Schneider Electric Web Server on Modicon M340

Monitor | CVSS 6.3 | ICS-CERT ICSA-21-005-01 | Nov 10, 2020
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Modicon PAC controllers (M340, Premium, Quantum lines) contain multiple buffer overflow and out-of-bounds write vulnerabilities (CWE-125, CWE-787, CWE-120) in their web server implementation. Successful exploitation could allow write access and command execution, resulting in data corruption or web server crash. The affected modules include M340 Ethernet communication cards (BMX NOE, BMX NOC, BMX NOR), Premium and Quantum communication modules (TSXETY, 140NOE, 140NOC), and processors with integrated Ethernet. Schneider Electric is developing remediation but has not released patches. The Modicon Premium and Quantum lines have reached end-of-life and are no longer commercially available, with migration to the Modicon M580 ePAC controller recommended.

What this means
What could happen
An authenticated attacker with web server access could corrupt data or crash the PAC controller's web server, potentially disrupting monitoring and control functions for power generation, distribution, or water treatment processes.
Who's at risk
Energy sector operators running Schneider Electric Modicon M340, Premium, or Quantum PAC controllers with Ethernet communication modules (BMX NOE, BMX NOC, BMX NOR, TSXETY, 140NOE, 140NOC) should be concerned. This affects PACs used in power generation, distribution automation, and industrial processes that rely on web-based monitoring and control interfaces.
How it could be exploited
An attacker with valid credentials or access to the web server interface could send malformed requests to trigger buffer overflow or out-of-bounds write vulnerabilities (CWE-125, CWE-787, CWE-120) in the Modicon PAC web server, allowing command execution or data corruption on the controller.
Prerequisites
  • Valid web server credentials or authenticated session on the PAC controller
  • Network access to the Modicon PAC controller's web server port
  • Knowledge of vulnerable web server endpoints
  • Affects authentication-required web interfaces
  • Low complexity exploitation
  • No vendor fix available or planned
  • Affects legacy/end-of-life controllers still in operation
  • Buffer overflow and out-of-bounds write vulnerabilities
Exploitability
Some exploitation risk — EPSS score 1.2%
Affected products (21)
5 with fix | 2 pending | 14 EOL
Product | Affected Versions | Fix Status
M340 CPUs BMXP34x <3.40 | <3.40 | 3.40
M340 Communication Ethernet Modules BMXNOR0200H | <1.7 IR 23 | 1.7 IR 23
M340 X80 Communication Ethernet Modules BMXNOC0401 | <2.11 | 2.11
M340 Communication Ethernet modules | <SV03.50 | SV03.50
M340 Communication Ethernet modules | <SV06.70 | SV03.50
Remediation & Mitigation
Do now
HARDENING: Disable FTP via Unity Pro or EcoStruxure Control Expert (disabled by default in new applications)
HARDENING: Configure access control lists using EcoStruxure Control Expert to restrict who can reach the web server
HARDENING: Implement network firewall rules to block all unauthorized access to port 21 (FTP) and web server ports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor for and report suspected malicious activity to CISA
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • M340 Communication Ethernet modules BMX NOE 0100 (H): all versions
  • M340 Communication Ethernet modules BMX NOE 0110 (H): all versions
  • Quantum communication modules 140NOC78x00: all versions
  • M340 CPUs BMX P34x: all versions
  • Quantum communication modules 140NOE771x1: all versions
  • M340 Communication Ethernet modules BMX NOR 0200H: all versions
  • M340 Communication Ethernet modules BMX NOC 0401: all versions
  • Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx: all versions
  • Quantum communication modules 140NOC77101: all versions
  • Premium processors with integrated Ethernet COPRO: all versions
  • Premium communication modules: all versions
  • Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx: all versions
  • Quantum communication modules: all versions
  • Premium processors with integrated Ethernet COPRO TSXP574634 TSXP575634 TSXP576634: all versions
Apply the following compensating controls:
HARDENING: Place PAC controller networks behind firewalls and segment them from the business/office network
HARDENING: Minimize direct Internet exposure of control system devices; use VPN with secure authentication if remote access is required
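
One way to check that the firewall and segmentation controls above are actually in effect, as an added example that is not part of the original advisory: it scans flow records for connections to controller FTP (21) and web server ports from sources outside an allowlist. The subnet, workstation address, log format, and the use of port 80 for the web server are assumptions made for illustration.

```python
import ipaddress

# Assumptions for illustration (none of these values come from the advisory):
PAC_NET = ipaddress.ip_network("10.20.30.0/24")             # hypothetical controller subnet
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.40.10/32")]  # hypothetical engineering workstation
# 21/tcp is FTP as named in the advisory; 80/tcp as the web server port is an assumption.
WATCHED_PORTS = {21: "FTP", 80: "web server"}

# Constructed sample records: "timestamp src dst dport proto action"
SAMPLE_FLOWS = """\
2024-01-01T08:00:01Z 10.20.40.10 10.20.30.5 80 tcp ALLOW
2024-01-01T08:00:07Z 10.10.5.23 10.20.30.5 80 tcp ALLOW
2024-01-01T08:01:12Z 10.10.5.23 10.20.30.5 21 tcp DENY
2024-01-01T08:02:30Z 192.0.2.44 10.20.30.9 21 tcp ALLOW
2024-01-01T08:03:00Z 10.10.5.23 10.20.30.5 502 tcp ALLOW
malformed line
"""

def audit_flows(text):
    """Return findings for flows to watched PAC ports from non-allowlisted sources."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed records rather than guessing
        ts, src, dst, dport, proto, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if proto.lower() != "tcp" or dst_ip not in PAC_NET or port not in WATCHED_PORTS:
            continue
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue
        # ALLOW means a firewall rule is missing; DENY means the rule works
        # but something is probing the controller and should be investigated.
        severity = "rule-gap" if action.upper() == "ALLOW" else "blocked-probe"
        findings.append({"line": lineno, "time": ts, "src": src, "dst": dst,
                         "service": WATCHED_PORTS[port], "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['severity']:13} {f['time']} {f['src']} -> {f['dst']} ({f['service']})")
```

A "rule-gap" finding means traffic reached the controller that the firewall should have dropped; a "blocked-probe" finding is a candidate for the monitoring and reporting step.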