GoAhead Web Server vulnerability
Plan Patch | 7.5 | SEVD-2015-344-01 | Dec 15, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in the GoAhead web server embedded in Schneider Electric M340 Ethernet and processor modules. The vulnerability allows remote attackers without authentication to crash the web server process via a specially crafted HTTP request, making the device's web interface unavailable. Affected product families include BMXNOC0401, BMXNOE0100/0100H/0110/0110H, BMXNOR0200/0200H, BMXP342020/342020H/342030/3420302/3420302H, and BMXPRA0100.
What this means
What could happen
A remotely accessible denial-of-service vulnerability in the GoAhead web server embedded in Schneider M340 network modules could allow an attacker to crash the device's web interface, interrupting remote access to critical automation control systems and potentially affecting operator visibility and emergency response.
Who's at risk
Energy and utility operators using Schneider Electric M340 automation platforms should assess their use of Ethernet modules (BMXNOC, BMXNOE, BMXNOR families) and processor modules (BMXP family) that run embedded web servers for remote PLC management and monitoring. Any facility with these modules exposed to plant network access is affected.
How it could be exploited
An attacker with network access to the web server port on an affected Ethernet or processor module can send a specially crafted request that causes the GoAhead web server process to stop responding. This renders the device's web-based management interface unavailable, blocking operators and engineers from remotely monitoring or controlling the PLC via the web interface.
Prerequisites
- Network-reachable access to the affected module's web server port (typically port 80/443)
- No authentication required; the vulnerability is pre-authentication
- Module must be running an affected firmware version
- Remotely exploitable
- No authentication required
- Low complexity attack
- Proof of concept exploit publicly available
- Affects operator visibility and remote PLC management
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (13)
12 with fix, 1 EOL
Product                        Affected Versions   Fix Status
BMXNOC0401 prior to v2.09      <v2.09              v2.09
BMXNOE0100 prior to v3.10      <v3.10              v3.10
BMXNOE0100H prior to v3.10     <v3.10              v3.10
BMXNOE0110 prior to v6.30      <v6.30              No fix (EOL)
BMXNOE0110H prior to v6.30     <v6.30              v6.30
BMXNOR0200 prior to v1.70      <v1.70              v1.70
BMXNOR0200H prior to v1.70     <v1.70              v1.70
BMXP342020 prior to v2.80      <v2.80              v2.80
Remediation & Mitigation
Do now
- WORKAROUND: For BMXNOE0110 (no fix available), implement network segmentation to restrict web server access to trusted engineering workstations or administrative networks only
- HARDENING: Implement firewall rules to limit access to web server ports on affected modules to necessary personnel and systems only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade BMXNOC0401 firmware to v2.09 or later
- HOTFIX: Upgrade BMXNOE0100 and BMXNOE0100H firmware to v3.10 or later
- HOTFIX: Upgrade BMXNOE0110H firmware to v6.30 or later
- HOTFIX: Upgrade BMXNOR0200 and BMXNOR0200H firmware to v1.70 or later
- HOTFIX: Upgrade BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, and BMXPRA0100 firmware to v2.80 or later
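The fix versions above can be checked against an asset inventory to decide, per module, whether to patch, restrict access, or follow up by hand. The following Python is an added example, not part of the advisory or any Schneider Electric tooling; the inventory rows and asset tags are constructed, and it assumes firmware versions are reported with a two-digit minor as written in the advisory (v2.09, v3.10).

```python
import re

# Minimum fixed firmware per product, as listed in the advisory.
FIXED = {
    "BMXNOC0401": "2.09",
    "BMXNOE0100": "3.10", "BMXNOE0100H": "3.10",
    "BMXNOE0110H": "6.30",
    "BMXNOR0200": "1.70", "BMXNOR0200H": "1.70",
    "BMXP342020": "2.80", "BMXP342020H": "2.80", "BMXP342030": "2.80",
    "BMXP3420302": "2.80", "BMXP3420302H": "2.80", "BMXPRA0100": "2.80",
}
# Affected below this version, but end-of-life: no fixed firmware to move to.
NO_FIX = {"BMXNOE0110": "6.30"}

def parse_version(text):
    """Turn 'v2.09' or '2.09' into (2, 9); raise ValueError otherwise."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, firmware):
    """Return the action the advisory implies for one module."""
    model = model.strip().upper()
    bound = FIXED.get(model) or NO_FIX.get(model)
    if bound is None:
        return "not listed"
    try:
        installed = parse_version(firmware)
    except ValueError:
        return "check manually"          # unknown version: treat as unresolved
    if installed >= parse_version(bound):
        return "ok"
    if model in NO_FIX:
        return "restrict web access (no fix, EOL)"
    return f"upgrade to v{bound} or later"

# Constructed inventory rows: (asset tag, model, reported firmware).
INVENTORY = [
    ("PLC-01", "BMXP342020", "v2.70"),
    ("PLC-02", "BMXNOE0100H", "v3.10"),
    ("PLC-03", "BMXNOE0110", "v6.20"),
    ("PLC-04", "bmxnor0200", "unknown"),
]

def report(rows):
    return [(tag, triage(model, fw)) for tag, model, fw in rows]

if __name__ == "__main__":
    for tag, action in report(INVENTORY):
        print(f"{tag}: {action}")
```

Modules whose version string cannot be parsed are reported as "check manually" rather than assumed patched, so gaps in the inventory stay visible.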
CVEs (1)