NicheStack TCP/IP Vulnerabilities (INFRA:HALT) in Lexium ILE, ILA, ILS, and Communication Option Boards for Altivar and Lexium32 drives
Low RiskSEVD-2021-217-01Aug 5, 2021
Summary
Multiple vulnerabilities in HCC Embedded's NicheStack TCP/IP component integrated into Schneider Electric Lexium and Altivar drive communication modules and cards. These flaws can be exploited to cause denial of service of the affected drives. Lexium ILE, ILA, ILS modules are fixed in V01.111. Altivar 32/320/340/600/900 Profinet module (VW3A3627) is fixed in V1.10.1. Altivar 32/320 and Lexium 32 Ethernet module (VW3A3616) is fixed in V1.20IE01. Altivar 61/71 Profinet card (VW3A3327) has no fix available in all versions.
What this means
What could happen
These vulnerabilities in NicheStack TCP/IP components could allow an attacker on the network to cause denial of service against variable frequency drives (VFDs) and motor controllers, interrupting production or critical operations like pumping and power distribution.
Who's at risk
Water authorities and electric utilities operating Schneider Electric variable frequency drives (VFDs) should assess their Lexium and Altivar drive inventory. Impact affects Lexium ILE/ILA/ILS communication modules, Altivar 32/320/340/600/900 Profinet modules, Altivar 32/320 and Lexium 32 Ethernet modules, and Altivar 61/71 Profinet cards used to control pumps, motors, and power distribution equipment.
How it could be exploited
An attacker with network access to the Ethernet or Profinet communication modules could send crafted TCP/IP packets or Profinet requests to trigger a denial of service condition, causing the drive to become unresponsive and stop executing control commands from the PLC.
Prerequisites
- Network access to the Ethernet or Profinet port of the affected communication module
- No authentication required
remotely exploitableno authentication requiredaffects critical infrastructure drivesmultiple products with no patch available
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (4)
3 with fix1 EOL
ProductAffected VersionsFix Status
Lexium ILE ILA ILS communication drive≤ 01.11101.111
Altivar 32/320 and Lexium 32 Ethernet TCP/IP communication module (VW3A3616)<V1.20IE01V1.20IE01
Altivar 61/71 Profinet communication card (VW3A3327) All versionsAll versionsNo fix (EOL)
Altivar 32/320/340/600/900 Profinet communication module (VW3A3627)1.10.11.10.1
Remediation & Mitigation
0/5
Do now
0/1WORKAROUNDImplement network segmentation or firewall rules to restrict access to affected communication module ports from untrusted network segments
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
Altivar 32/320/340/600/900 Profinet communication module (VW3A3627)
HOTFIXUpdate Altivar 32/320/340/600/900 Profinet communication module (VW3A3627) to V1.10.1 or later
Altivar 32/320 and Lexium 32 Ethernet TCP/IP communication module (VW3A3616)
HOTFIXUpdate Altivar 32/320 and Lexium 32 Ethernet TCP/IP communication module (VW3A3616) to V1.20IE01 or later
All products
HOTFIXUpdate Lexium ILE, ILA, ILS communication module firmware to V01.111 or later and reboot the module
Mitigations - no patch available
0/1Altivar 61/71 Profinet communication card (VW3A3327) All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGFor Altivar 61/71 Profinet communication card (VW3A3327) with no patch available, isolate the drive from direct network access and implement strict network access controls
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4f55a383-c7a1-4988-92b7-01ca9349db7f