Schneider Electric Modicon Ethernet Serial RTU
Plan Patch | 8.6 | ICS-CERT ICSA-20-044-01 | Feb 13, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The BMXNOR0200H Ethernet/Serial RTU module contains a vulnerability in packet handling that allows a remote attacker to send malformed packets to port 2404/TCP and cause a denial-of-service condition. The module does not properly validate incoming packets, resulting in improper exception handling (CWE-754) and insufficient access controls (CWE-284). Successful exploitation could render the RTU unresponsive, disrupting remote communication and control of connected electrical systems.
What this means
What could happen
An attacker with network access to the RTU module could send specially crafted packets to port 2404/TCP to cause the device to stop responding (denial of service), disrupting real-time monitoring and control of electrical distribution or generation systems.
Who's at risk
This affects energy sector organizations (utilities, generation facilities, substations) operating Schneider Electric Modicon Ethernet/Serial RTU modules (model BMXNOR0200H). These devices are typically used for remote monitoring and control of electrical distribution equipment. Any facility using this RTU model in operational networks is at risk.
How it could be exploited
An attacker sends malformed packets to port 2404/TCP on the Ethernet/Serial RTU module. The module does not properly validate or handle these packets, causing it to crash or become unresponsive. The attacker needs only network-level access to the RTU module; no credentials or user interaction are required.
Prerequisites
- Network access to port 2404/TCP on the BMXNOR0200H module
- Device must be reachable from attacker's network segment (no authentication required)
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects critical infrastructure
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| BMXNOR0200H Ethernet/Serial RTU module: all versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to isolate the RTU module and block all inbound traffic to port 2404/TCP and SNMP port 161/UDP using a firewall or access control list
- HARDENING: If remote access to the RTU is required, use a VPN with current security patches and restrict VPN access to authorized engineering staff only
Mitigations - no patch available
The BMXNOR0200H Ethernet/Serial RTU module (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Ensure the RTU module is not directly accessible from the business network or the Internet; place it behind a firewall on a dedicated control network segment
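One way to verify that these compensating controls hold is to audit firewall flow logs for permitted connections to 2404/TCP or 161/UDP on the RTU that originate outside the control segment. The script below is an added example, not part of the advisory or of any vendor tooling; the RTU address, the control-segment CIDR, the CSV log layout and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Ports the advisory says to block inbound to the RTU module.
GUARDED = {("tcp", 2404), ("udp", 161)}

# Assumed values for illustration; replace with the site's own addressing.
RTU_ADDRS = {ip_address("10.20.0.15")}
CONTROL_SEGMENT = ip_network("10.20.0.0/24")

# Constructed sample flow log (not real traffic): src,dst,proto,dport,action
SAMPLE_LOG = """\
src,dst,proto,dport,action
10.20.0.5,10.20.0.15,tcp,2404,allow
192.168.10.44,10.20.0.15,tcp,2404,allow
192.168.10.44,10.20.0.15,udp,161,deny
203.0.113.9,10.20.0.15,udp,161,allow
192.168.10.44,10.20.0.15,tcp,502,allow
10.20.0.5,10.20.0.99,tcp,2404,allow
"""


def find_exposures(log_text, rtu_addrs=RTU_ADDRS, segment=CONTROL_SEGMENT):
    """Return permitted flows that reach a guarded RTU port from outside the segment."""
    exposures = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            service = (row["proto"].lower(), int(row["dport"]))
            allowed = row["action"].lower() == "allow"
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records rather than abort the audit
        if dst not in rtu_addrs or service not in GUARDED:
            continue  # not the RTU, or not one of the ports named in the advisory
        if allowed and src not in segment:
            exposures.append((str(src), str(dst), *service))
    return exposures


if __name__ == "__main__":
    for src, dst, proto, port in find_exposures(SAMPLE_LOG):
        print(f"EXPOSED: {src} -> {dst} {port}/{proto} was permitted")
```

Any line reported means the segmentation rule is missing or shadowed for that source and should be tightened at the firewall in front of the control segment.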