Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules

Plan PatchCVSS 8.2SEVD-2020-343-04Dec 8, 2020

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric has identified a vulnerability in the web server component of Modicon M340, Modicon Quantum, and Modicon Premium controllers and their associated communication modules. The vulnerability allows unauthenticated remote execution of arbitrary commands via the web server, potentially leading to loss of availability and integrity of the affected controller. Firmware patches are available for most affected modules, though Modicon M340 CPUs and certain Quantum communication modules will not receive patches.

What this means

What could happen

An unauthenticated attacker with network access to the web server could execute arbitrary commands on Modicon controllers, potentially disrupting process control and compromising the availability and integrity of industrial automation systems.

Who's at risk

This vulnerability affects Schneider Electric Modicon programmable logic controllers and communication modules used in energy and manufacturing sectors. Specifically impacted are: Modicon M340 CPUs and Ethernet communication modules (BMXNOE0100, BMXNOE0110, BMXNOC0401), Modicon Quantum processors and communication modules (140CPU65xx0, 140NOE771x1, 140NOC78x00, 140NOC77101), Modicon Premium processors and communication modules (TSXETY4103, integrated Ethernet COPRO), and Modicon X80 RTU modules. Any organization using these controllers for process automation, water treatment, power distribution, or manufacturing should assess their inventory.

How it could be exploited

An attacker on the network sends a crafted HTTP request to the web server port of a Modicon M340, Quantum, or Premium controller (typically port 80 or 443). The web server processes the request without requiring authentication and executes the embedded command, gaining command execution on the controller itself.

Prerequisites

Network access to the Modicon controller's web server port (HTTP/HTTPS)
The web server on the affected controller must be enabled and accessible from the attacker's network position
No valid credentials required

remotely exploitableno authentication requiredlow complexityno patch available for M340 CPUs and some Quantum modulesaffects industrial process control

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (12)

8 with fix4 EOL

ProductAffected VersionsFix Status

Modicon M340 CPUs all<3.30No fix (EOL)

Modicon Quantum communication modules 140NOE771x1, prior to V7.1<7.1No fix (EOL)

Modicon Quantum communication modules 140NOC78x00, prior to V1.74<1.74No fix (EOL)

Modicon Quantum communication modules 140NOC77101, prior to V1.08<1.08No fix (EOL)

Modicon M340 Ethernet Communication modules BMXNOE0100 (H) all<3.33.3

Modicon M340 Ethernet Communication modules BMXNOE0110 (H) all<6.53.3

Modicon M340 Ethernet Communication modules BMXNOC0401 (H) all<2.103.3

Modicon Premium communication modules TSXETY4103 prior to V6.2<6.26.2

Remediation & Mitigation

0/13

Do now

0/2

HARDENINGImplement network segmentation to restrict access to the web server port on Modicon controllers from untrusted networks

WORKAROUNDDisable the web server on Modicon controllers if it is not required for operational needs

Schedule — requires maintenance window

0/11

Patching may require device reboot — plan for process interruption

CVEs (1)

CVE-2020-7540

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6d4791cd-de7f-4322-8819-991b85b2d634

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.