Schneider Electric Modicon M221 PLCs and SoMachine Basic (Update A)
ICS-CERT ICSA-17-103-02A, April 13, 2017
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary
Modicon M221 PLCs (firmware 1.5.0.1 and earlier) and SoMachine Basic (1.5 and earlier) contain two vulnerabilities: use of a hard-coded cryptographic key (CWE-321) and a protection mechanism failure (CWE-693). Together they defeat the protections the PLC and its engineering software rely on to keep application and configuration data confidential and unmodified. An attacker who can reach the PLC or an engineering workstation over the network can bypass those protections without credentials or user interaction. No vendor patches are currently available, and public tooling that exploits the weaknesses exists.
What this means
What could happen
An attacker with network access to a Modicon M221 PLC could bypass its protection mechanisms without credentials and read or modify the control application and configuration, allowing them to alter or stop the controlled process (for example water or power equipment), change setpoints, or cause equipment damage.
Who's at risk
Operators who use Modicon M221 PLCs to control pumps, motors, switchgear, and substations, including water utilities and municipal or industrial electric distribution operators, and anyone who uses SoMachine Basic to program or monitor M221 devices. Any M221 running firmware 1.5.0.1 or earlier that is reachable from the Internet or from an untrusted network is at critical risk.
How it could be exploited
An attacker who can reach an M221 PLC or a SoMachine Basic workstation on TCP port 502 (Modbus TCP, which also carries the M221 engineering protocol) or on another exposed network interface sends crafted requests that exploit the hard-coded key and the failed protection mechanism. Because the weaknesses are reachable before any authentication takes place, no credentials are required.
Prerequisites
- Network access to the PLC on port 502 (Modbus TCP) or engineering interface ports
- No credentials required
- M221 firmware version 1.5.0.1 or earlier, or SoMachine Basic version 1.5 or earlier
Tags: remotely exploitable, no authentication required, low complexity, no patch available, public exploits available, affects operational control systems
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (2)
Product / Affected versions / Fix status
Modicon M221 PLCs (all models) / firmware 1.5.0.1 and earlier / No fix yet
SoMachine Basic / 1.5 and earlier / No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to M221 PLCs and SoMachine Basic engineering workstations with firewalls or network segmentation. Block Modbus TCP (port 502) and engineering ports from the Internet and from untrusted networks, and allow only the SCADA and engineering hosts that must talk to each PLC.
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
HOTFIX: Apply the firmware update when Schneider Electric releases one. Modicon M221 firmware and SoMachine Basic currently have no vendor fix; monitor Schneider Electric security advisories for patches.
Long-term hardening
HARDENING: Isolate M221 PLCs and SoMachine Basic systems on a dedicated OT network segment with restricted access from IT networks and the Internet.
HARDENING: Disable remote engineering access (Modbus TCP and other remote protocols) on M221 devices if it is not required for operations, and use local engineering access only. Confirm first that nothing else, such as SCADA polling over Modbus TCP, depends on the interface you are disabling.
HARDENING: Implement network monitoring and IDS/IPS rules to detect suspicious Modbus TCP traffic to M221 devices, in particular traffic from hosts outside the allowlist and engineering-protocol traffic from hosts that are not engineering workstations.
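As an added example of the monitoring rule in the last hardening item, and of checking the port 502 allowlist the "Do now" workaround establishes: a small Python checker that parses the Modbus/TCP MBAP header of each TCP segment addressed to an M221 and raises an alert when the source host is not an allowlisted SCADA or engineering host, when the frame is malformed, or when Schneider's vendor-specific function code 90 (the code that carries SoMachine engineering traffic over port 502) arrives from a host that is not allowed to run the engineering tool. This is example code written for this page, not code from the advisory or from Schneider Electric; the PLC and host addresses, the allowlists and the captured frames are constructed for the example.

```python
"""Flag suspicious Modbus/TCP traffic addressed to Modicon M221 PLCs.

Added example, not code from the advisory or from Schneider Electric.
Addresses, allowlists and frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")
# Standard function codes that change PLC state.
WRITE_FCS = {5, 6, 15, 16, 22, 23}
# Schneider's vendor-specific function code; SoMachine Basic engineering
# traffic (UMAS) to the M221 rides on it over the same port 502.
UMAS_FC = 90


@dataclass(frozen=True)
class Policy:
    plcs: frozenset         # addresses of the M221 PLCs being watched
    scada_hosts: frozenset  # hosts allowed to poll and write process data
    eng_hosts: frozenset    # hosts allowed to run SoMachine Basic


def parse_mbap(payload: bytes):
    """Return (unit id, function code) or None if not a well-formed Modbus/TCP frame."""
    if len(payload) < MBAP.size + 1:              # header plus at least a function code
        return None
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        return None
    return unit, payload[MBAP.size] & 0x7F        # mask the exception-response bit


def classify(src: str, dst: str, dport: int, payload: bytes, policy: Policy):
    """Return an alert label for one segment sent to a watched PLC, or None if benign."""
    if dst not in policy.plcs or dport != MODBUS_PORT:
        return None                               # not Modbus to a PLC we watch
    parsed = parse_mbap(payload)
    if parsed is None:
        return "malformed-modbus"
    _unit, fc = parsed
    if src not in policy.scada_hosts and src not in policy.eng_hosts:
        return "unauthorized-source"              # violates the port 502 allowlist
    if fc == UMAS_FC and src not in policy.eng_hosts:
        return "umas-from-non-engineering-host"   # engineering protocol from a SCADA host
    if fc in WRITE_FCS and src not in policy.scada_hosts:
        return "write-from-non-scada-host"        # process write from an engineering host
    return None


def audit(flows, policy: Policy):
    """Run classify over (src, dst, dport, payload) tuples; return the alerts raised."""
    alerts = []
    for src, dst, dport, payload in flows:
        label = classify(src, dst, dport, payload, policy)
        if label is not None:
            alerts.append((src, dst, label))
    return alerts


# Constructed policy: one PLC, one SCADA server, one engineering laptop.
POLICY = Policy(plcs=frozenset({"10.0.2.5"}),
                scada_hosts=frozenset({"10.0.1.10"}),
                eng_hosts=frozenset({"10.0.1.20"}))

# Constructed segments (payload = MBAP header + PDU, as hex).
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # FC3: read 10 holding registers
WRITE_SR = bytes.fromhex("0002 0000 0006 01 06 0010 0001")  # FC6: write single register
UMAS = bytes.fromhex("0003 0000 0004 01 5a 0001")           # FC90 (0x5a): UMAS request
BAD_LEN = bytes.fromhex("0004 0000 0020 01 03")             # length field claims 32 bytes

FLOWS = [
    ("10.0.1.10", "10.0.2.5", 502, READ_HR),    # SCADA poll: benign
    ("192.0.2.44", "10.0.2.5", 502, WRITE_SR),  # unknown host writing a register
    ("10.0.1.10", "10.0.2.5", 502, UMAS),       # SCADA server speaking the engineering protocol
    ("10.0.1.20", "10.0.2.5", 502, UMAS),       # engineering laptop: expected
    ("10.0.1.20", "10.0.2.5", 502, BAD_LEN),    # malformed frame
    ("10.0.1.20", "10.0.2.5", 502, WRITE_SR),   # engineering laptop writing process data
    ("10.0.1.10", "10.0.3.9", 502, READ_HR),    # not a watched PLC
]

if __name__ == "__main__":
    for src, dst, label in audit(FLOWS, POLICY):
        print(f"ALERT {label}: {src} -> {dst}")
```

In production the tuples would come from a packet capture or a Zeek connection log rather than the constructed list, and the same per-host function-code allowlist can be expressed as firewall or IDS rules so that the unauthorized-source case is blocked rather than merely reported. The point of the per-host split is that a SCADA server has no business speaking the engineering protocol even though it legitimately reaches port 502.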
CVEs (2)