Schneider Electric Modicon Controllers and Software (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-21-194-02Sep 8, 2020

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Schneider Electric Modicon controllers and EcoStruxure software allow arbitrary code execution and compromise of project file confidentiality and integrity. Affected products include Modicon M340 and M580 CPUs (all versions), EcoStruxure Process Expert (all versions), EcoStruxure Control Expert (versions prior to and including 15.0 SP1), and SCADAPack RemoteConnect for x70 (all versions). The vulnerabilities involve improper authentication (CWE-290), insecure deserialization (CWE-502), and insufficient cryptographic protection (CWE-311, CWE-522).

What this means

What could happen

An attacker with network access could execute arbitrary code on your Modicon PLC controllers or engineering workstations, potentially altering process logic, changing setpoints, stopping operations, or stealing your proprietary automation project files. This affects both control of industrial processes and the integrity of your engineering designs.

Who's at risk

Water utilities and municipal electric utilities operating Schneider Electric Modicon control systems should prioritize this advisory. Specifically: operators of M340 and M580 PLCs used in SCADA systems, water treatment automation, power distribution control, and pump/motor control stations; engineering staff using EcoStruxure Control Expert or Process Expert for programming and monitoring; and any facility with remote monitoring via SCADAPack RemoteConnect for x70 systems.

How it could be exploited

An attacker on your network (or with access through an exposed internet connection) can send a specially crafted message to a vulnerable Modicon controller or connect to an EcoStruxure software instance to trigger code execution. No user interaction or valid credentials are required. The attacker could then modify running processes or extract project files containing proprietary process logic.

Prerequisites

Network access to the Modicon controller or EcoStruxure software (port and protocol depend on specific product, but typically Modbus TCP or proprietary protocols)
No authentication required
Controller or software must be reachable from attacker's network location

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS (9.8)No patch availableAffects safety-critical control systems

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (16)

10 with fix6 EOL

ProductAffected VersionsFix Status

SCADAPack x70 Security Administrator V1.2.0 and prior≤ 1.2.01.6.2

SCADAPack x70 Remote Connect V3.6.3.574 and prior≤ 3.6.3.5743.7.3.904

EcoStruxure Process Expert: allAll versionsNo fix (EOL)

EcoStruxure Control Expert: v15.0 SP115.0 SP1No fix (EOL)

EcoStruxure Control Expert: all< 15.0 SP1No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGIsolate all Modicon controllers and EcoStruxure software from direct internet exposure. Verify no port forwarding or direct routes exist from external networks to these devices.

WORKAROUNDImplement firewall rules to block unauthorized network access to Modicon controllers and EcoStruxure systems. Restrict access to only authorized engineering workstations and HMI systems on the control network.

HARDENINGReview all remote access accounts and credentials for EcoStruxure software and Modicon systems. Disable any unused or default accounts.

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGIf remote access is required, deploy a VPN with strict access controls and keep all VPN software and underlying operating systems patched to the latest versions. Verify VPN is not directly connecting external users to the control network.

HARDENINGMonitor for suspicious network traffic to Modicon controllers and EcoStruxure systems. Log and alert on unexpected connections or unusual command sequences.

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: EcoStruxure Process Expert: all, EcoStruxure Control Expert: v15.0 SP1, EcoStruxure Control Expert: all, Modicon M580 CPU (part numbers BMEP* and BMEH*): all versions, SCADAPack RemoteConnect for x70: all versions, Modicon M340 CPU (part numbers BMXP34*): all versions. Apply the following compensating controls:

HARDENINGPhysically or logically segment your control network from your business/IT network using a demilitarized zone (DMZ) or air-gapped network design.

CVEs (10)

CVE-2020-7530 CVE-2020-7531 CVE-2020-7529 CVE-2020-7532 CVE-2021-22778 CVE-2021-22779 CVE-2020-12525 CVE-2021-22780 CVE-2021-22781 CVE-2021-22782

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2c941f31-643f-4a6e-a8d2-192687ebcf0b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.