OTPulse

Wind River VxWorks Vulnerabilities (URGENT/11)

Low Risk · SESB-2019-214-01 · Aug 2, 2019
Summary

Wind River VxWorks TCP/IP stack contains critical vulnerabilities (URGENT/11 group) that affect numerous Schneider Electric industrial control products. These vulnerabilities allow remote code execution on affected devices over TCP/IP networks. The vulnerabilities stem from flaws in VxWorks' network stack implementation and impact PLCs (Modicon M580, M241, M251, M262, MC80, Momentum), RTU controllers (SCADAPack, Nanodac, SCD6000, Tricon), protective relays (Easergy series), human-machine interfaces (Magelis, Pro-face), and network infrastructure (ConneXium firewalls). Many products do not have patches available, particularly older or end-of-life product lines. Schneider Electric is working to remediate current and future products and recommends implementing network segmentation, firewall restrictions, and physical access controls for at-risk systems.

What this means
What could happen
Multiple Schneider Electric PLCs, RTUs, HMIs, and industrial controllers using Wind River VxWorks are vulnerable to TCP/IP stack exploits that could allow an attacker to run code on critical automation devices. An attacker could alter process parameters, stop operations, or compromise safety-critical controllers if they reach these devices over the network.
Who's at risk
This advisory affects water utilities, electric utilities, and manufacturing plants that use Schneider Electric industrial automation equipment, including: Modicon M580 safety-critical PLCs, Modicon Quantum RTU controllers, Modicon M241/M251/M262 micro PLCs, Tricon control modules, Nanodac data recorders, SCADAPack RTUs, Easergy power quality relays, Magelis HMI touchscreens, Pro-face industrial displays, ConneXium industrial firewalls and switches, and various I/O modules. The vulnerability is in the underlying Wind River VxWorks TCP/IP stack used across these product lines.
How it could be exploited
An attacker with network access to a vulnerable device's IP address and open TCP/IP ports (typically 502 for Modbus, 80 for HTTP, or other standard ports) can send malformed packets or crafted requests to the VxWorks TCP/IP stack to trigger remote code execution. No authentication is required if the device is exposed on an accessible network segment.
Prerequisites
  • Network access to the device's IP address and listening TCP/IP port
  • Device must be running vulnerable VxWorks version (no authentication required)
  • Device must be on a network segment reachable from attacker (not air-gapped)
  • remotely exploitable
  • no authentication required
  • actively exploited (URGENT/11 exploits are known)
  • affects multiple safety-critical controllers
  • widespread impact across product portfolio
  • majority of products have no patch available
  • low network access complexity
Affected products (78)
12 with fix, 66 pending

Product | Affected Versions | Fix Status
Modicon M580 ePAC CPUs including Safety CPUs (BMEH584040S), V2.90 and prior | ≤ 2.90 | No fix yet
CANopen X80 Communication Module (BMECXM0100), all versions | All versions | No fix yet
ConneXium Industrial Firewall/Router TCSEFEC2CF3F21 (MM/TX), TCSEFEC23FCF21 (TX/MM), TCSEFEC23F3F21 (TX/TX), V5.33 and prior | ≤ 5.33 | No fix yet
ConneXium Industrial Firewall TCSEFEC2CF3F20 (MM/TX), TCSEFEC23FCF20 (TX/MM), TCSEFEC23F3F20 (TX/TX) | ≤ 5.24 | No fix yet
E+PLC100 Combination PLC firmware V1.2.0.4 and prior | ≤ 1.2.0.4 | 1.3.0.0
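A practitioner working this advisory usually needs to match an asset inventory against the affected-products table. The script below is an added example (not OTPulse or Schneider Electric code): it encodes the five table rows shown on this page and flags each constructed inventory entry as vulnerable, fixable, or out of scope. It assumes dotted firmware versions compare as integer components, so "002.100.000" equals "2.100.0".

```python
"""Check a device inventory against the URGENT/11 affected-products table."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Affected:
    product: str                  # part number as listed in the advisory
    max_affected: Optional[str]   # highest affected version; None = all versions
    fix: Optional[str]            # fixed version; None = no fix yet

# Rows from the table excerpt above (one part number per ConneXium row;
# the sibling TX/MM and TX/TX variants share the same version bounds).
AFFECTED = [
    Affected("BMEH584040S", "2.90", None),     # Modicon M580 ePAC incl. Safety CPUs
    Affected("BMECXM0100", None, None),        # CANopen X80 module, all versions
    Affected("TCSEFEC2CF3F21", "5.33", None),  # ConneXium firewall/router
    Affected("TCSEFEC2CF3F20", "5.24", None),  # ConneXium firewall
    Affected("E+PLC100", "1.2.0.4", "1.3.0.0"),
]

def parse_version(v: str) -> tuple:
    """'V2.90' -> (2, 90); '002.100.000' -> (2, 100, 0); non-numeric parts -> 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().lstrip("Vv").split("."))

def cmp_versions(a: str, b: str) -> int:
    """Compare two version strings component-wise, padding the shorter with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)

def assess(product: str, version: str) -> dict:
    """Return the advisory status and recommended action for one inventory entry."""
    for row in AFFECTED:
        if row.product != product:
            continue
        if row.max_affected is not None and cmp_versions(version, row.max_affected) > 0:
            return {"status": "not affected", "action": "none"}
        if row.fix:
            return {"status": "vulnerable", "action": f"update to {row.fix} in a maintenance window"}
        return {"status": "vulnerable", "action": "no fix: restrict inbound access to authorized hosts"}
    return {"status": "not in advisory", "action": "none"}

# Constructed sample inventory: (asset name, part number, firmware version).
INVENTORY = [
    ("plc-line1", "BMEH584040S", "V2.80"),
    ("plc-line2", "BMEH584040S", "V3.10"),
    ("canopen-x80", "BMECXM0100", "1.0"),
    ("fw-cell3", "TCSEFEC2CF3F20", "5.24"),
    ("eplc-pack", "E+PLC100", "1.3.0.0"),
]

def report(inventory=INVENTORY) -> list:
    """Assess every inventory entry; returns (name, status, action) tuples."""
    return [(n, assess(p, v)["status"], assess(p, v)["action"]) for n, p, v in inventory]

if __name__ == "__main__":
    for name, status, action in report():
        print(f"{name:12} {status:16} {action}")
```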
Remediation & Mitigation
Do now
WORKAROUND: Place firewall rules or access control lists that restrict inbound connections to Modicon, Momentum, and other affected controllers to only authorized engineering workstations or SCADA servers
WORKAROUND: Disable or restrict remote access to affected devices that lack available patches until patches can be deployed
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Easergy T300 (SC150 & LV150) Firmware 1.5.2 and earlier
HOTFIX: Update Easergy T300 (SC150 & LV150) to firmware 2.7 or later

PM8000 MID (METSEPM82401) V002.100.000 firmware
HOTFIX: Update PM8000 MID (METSEPM82401) to firmware 002.002.001 or later

TeSys island
HOTFIX: Update TeSys island to firmware 02.0100 or later (TeSysisland_002.100.013.sedp or newer)

ConneXium Industrial Firewall/Router TCSEFEC2CF3F21 (MM/TX), TCSEFEC23FCF21 (TX/MM), TCSEFEC23F3F21 (TX/TX) V5.33 and prior
HOTFIX: Update ConneXium Industrial Firewall/Router TCSEFEC2CF3F21 (MM/TX), TCSEFEC23FCF21 (TX/MM), TCSEFEC23F3F21 (TX/TX) to firmware version 5.37 or later

All products
HOTFIX: Update E+PLC100 firmware to version 1.3.0.0 or later
HOTFIX: Update E+PLC400 firmware to version 1.3.0.0 or later
HOTFIX: Update Modicon M580 IEC 61850 module (BMENOP0300) to firmware 2.2 or later
HOTFIX: Update Modicon MC80 PLC to firmware version 1.5 or later
HOTFIX: Update Modicon Momentum Unity to SV2.10 or later
HOTFIX: Update Nanodac Recorder/Controller to firmware 8.16 or later
HOTFIX: Update SCD6000 Industrial RTU to firmware 7.0.36 SY-1101207_G18 or later
HOTFIX: Update versadac Scalable Data Recorder to firmware 2.41 or later
HOTFIX: Update Easergy P5 to firmware 01
Long-term hardening
HARDENING: Segment industrial control networks so that PLCs, RTUs, and HMIs are not directly reachable from corporate networks or the internet
HARDENING: For devices with no fix available, implement network access controls to limit exposure until the vendor provides guidance or a replacement timeline