OTPulse

Treck TCP/IP Vulnerabilities (Ripple20)

Act Now · sevd-2020-175-01 · Jun 23, 2020
Summary

Schneider Electric products contain multiple vulnerabilities in the embedded Treck TCP/IP stack (Ripple20 family of flaws disclosed June 2020). These vulnerabilities affect Altivar variable frequency drives (machine and process models), TM3BC bus couplers, SCADAPack 32 RTU, Acti9 smart metering and building control modules, PowerLogic gateways, circuit breaker Ethernet interfaces, and motor controllers. Affected firmware versions range from legacy releases through recent versions depending on product line. Ripple20 flaws include out-of-bounds writes, DNS rebinding, and TCP option parsing defects that can result in remote code execution or denial of service. The vulnerabilities are actively exploited in the wild and require no authentication to attack.

What this means
What could happen
Ripple20 TCP/IP stack vulnerabilities could allow attackers to remotely execute code on network-connected Schneider Electric devices, potentially altering drive setpoints, stopping motors or process equipment, or disrupting SCADA communications in energy and manufacturing facilities.
Who's at risk
Energy utilities and manufacturing facilities using Schneider Electric Altivar drives (machine and process variants), TM3BC bus couplers, SCADAPack RTUs, Acti9 smart metering modules, PowerLogic gateways, circuit breaker interfaces, and building controls. Anyone operating these devices on networks reachable from the internet or untrusted network segments should prioritize immediate action.
How it could be exploited
An attacker who reaches one of the affected devices over the network (via Ethernet or Modbus TCP) can craft malicious packets targeting known TCP/IP stack flaws to execute arbitrary code or cause denial of service. No authentication is required. The device needs only to be reachable on the network segment.
Prerequisites
  • Network reachability to affected device on Ethernet or Modbus TCP port
  • No authentication required to exploit the TCP/IP stack vulnerabilities
  • remotely exploitable
  • no authentication required
  • low complexity attack
  • actively exploited (KEV)
  • high EPSS score (58%)
  • affects multiple critical OT device categories
  • majority of affected products have no vendor fix available
  • affects energy sector safety-related equipment
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (36)
12 with fix · 24 pending

Product | Affected Versions | Fix Status
TM3BC bus coupler module - SL prior to V2.1.1.1 | < 2.1.1.1 | 2.1.1.1
TM3BC bus coupler module - CANOpen prior to V2.1.1.1 | < 2.1.1.1 | 2.1.1.1
VW3A3310 Altivar 61/71 Modbus TCP option | ≤ 2.1IE09 | No fix yet
VW3A3310D Altivar 61/71 Ethernet daisy chain option | ≤ 3.0IE11 | No fix yet
VW3A3320 Altivar 61/71 Ethernet IP RSTP option | ≤ V1.1IE19 | No fix yet
Remediation & Mitigation
Do now
Wiser Energy IP module by Schneider Electric (EER31800)
  • HOTFIX: Update Wiser Energy IP module (EER31800) to firmware version 6.2 or later
Wiser Energy IP module by Clipsal (EER72600)
  • HOTFIX: Update Wiser Energy IP module by Clipsal (EER72600) to firmware version 6.2 or later
Gateway Connector by Elko (EKO01827)
  • HOTFIX: Update Gateway Connector by Elko (EKO01827) to firmware version 6.2 or later
All products
  • HOTFIX: Update TM3BC bus coupler modules (SL and CANOpen variants) to firmware version 2.1.1.1 or later
  • HOTFIX: Update ATV340E Altivar Machine Drives to firmware version 3.2IE25 or later
  • HOTFIX: Update ATV630/650/660/680/6A0/6B0 Altivar Process Drives to firmware version 3.3IE26 or later
  • HOTFIX: Update ATV930/950/960/980/9A0/9B0 Altivar Process Drives to firmware version 3.3IE26 or later
  • HOTFIX: Update ATV6000 Medium Voltage Altivar Process Drives to firmware version 1.6IE01 or later
  • HOTFIX: Update SCADAPack 32 RTU to firmware version 2.25 or later using Telepace Studio 5.4.2 or newer
  • HOTFIX: Update TM3BC bus coupler module (EIP variant) to firmware version 2.2.1.1 or later
  • HOTFIX: Update Acti9 PowerTag Link C to firmware version V6.2 or later
  • HARDENING: Place industrial systems and remotely accessible devices behind firewalls to limit network exposure
  • HARDENING: Prevent mission-critical systems from being accessed from outside your facility network
  • WORKAROUND: For products with no fix available, apply network segmentation to isolate Treck-based devices from untrusted networks
Long-term hardening
  • HARDENING: Implement physical controls to prevent unauthorized access to affected devices
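As an added example, not part of the OTPulse advisory or any Schneider tooling, the Python below triages an asset inventory against the fixed firmware versions in the remediation list above, so a defender can see which devices still need a hotfix and which must fall back to segmentation. The version parser and its rule that the IE suffix orders builds within one dotted release are assumptions, and the inventory is constructed.

```python
import re
# Minimum fixed firmware per product family, copied from the remediation list
# above; None marks a product the advisory lists as "No fix yet".
FIXED_VERSIONS = {
    "TM3BC bus coupler (SL/CANOpen)": "2.1.1.1",
    "ATV340E Altivar Machine": "3.2IE25",
    "ATV630-6B0 / ATV930-9B0 Altivar Process": "3.3IE26",
    "SCADAPack 32 RTU": "2.25",
    "Acti9 PowerTag Link C": "V6.2",
    "VW3A3310 Altivar 61/71 Modbus TCP option": None,
}
_VERSION_RE = re.compile(r"V?(\d+(?:\.\d+)*)(?:IE(\d+))?", re.IGNORECASE)

def parse_version(v):
    """Parse 'V3.3IE26', '2.1.1.1' or '6.2' into (dotted parts, IE build).
    Assumption: a missing IE suffix counts as build 0, and IE orders builds
    within one dotted release."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)

def compare_versions(a, b):
    """Return -1, 0 or 1 like cmp(); '2.1' compares equal to '2.1.0.0'."""
    (pa, ia), (pb, ib) = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    ka = (pa + (0,) * (n - len(pa)), ia)
    kb = (pb + (0,) * (n - len(pb)), ib)
    return (ka > kb) - (ka < kb)

def assess(product, installed):
    """Classify one inventoried device against the advisory's fix table."""
    if product not in FIXED_VERSIONS:
        return "unknown product"
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return "no fix available: segment from untrusted networks"
    if compare_versions(installed, fixed) >= 0:
        return "patched"
    return f"vulnerable: update to {fixed} or later"

# Constructed sample inventory: (product family, firmware reported by device).
INVENTORY = [
    ("ATV340E Altivar Machine", "3.1IE20"),
    ("VW3A3310 Altivar 61/71 Modbus TCP option", "2.1IE09"),
]

def triage(inventory=INVENTORY):
    return {(p, v): assess(p, v) for p, v in inventory}
```

Feed `triage()` the product family and firmware string reported by each device; a "vulnerable" verdict names the minimum firmware from the hotfix list, and a "no fix available" verdict points at the segmentation workaround.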
API: /api/v1/advisories/9bf856bb-ab7b-4362-b80f-207ffd947631