OTPulse

Modicon M100/M200/M221 Programmable Logic Controller

Monitor | CVSS 7.1 | SEVD-2020-315-05 | Nov 10, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary

The Modicon M100, M200, and M221 Nano Programmable Logic Controllers contain multiple vulnerabilities related to weak cryptographic practices and insufficient authentication mechanisms (CWE-326, CWE-334, CWE-311, CWE-200, CWE-760). These devices are susceptible to authentication replay attacks, whereby an attacker who captures network traffic between a programming workstation and the PLC can replay the authentication sequence to gain unauthorized control. This could allow an attacker to reprogram the PLC or alter its operation without legitimate credentials. Schneider Electric has not released patches for any of the affected product lines and does not plan to address these vulnerabilities with firmware updates.

What this means
What could happen
An attacker who gains network access to a Modicon M100, M200, or M221 PLC could replay captured authentication sequences to bypass authentication and take control of the controller, potentially altering automation logic or stopping critical machine processes.
Who's at risk
Facilities operating Modicon M100, M200, or M221 Nano PLCs for machine automation should be concerned. These are commonly found in manufacturing plants, water/wastewater treatment facilities, and power generation environments controlling critical automation tasks. Any organization using these PLCs for process control or safety functions is affected.
How it could be exploited
An attacker captures authentication traffic between a programming workstation and the PLC (e.g., via network sniffing or man-in-the-middle position on the local network). The attacker then replays the captured authentication sequence to authenticate as a legitimate user and send commands to reprogram the PLC or alter its operation.
Prerequisites
  • Network access to the PLC on the same local network segment or via a routed connection
  • Ability to capture or intercept network traffic between programming workstation and PLC
  • Knowledge of the PLC's network address and communication protocol
  • No patch available
  • Weak authentication mechanism (susceptible to replay attacks)
  • Affects critical control logic in operational equipment
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
Modicon M100 all references all versions | All versions | No fix (EOL)
Modicon M200 all references all versions | All versions | No fix (EOL)
Modicon M221 all references all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Place all Modicon M100/M200/M221 controllers in locked cabinets and never leave them in 'Program' mode
HARDENING: Locate control and safety system networks behind firewalls and isolate them completely from the business network
HARDENING: Minimize network exposure for all Modicon M100/M200/M221 devices and ensure they are not accessible from the Internet
HARDENING: Never connect programming software to any network other than the network intended for that device
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: When remote access is required, use secure methods such as Virtual Private Networks (VPNs) and maintain VPNs at the most current version available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon M100 all references all versions, Modicon M200 all references all versions, Modicon M221 all references all versions. Apply the following compensating controls:
HARDENING: Install physical controls to prevent unauthorized personnel access to industrial control systems, components, and networks
HARDENING: Scan all methods of mobile data exchange with the isolated network (CDs, USB drives) before use on any node connected to control networks
HARDENING: Never allow mobile devices that have connected to other networks to connect to safety or control networks without proper sanitation