OTPulse

Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules

Monitor | 6.3 | SEVD-2020-315-01 | Nov 10, 2020
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required

Summary

Schneider Electric Modicon M340, Quantum, and Premium controllers and their Ethernet communication modules contain multiple vulnerabilities in the embedded web server. The flaws include buffer overflow and out-of-bounds memory access issues (CWE-125, CWE-787, CWE-120) that could allow an authenticated attacker to corrupt data in the controller or crash the web server. The vulnerabilities affect the integrated Ethernet communication interfaces and dedicated communication modules used for remote management and monitoring of industrial control systems.

What this means
What could happen
An attacker with user-level access to the web server could corrupt data in the controller's memory or crash the web server, potentially disrupting industrial processes or causing equipment to stop responding.
Who's at risk
Water utilities and municipal electric utilities that use Schneider Electric Modicon M340, Quantum, or Premium controllers with integrated or separate Ethernet communication modules for SCADA systems, process automation, or networked control applications. Also affects manufacturing facilities using these controllers for industrial process control.
How it could be exploited
An attacker must first gain user-level authentication to the web server interface (port 80/443) on the M340, Quantum, or Premium controller or communication module. Once authenticated, the attacker can send specially crafted requests that exploit buffer overflow or out-of-bounds memory access flaws to write arbitrary data or execute commands on the device.
Prerequisites
  • Network access to the web server port (typically 80 or 443)
  • Valid user credentials to authenticate to the web server
  • Knowledge of the affected device model and firmware version
  • remotely exploitable
  • requires authentication
  • medium CVSS score (6.3)
  • affects process automation controllers
  • no patches available for Premium and Quantum product lines
  • buffer overflow vulnerability
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (9)
5 with fix, 4 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| M340 CPUs BMXP34x <3.40 | <3.40 | 3.40 |
| M340 Communication Ethernet Modules BMXNOR0200H | <1.7 IR 23 | 1.7 IR 23 |
| M340 X80 Communication Ethernet Modules BMXNOC0401 | <2.11 | 2.11 |
| M340 Communication Ethernet modules | <SV03.50 | SV03.50 |
| M340 Communication Ethernet modules | <SV06.70 | SV03.50 |
| Premium processors with integrated Ethernet COPRO all versions | All versions | No fix (EOL) |
| Premium communication modules all versions | All versions | No fix (EOL) |
| Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx all versions | All versions | No fix (EOL) |

Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the web server ports on Modicon controllers to trusted engineering workstations and management networks only
  • WORKAROUND: Disable the web server interface if not required for operations
  • HARDENING: Enforce strong, unique passwords for all web server user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update M340 CPUs to firmware version 3.40 or later
  • HOTFIX: Update M340 Communication Ethernet Module BMXNOR0200H to firmware version 1.7 IR 23 or later
  • HOTFIX: Update M340 X80 Communication Ethernet Module BMXNOC0401 to firmware version 2.11 or later
  • HOTFIX: Update M340 Communication Ethernet Module BMXNOE0100(H) to firmware version SV03.50 or later
  • HOTFIX: Update M340 Communication Ethernet Module BMXNOE0110(H) to firmware version SV06.70 or later
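
To apply the firmware thresholds above to an asset inventory, the following added example (not part of the advisory or any Schneider Electric tool) sorts each device into update, no-fix, ok, or unknown. The inventory entries are constructed, the model-prefix matching and the numeric ordering of version strings are assumptions, and Premium parts fall through to "unknown" because the page lists no model prefix for them.

```python
import re

# Fixed firmware per the advisory's remediation list; None = no fix listed (EOL).
FIXED_IN = {
    "BMXP34": "3.40",
    "BMXNOR0200H": "1.7 IR 23",
    "BMXNOC0401": "2.11",
    "BMXNOE0100": "SV03.50",
    "BMXNOE0110": "SV06.70",
    "140CPU65": None,
}

def version_key(text):
    """Assumed ordering: numeric fields compared left to right, '1.7 IR 23' -> (1, 7, 23)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if not nums:
        raise ValueError(f"no version digits in {text!r}")
    return nums

def triage(model, firmware):
    """Return (status, detail) for one inventory entry."""
    model = model.upper().replace(" ", "")
    # Longest-prefix match so BMXNOE0110H maps to BMXNOE0110, BMXP342020 to BMXP34.
    prefix = max((p for p in FIXED_IN if model.startswith(p)), key=len, default=None)
    if prefix is None:
        return ("unknown", "model not in advisory table; check manually")
    fixed = FIXED_IN[prefix]
    if fixed is None:
        return ("no-fix", "EOL: restrict or disable the web server")
    try:
        current = version_key(firmware)
    except ValueError:
        return ("unknown", "firmware string unreadable; check manually")
    if current < version_key(fixed):
        return ("update", f"update to {fixed} or later")
    return ("ok", f"at or above {fixed}")

# Constructed sample inventory (not real devices).
INVENTORY = [
    ("pump-plc-1", "BMXP342020", "3.20"),
    ("pump-plc-2", "BMXP342020", "3.40"),
    ("rtu-gw", "BMXNOR0200H", "1.7 IR 19"),
    ("noe-a", "BMXNOE0110H", "SV06.70"),
    ("legacy-q", "140CPU65160", "3.50"),
]

if __name__ == "__main__":
    for name, model, fw in INVENTORY:
        print(name, model, fw, *triage(model, fw))
```

Devices reported as "no-fix" or "unknown" still need the network restriction and web server workaround from the "Do now" list.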