OTPulse

SNMP Service on Modicon M340 and Associated Communication Modules

Plan Patch | CVSS 7.5 | SEVD-2020-343-07 | Dec 8, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the SNMP service on Modicon M340 CPUs and associated X80 Ethernet communication modules allows unauthenticated network attackers to modify network configuration parameters. Affected products include M340 CPU BMXP34* series and five models of communication modules (BMXNOE0100, BMXNOE0110, BMXNOR0200H, BMXNOC0401). The vulnerability could result in unexpected modification of network parameters, making targeted devices unreachable and disrupting industrial process control.

What this means
What could happen
An attacker with network access could modify network configuration parameters on affected Modicon M340 controllers or communication modules, potentially making the device unreachable and disrupting control over industrial processes such as power generation, distribution, or manufacturing operations.
Who's at risk
Energy utilities and manufacturing facilities using Schneider Electric Modicon M340 programmable automation controllers (PACs) and M340 X80 Ethernet communication modules for process control, power generation, power distribution, or industrial manufacturing. The vulnerability affects CPU modules and all five models of Ethernet communication modules used for remote monitoring and management.
How it could be exploited
An attacker sends unauthenticated SNMP packets over the network to port 161 on the affected M340 CPU or communication module. The SNMP service improperly validates input, allowing the attacker to modify network settings (IP address, gateway, DNS) without authentication, causing the device to become unreachable and stop responding to control commands.
Prerequisites
  • Network access to UDP port 161 (SNMP) on the affected device
  • Device must be running vulnerable firmware version (M340 CPU <3.30, BMXNOE0100 <3.4, BMXNOE0110 <6.6, BMXNOR0200H <1.7 IR22, BMXNOC0401 <2.11)
  • No authentication required
remotely exploitable | no authentication required | low complexity | affects critical industrial control infrastructure
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
Modicon M340 CPUs BMXP34* | <3.30 | 3.30
Modicon M340 X80 Communication Ethernet modules BMXNOE0100 (H) | <3.4 | 3.4
Modicon M340 X80 Communication Ethernet modules BMXNOE0110 (H) | <6.6 | 6.6
Modicon M340 X80 Communication Ethernet modules BMXNOR0200H | <1.7 IR22 | 1.7 IR22
Modicon M340 X80 Communication Ethernet modules BMXNOC0401 | <2.11 | 2.11
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to UDP port 161 (SNMP) using firewall rules; allow only from trusted engineering workstations and management networks
WORKAROUND: Disable SNMP service on the device if not required for monitoring or management
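
One way to verify the first workaround, as an added example that is not part of the advisory: audit firewall flow records for UDP/161 traffic that reaches M340 assets from sources outside the trusted list. The log format, addresses and subnets are constructed placeholders, and the function name is hypothetical.

```python
import ipaddress
from collections import Counter

# Assumed allowlist of engineering/management sources (placeholder values).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.17/32")]
# Assumed addresses of M340 CPUs and X80 Ethernet modules (placeholder values).
M340_ASSETS = {ipaddress.ip_address(a) for a in ("10.30.1.10", "10.30.1.11")}

# Constructed flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2020-12-09T08:00:01Z,10.20.0.15,10.30.1.10,udp,161,allow
2020-12-09T08:00:07Z,10.40.3.22,10.30.1.10,udp,161,allow
2020-12-09T08:00:09Z,10.40.3.22,10.30.1.10,udp,161,allow
2020-12-09T08:01:30Z,10.40.3.22,10.30.1.11,udp,161,deny
2020-12-09T08:02:00Z,10.20.5.17,10.30.1.11,udp,161,allow
2020-12-09T08:02:10Z,10.40.3.22,10.30.1.10,tcp,502,allow
2020-12-09T08:02:11Z,not-an-ip,10.30.1.10,udp,161,allow
"""


def audit_snmp_exposure(flow_text):
    """Return (allowed, denied, malformed) for untrusted UDP/161 flows to M340 assets.

    allowed/denied count flows per (src, dst); malformed lists unparsable line numbers.
    """
    allowed, denied, malformed = Counter(), Counter(), []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        try:
            _, src, dst, proto, dport, action = line.strip().split(",")
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            malformed.append(lineno)
            continue
        if proto.lower() != "udp" or dport != 161 or dst not in M340_ASSETS:
            continue  # not SNMP traffic to an affected device
        if any(src in net for net in TRUSTED_SOURCES):
            continue  # permitted by the workaround
        bucket = allowed if action.lower() == "allow" else denied
        bucket[(str(src), str(dst))] += 1
    return allowed, denied, malformed


if __name__ == "__main__":
    allowed, denied, malformed = audit_snmp_exposure(SAMPLE_FLOWS)
    for (src, dst), n in allowed.items():
        print(f"GAP: {src} -> {dst} udp/161 allowed {n}x; tighten the firewall rule")
    for (src, dst), n in denied.items():
        print(f"blocked: {src} -> {dst} udp/161 denied {n}x")
    if malformed:
        print(f"unparsed lines: {malformed}")
```

Any entry reported as a gap means the firewall still passes SNMP from an untrusted source to an affected device; denied entries confirm the rule is working and show who is probing.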
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M340 CPU firmware to version 3.30 or later
HOTFIX: Update BMXNOE0100 (H) communication module firmware to version 3.4 or later
HOTFIX: Update BMXNOE0110 (H) communication module firmware to version 6.6 or later
HOTFIX: Update BMXNOR0200H communication module firmware to version 1.7 IR22 or later
HOTFIX: Update BMXNOC0401 communication module firmware to version 2.11 or later