OTPulse

Schneider Electric Web Server on Modicon M340

Monitor | CVSS 6.3 | ICS-CERT ICSA-21-005-01 | Jan 5, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Modicon PAC controllers (M340, Premium, Quantum lines) contain multiple buffer overflow and out-of-bounds write vulnerabilities (CWE-125, CWE-787, CWE-120) in their web server implementation. Successful exploitation could allow write access and command execution, resulting in data corruption or web server crash. The affected modules include M340 Ethernet communication cards (BMX NOE, BMX NOC, BMX NOR), Premium and Quantum communication modules (TSXETY, 140NOE, 140NOC), and processors with integrated Ethernet. Schneider Electric is developing remediation but has not released patches. The Modicon Premium and Quantum lines have reached end-of-life and are no longer commercially available, with migration to the Modicon M580 ePAC controller recommended.

What this means
What could happen
An authenticated attacker with web server access could corrupt data or crash the PAC controller's web server, potentially disrupting monitoring and control functions for power generation, distribution, or water treatment processes.
Who's at risk
Energy sector operators running Schneider Electric Modicon M340, Premium, or Quantum PAC controllers with Ethernet communication modules (BMX NOE, BMX NOC, BMX NOR, TSXETY, 140NOE, 140NOC) should be concerned. This affects PACs used in power generation, distribution automation, and industrial processes that rely on web-based monitoring and control interfaces.
How it could be exploited
An attacker with valid credentials or access to the web server interface could send malformed requests to trigger buffer overflow or out-of-bounds write vulnerabilities (CWE-125, CWE-787, CWE-120) in the Modicon PAC web server, allowing command execution or data corruption on the controller.
Prerequisites
  • Valid web server credentials or authenticated session on the PAC controller
  • Network access to the Modicon PAC controller's web server port
  • Knowledge of vulnerable web server endpoints
  • Affects authentication-required web interfaces
  • Low complexity exploitation
  • No vendor fix available or planned
  • Affects legacy/end-of-life controllers still in operation
  • Buffer overflow and out-of-bounds write vulnerabilities
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (12)
2 pending, 10 EOL
Product | Affected Versions | Fix Status
Premium communication modules: TSXETY4103 all versions | TSXETY4103 * | No fix yet
Premium communication modules: TSXETY5103 all versions | TSXETY5103 * | No fix yet
M340 Communication Ethernet modules BMX NOE 0100 (H): all versions | All versions | No fix (EOL)
M340 Communication Ethernet modules BMX NOE 0110 (H): all versions | All versions | No fix (EOL)
Quantum communication modules 140NOC78x00: all versions | All versions | No fix (EOL)
M340 CPUs BMX P34x: all versions | All versions | No fix (EOL)
Quantum communication modules 140NOE771x1: all versions | All versions | No fix (EOL)
M340 Communication Ethernet modules BMX NOR 0200H: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Disable FTP via Unity Pro or EcoStruxure Control Expert (disabled by default in new applications)
  • HARDENING: Configure access control lists using EcoStruxure Control Expert to restrict who can reach the web server
  • HARDENING: Implement network firewall rules to block all unauthorized access to port 21 (FTP) and web server ports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor for and report suspected malicious activity to CISA
Mitigations - no patch available
The following products have reached End of Life with no planned fix: M340 Communication Ethernet modules BMX NOE 0100 (H): all versions, M340 Communication Ethernet modules BMX NOE 0110 (H): all versions, Quantum communication modules 140NOC78x00: all versions, M340 CPUs BMX P34x: all versions, Quantum communication modules 140NOE771x1: all versions, M340 Communication Ethernet modules BMX NOR 0200H: all versions, M340 Communication Ethernet modules BMX NOC 0401: all versions, Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx: all versions, Quantum communication modules 140NOC77101: all versions, Premium processors with integrated Ethernet COPRO TSXP574634 TSXP575634 TSXP576634: all versions. Apply the following compensating controls:
  • HARDENING: Place PAC controller networks behind firewalls and segment them from the business/office network
  • HARDENING: Minimize direct Internet exposure of control system devices; use VPN with secure authentication if remote access is required