NicheStack TCP/IP Vulnerabilities (INFRA:HALT) in Lexium ILE, ILA, ILS, and Communication Option Boards for Altivar and Lexium32 drives

Low RiskSEVD-2021-217-01Aug 5, 2021

Schneider ElectricEnergy

Summary

Multiple vulnerabilities in HCC Embedded's NicheStack TCP/IP component integrated into Schneider Electric Lexium and Altivar drive communication modules and cards. These flaws can be exploited to cause denial of service of the affected drives. Lexium ILE, ILA, ILS modules are fixed in V01.111. Altivar 32/320/340/600/900 Profinet module (VW3A3627) is fixed in V1.10.1. Altivar 32/320 and Lexium 32 Ethernet module (VW3A3616) is fixed in V1.20IE01. Altivar 61/71 Profinet card (VW3A3327) has no fix available in all versions.

What this means

What could happen

These vulnerabilities in NicheStack TCP/IP components could allow an attacker on the network to cause denial of service against variable frequency drives (VFDs) and motor controllers, interrupting production or critical operations like pumping and power distribution.

Who's at risk

Water authorities and electric utilities operating Schneider Electric variable frequency drives (VFDs) should assess their Lexium and Altivar drive inventory. Impact affects Lexium ILE/ILA/ILS communication modules, Altivar 32/320/340/600/900 Profinet modules, Altivar 32/320 and Lexium 32 Ethernet modules, and Altivar 61/71 Profinet cards used to control pumps, motors, and power distribution equipment.

How it could be exploited

An attacker with network access to the Ethernet or Profinet communication modules could send crafted TCP/IP packets or Profinet requests to trigger a denial of service condition, causing the drive to become unresponsive and stop executing control commands from the PLC.

Prerequisites

Network access to the Ethernet or Profinet port of the affected communication module
No authentication required

remotely exploitableno authentication requiredaffects critical infrastructure drivesmultiple products with no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (4)

3 with fix1 EOL

ProductAffected VersionsFix Status

Lexium ILE ILA ILS communication drive≤ 01.11101.111

Altivar 32/320 and Lexium 32 Ethernet TCP/IP communication module (VW3A3616)<V1.20IE01V1.20IE01

Altivar 61/71 Profinet communication card (VW3A3327) All versionsAll versionsNo fix (EOL)

Altivar 32/320/340/600/900 Profinet communication module (VW3A3627)1.10.11.10.1

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDImplement network segmentation or firewall rules to restrict access to affected communication module ports from untrusted network segments

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Altivar 32/320/340/600/900 Profinet communication module (VW3A3627)

HOTFIXUpdate Altivar 32/320/340/600/900 Profinet communication module (VW3A3627) to V1.10.1 or later

Altivar 32/320 and Lexium 32 Ethernet TCP/IP communication module (VW3A3616)

HOTFIXUpdate Altivar 32/320 and Lexium 32 Ethernet TCP/IP communication module (VW3A3616) to V1.20IE01 or later

All products

HOTFIXUpdate Lexium ILE, ILA, ILS communication module firmware to V01.111 or later and reboot the module

Mitigations - no patch available

0/1

Altivar 61/71 Profinet communication card (VW3A3327) All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGFor Altivar 61/71 Profinet communication card (VW3A3327) with no patch available, isolate the drive from direct network access and implement strict network access controls

CVEs (5)

CVE-2021-31400 CVE-2021-31401 CVE-2020-35683 CVE-2020-35685 CVE-2020-35684

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4f55a383-c7a1-4988-92b7-01ca9349db7f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.