M340 PLC (Update A)
Plan Patch | 7.5 | ICS-CERT ICSA-17-054-03 | Feb 23, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
This vulnerability in Schneider Electric Modicon PLC CPUs allows a remote, unauthenticated attacker to cause a denial of service by sending crafted Modbus TCP packets to port 502. Successful exploitation renders the device unresponsive and requires a physical reset. Affected devices include Quantum, M580, M340, Premium, and M1E CPUs. Quantum, M580, and M340 have firmware patches available. Premium and M1E CPUs are end-of-life and will not receive patches.
What this means
What could happen
An attacker can send specially crafted network packets to the PLC that cause it to stop responding, requiring a physical reset to recover. This denial of service could halt production or critical process monitoring until the device is manually restarted.
Who's at risk
Energy and manufacturing facilities using Schneider Electric Modicon M340, M580, Quantum, Premium, or M1E PLCs should review this advisory. M340, M580, and Quantum users have patches available. Premium and M1E users cannot patch and must rely on firewall controls.
How it could be exploited
An attacker with network access to port 502 (Modbus TCP) sends malformed packets to the PLC. The device fails to process them correctly and becomes unresponsive, losing its ability to control or monitor plant processes.
Prerequisites
- Network access to port 502 (Modbus TCP) on the PLC
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects availability of control systems, no patch available for Premium and M1E
Exploitability
Moderate exploit probability (EPSS 5.2%)
Affected products (5)
3 with fix, 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Quantum CPUs with firmware: prior to v3.52 | < 3.52 | v3.52 or later |
| Premium CPUs: all versions | All versions | No fix (EOL) |
| M580 CPUs with firmware: prior to v2.3 | < 2.3 | v2.3 or later |
| M340 CPUs with firmware: prior to v2.9 | < 2.9 | v2.9 or later |
| M1E CPUs: all versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: For Premium and M1E CPUs (no patch available), configure a firewall to block all remote access to port 502
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Quantum CPUs to firmware v3.52 or later
- HOTFIX: Update M580 CPUs to firmware v2.3 or later
- HOTFIX: Update M340 CPUs to firmware v2.9 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Premium CPUs (all versions) and M1E CPUs (all versions). Apply the following compensating controls:
- HARDENING: Isolate PLC networks from the business network and block internet-facing access to control system devices
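One way to check that a firewall rule set actually enforces the port 502 block and network isolation described above, as an added example (not from the advisory or from Schneider Electric). The simplified rule tuples, first-match semantics, addresses and probe sources are all assumptions, and "remote" is taken to mean any source outside the PLC's own control subnet.

```python
import ipaddress

MODBUS_PORT = 502  # Modbus TCP port named in the advisory

def first_match(rules, src, dst, port):
    """Action of the first rule matching the flow (assumed first-match, default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, dport in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and dport in ("any", port)):
            return action
    return "deny"

def exposed_sources(rules, plc, probes):
    """Probe sources that the rule set lets reach the PLC on port 502."""
    return [src for src in probes
            if first_match(rules, src, plc, MODBUS_PORT) == "allow"]

# Constructed sample data; all addresses are hypothetical.
PLC = "10.20.0.15"        # EOL Premium CPU in control subnet 10.20.0.0/24
PROBES = ["10.20.0.5",    # engineering workstation inside the control subnet
          "10.10.4.77",   # business-network host
          "203.0.113.9"]  # internet host (documentation range)

# Weak: the broad internal allow is evaluated first, so the port 502 deny
# below it never applies to business-network sources.
WEAK = [("allow", "10.0.0.0/8", "10.20.0.0/24", "any"),
        ("deny", "0.0.0.0/0", "10.20.0.0/24", MODBUS_PORT)]

# Corrected: only the control subnet may reach port 502; everything else
# bound for the PLC network is dropped.
FIXED = [("allow", "10.20.0.0/24", "10.20.0.0/24", MODBUS_PORT),
         ("deny", "0.0.0.0/0", "10.20.0.0/24", "any")]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "-> sources reaching port 502:",
              exposed_sources(rules, PLC, PROBES))
```

The weak rule set shows the shadowed-deny failure: a port 502 block that exists in the policy but sits below a broader allow gives no protection to the unpatched CPU.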
CVEs (1)