OTPulse

Schneider Electric Modicon M221

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-18-324-02 | Nov 20, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Modicon M221 PLC accepts remote configuration changes to its IPv4 settings (IP address, subnet mask, default gateway) via port 502 without authentication. A remote attacker can send a crafted packet to alter network configuration, causing the device to disconnect from the control network and interrupt operations. This affects all versions of the M221 firmware. Schneider Electric has not released a patch and recommends firewall blocking of port 502 and disabling unused protocols including the programming protocol via SoMachine Basic configuration.

What this means
What could happen
An attacker with network access to port 502 could remotely change the Modicon M221's IP address, subnet mask, and gateway, disconnecting the PLC from your network and interrupting industrial process control.
Who's at risk
Power utilities and industrial facilities operating Schneider Electric Modicon M221 programmable logic controllers should be concerned. The M221 is used to control electrical distribution, water treatment, and other critical infrastructure processes. Any facility running a Modicon M221 exposed to untrusted networks is at risk.
How it could be exploited
An attacker sends a specially crafted packet to port 502 (Modbus TCP) on the M221 PLC without needing credentials. The device accepts the remote configuration change, altering its network settings and severing communication with control systems.
Prerequisites
  • Network access to port 502 on the M221 device
  • No credentials required
  • Device reachable from an untrusted network (not air-gapped or behind a firewall)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available
  • High CVSS score (8.2)
  • Affects safety-critical controllers
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Modicon M221: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Block all inbound traffic to port 502 on the M221 using a firewall rule
  • HARDENING: Disable unused protocols in the M221 application, especially the programming protocol (Modbus TCP), via SoMachine Basic configuration
Mitigations - no patch available
The Modicon M221 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Isolate the M221 and its network from business networks using physical firewall separation
  • HARDENING: Ensure the M221 is not accessible from the Internet; place behind firewall with egress filtering
  • HARDENING: Never leave M221 controllers in Program mode; use Run mode and physical access controls
  • HARDENING: Store M221 in locked enclosure with restricted physical access
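
Added example (not part of the advisory or of any Schneider Electric material): a Python check that reads firewall logs and reports TCP/502 traffic toward M221 controllers from sources outside an allowlist, separating connections the firewall let through from ones it dropped. The controller addresses, the single allowlisted engineering host and the key=value log format are constructed assumptions.

```python
import ipaddress

# Constructed inventory and policy (assumptions, not taken from the advisory).
M221_HOSTS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.5/32")]  # hypothetical engineering host
MODBUS_PORT = 502
# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z action=accept proto=tcp src=10.20.0.5 dst=10.20.0.11 dport=502
2024-05-01T08:00:07Z action=drop proto=tcp src=192.168.50.23 dst=10.20.0.11 dport=502
2024-05-01T08:01:13Z action=accept proto=tcp src=192.168.50.23 dst=10.20.0.12 dport=502
2024-05-01T08:02:40Z action=accept proto=tcp src=192.168.50.23 dst=10.20.0.12 dport=443
2024-05-01T08:03:02Z action=accept proto=udp src=10.99.1.4 dst=10.20.0.11 dport=502
malformed line without fields
"""

def parse_line(line):
    """Return a dict of key=value fields plus 'ts', or None if the line is unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"action", "proto", "src", "dst", "dport"} <= fields.keys():
        return None
    fields["ts"] = parts[0]
    return fields

def audit(log_text):
    """List TCP/502 flows to M221 hosts that come from outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
            dport = int(rec["dport"])
        except ValueError:
            continue
        if dst not in M221_HOSTS or dport != MODBUS_PORT or rec["proto"] != "tcp":
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        # accept = gap in the firewall rule; drop = rule held, but the source needs review
        severity = "EXPOSED" if rec["action"] == "accept" else "BLOCKED_ATTEMPT"
        findings.append((severity, rec["ts"], str(src), str(dst)))
    return findings

for finding in audit(SAMPLE_LOG): print(*finding)
```

An EXPOSED finding means the port 502 block is not in effect on that path. With an empty ALLOWED_SOURCES list the check matches the advisory's stricter "block all inbound traffic" workaround.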