OTPulse

EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and RemoteConnect™

Plan Patch | CVSS 8.6 | SEVD-2020-343-01 | Dec 8, 2020
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in EcoStruxure Control Expert, EcoStruxure Process Expert DCS, and RemoteConnect allows code execution or software crash when a user opens a malicious project file. EcoStruxure Control Expert (formerly Unity Pro) is used to design and maintain applications for Modicon M340, M580, Momentum, Premium, and Quantum PLCs. EcoStruxure Process Expert is a distributed control system (DCS) for plant automation. RemoteConnect is a Windows application for programming SCADAPack x70 RTU series (470, 474, 570, 574, 575). The vulnerability is triggered by opening a crafted project file, which could allow an attacker to crash the software or execute code on the engineering workstation. EcoStruxure Control Expert v15.0 SP1 includes a fix via a file encryption feature. EcoStruxure Process Expert and RemoteConnect have no fix available.

What this means
What could happen
An attacker who tricks an engineer into opening a malicious project file in EcoStruxure Control Expert, Process Expert, or RemoteConnect could crash the software or execute arbitrary code on the engineering workstation, potentially allowing modification of PLC logic or configuration.
Who's at risk
Engineering teams at water utilities, municipalities, and manufacturing plants using Schneider Electric EcoStruxure Control Expert, Process Expert (DCS), or RemoteConnect software on engineering workstations. This impacts anyone responsible for designing, maintaining, or updating applications for Modicon M340, M580, Momentum, Premium, or Quantum PLCs, as well as SCADAPack x70 RTU series (470, 474, 570, 574, 575) configuration.
How it could be exploited
An attacker crafts a malicious project file (.sta, .sce, or other supported format) and sends it to an engineer, either via email, file sharing, or a compromised repository. When the engineer opens the file in EcoStruxure Control Expert, Process Expert, or RemoteConnect, the malicious content triggers code execution or software crash. From the compromised workstation, the attacker could then modify automation project files, alter PLC configuration, or pivot to connected control systems.
Prerequisites
  • User access to EcoStruxure Control Expert, Process Expert, or RemoteConnect on an engineering workstation
  • Social engineering or supply chain compromise to deliver malicious project file to a trusted engineer
  • Engineer must open the malicious file in the vulnerable software
  • No authentication required to exploit (user interaction via file open)
  • Low complexity attack
  • Default credentials not required
  • File-based attack vector can bypass network controls
  • Affects safety-critical systems (M580 Safety PLCs)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
2 with fix, 2 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Control Expert prior to v15.0 SP1 | <15.0 SP1 | 15.0 SP1
EcoStruxure™ Process Expert all versions | All versions | No fix (EOL)
RemoteConnect™ all versions | All versions | No fix (EOL)
Unity Pro (former name of EcoStruxure™ Control Expert) all versions | All versions | 15.0 SP1
Remediation & Mitigation
Do now
WORKAROUND: Store and exchange project files only through secure channels (encrypted transport, secure repositories) and restrict access to trusted engineers only
WORKAROUND: Instruct engineers to open project files only from trusted sources and verify file integrity before opening
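
One way to carry out the "verify file integrity before opening" workaround, as an added example that is not part of the advisory or of any Schneider Electric tooling: a trusted sender publishes a SHA-256 manifest authenticated with HMAC, and the engineer checks a received project file against it before opening it. The manifest format, the shared key, and all function and file names are assumptions; file contents are constructed.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(files, key: bytes):
    """Run by the trusted sender: returns (manifest bytes, hex HMAC tag)."""
    digests = {Path(p).name: sha256_file(Path(p)) for p in files}
    body = json.dumps(digests, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def check_before_open(path, manifest: bytes, tag: str, key: bytes) -> str:
    """Return 'ok' only if the manifest is authentic and the file matches it."""
    expected_tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return "manifest-tampered"   # do not trust any digest in it
    listed = json.loads(manifest).get(Path(path).name)
    if listed is None:
        return "not-listed"          # file did not come from the trusted sender
    if not hmac.compare_digest(listed, sha256_file(Path(path))):
        return "hash-mismatch"       # file changed after the manifest was built
    return "ok"

def demo():
    key = b"constructed-demo-key"    # assumption: shared out of band
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "pump_station.sta"          # constructed sample file
        good.write_bytes(b"constructed project bytes")
        manifest, tag = build_manifest([good], key)
        results = {"clean": check_before_open(good, manifest, tag, key)}
        good.write_bytes(b"constructed project bytes, modified in transit")
        results["modified"] = check_before_open(good, manifest, tag, key)
        stray = Path(d) / "from_email.sce"           # never listed by the sender
        stray.write_bytes(b"constructed unknown file")
        results["unlisted"] = check_before_open(stray, manifest, tag, key)
        forged = manifest.replace(b"pump_station", b"pump_statiom")
        results["forged_manifest"] = check_before_open(good, forged, tag, key)
    return results

if __name__ == "__main__":
    print(demo())
```

A passing check shows only that the file is byte-for-byte what the trusted sender listed; it says nothing about a file that was already malicious when the manifest was built.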
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Control Expert to version 15.0 SP1 or later
HARDENING: Enable file encryption feature in EcoStruxure Control Expert v15.0 SP1 for all new projects by default and retroactively for existing trusted projects
WORKAROUND: Encrypt project files at rest when stored on shared drives or external media
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EcoStruxure™ Process Expert all versions, RemoteConnect™ all versions. Apply the following compensating controls:
HARDENING: Apply security levels to Derived Function Blocks (DFB) in addition to file encryption for additional protection
EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and RemoteConnect™ | CVSS 8.6 - OTPulse