OTPulse

Modicon M218/M241/M251/M258 Logic Controllers,SoMachine/SoMachine Motion, EcoStruxure™ Machine Expert

MonitorCVSS 5.4SEVD-2020-105-02Apr 14, 2020
Schneider ElectricEnergy
Attack path
Attack VectorAdjacent
Auth RequiredNone
ComplexityHigh
User InteractionRequired
Summary

Schneider Electric has identified multiple vulnerabilities in Modicon M218, M241, M251, M258 logic controllers and associated SoMachine/EcoStruxure Machine Expert programming software. These vulnerabilities are related to insufficient authentication and integrity checking in firmware/configuration handling (CWE-345, CWE-319). Exploitation could result in arbitrary code execution on the controller or denial of service conditions that interrupt process automation. Modicon M218 and SoMachine products have no vendor fix; M241/M251 controllers require firmware update to V5.0.8.4; M258 requires firmware V5.0.4.11 or migration to EcoStruxure Machine Expert v1.2.5.

What this means
What could happen
An attacker with network access to the engineering/programming interface could execute arbitrary code on the controller or cause process shutdown, affecting production control logic and process automation in manufacturing or utility operations.
Who's at risk
Manufacturing and utility operations using Schneider Electric Modicon M218, M241, M251, M258 programmable logic controllers, or SoMachine/EcoStruxure Machine Expert programming software for automation control. This affects production lines, process control systems, and distributed control equipment in energy, pharmaceutical, food processing, and general industrial automation.
How it could be exploited
An attacker on the same network as the programming workstation or engineering interface exploits a lack of proper authentication/integrity checking in the firmware update or configuration mechanism. They can send a specially crafted update or configuration file that bypasses security checks and executes arbitrary code on the controller, or they trigger a denial of service condition that halts process logic execution.
Prerequisites
  • Network access to the programming/engineering interface or update service port on the controller
  • Ability to send or intercept configuration/firmware update traffic
  • User interaction may be required (supervisor must initiate update or accept configuration change)
Remotely exploitable via network interfaceLow complexity attackUser interaction required for exploitationNo fix available for M218 and SoMachine productsAffects safety-critical control logic
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (6)
4 with fix2 EOL
ProductAffected VersionsFix Status
Modicon M251 Logic Controller all<5.0.8.45.0.8.4
Modicon M258 Logic Controller all<5.0.4.115.0.4.11
Modicon M241 Logic Controller all<5.0.8.45.0.8.4
Modicon M218 Logic Controller all versionsAll versionsNo fix (EOL)
SoMachine, SoMachine Motion all versionsAll versionsNo fix (EOL)
EcoStruxure Machine Expert all<1.21.2+
Remediation & Mitigation
0/6
Do now
0/1
WORKAROUNDRestrict network access to the programming/engineering interface port using firewall rules; only allow connections from authorized engineering workstations on a dedicated maintenance VLAN
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXFor Modicon M258: Update firmware to version V5.0.4.11 or later using Schneider Electric Software Update (SESU)
HOTFIXFor Modicon M241 and M251: Update firmware to version V5.0.8.4 or later
HOTFIXFor EcoStruxure Machine Expert: Update to version 1.2 or later
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: Modicon M218 Logic Controller all versions, SoMachine, SoMachine Motion all versions. Apply the following compensating controls:
HARDENINGDisable remote firmware update capability if not required for operations; require local/serial connection for updates only
HARDENINGImplement network segmentation to isolate programming interfaces from general plant network traffic
View full Schneider Electric advisory
API: /api/v1/advisories/7f6b3036-eb3c-400a-ba12-80f8bdcf2bcc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.