Modicon PAC Controllers and PLC Simulator for EcoStruxure™ Control Expert and EcoStruxure™ Process Expert

MonitorCVSS 6.5SEVD-2021-222-04Aug 10, 2021

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities (CWE-119, CWE-125, CWE-787, CWE-476) in Modicon PAC Controllers and PLC Simulator allow an attacker to craft a malicious project file that, when downloaded to the controller, causes a buffer overflow or memory access violation resulting in loss of availability. The PLC Simulator is not intended for production use. Affected products include Modicon M580, M580 Safety, M340, MC80, Momentum, Legacy Modicon Premium and Quantum, and PLC Simulator for EcoStruxure Control Expert and Process Expert.

What this means

What could happen

An attacker with access to upload a malicious project file could stop a Modicon controller or PLC simulator, causing loss of availability for industrial operations like power distribution or manufacturing processes.

Who's at risk

Energy utilities and manufacturing plants using Schneider Electric Modicon M580, M580 Safety, M340, MC80, or Momentum CPU controllers, as well as engineering teams using PLC Simulator in EcoStruxure Control Expert or Process Expert software. Legacy Modicon Premium and Quantum systems are also affected.

How it could be exploited

An attacker obtains a valid project file (either legitimate or by compromising a workstation), modifies it maliciously, and uploads it to the target Modicon PLC or PLC Simulator. The controller processes the malicious file, triggering a buffer overflow or memory access violation that crashes the device and stops all operations it controls.

Prerequisites

Ability to upload a project file to the controller (requires engineering access via EcoStruxure Control Expert / Process Expert software or direct project file transfer capability
Knowledge of the target controller model and firmware version
A crafted or modified project file

Remotely exploitable (via project file upload)Requires valid engineering accessLow complexity attack once access is gainedNo patch available for legacy Modicon Premium, Quantum, and Modicon Premium CPUNo patch available for PLC SimulatorAffects availability of industrial control systems

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (9)

5 with fix2 pending2 EOL

ProductAffected VersionsFix Status

Modicon M580 CPU <SV4.10<SV4.10SV4.10

Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)< SV4.21SV4.21

Modicon M340 CPU <3.50<3.503.50

Modicon MC80 <SV1.90< SV1.90All versions

PLC Simulator for EcoStruxure™ Control Expert All versionsAll versionsNo fix yet

PLC Simulator for EcoStruxure™ Process Expert All versionsAll versionsNo fix yet

Legacy Modicon Premium and Quantum All versionsAll versionsNo fix (EOL)

Modicon Premium CPU All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/8

Do now

0/2

HARDENINGRestrict access to upload project files to the controller to authorized engineering personnel only (network access controls, role-based access)

WORKAROUNDDo not use PLC Simulator for EcoStruxure Control Expert and Process Expert in production environments; use only in isolated test/development systems

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Modicon M580 CPU to firmware version SV4.10 or later

HOTFIXUpdate Modicon M580 CPU Safety (BMEP58*S, BMEH58*S) to firmware version SV4.21 or later and EcoStruxure Control Expert to V16.0 HF001 or later

HOTFIXUpdate Modicon M340 CPU to firmware version 3.50 or later

HOTFIXUpdate Modicon MC80 to firmware version SV1.90 or later

HOTFIXUpdate Modicon Momentum CPU to firmware version V2.6 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Legacy Modicon Premium and Quantum All versions, Modicon Premium CPU All versions. Apply the following compensating controls:

HARDENINGDisable or isolate legacy Modicon Premium, Quantum, and Modicon Premium CPU controllers from network access where possible, and monitor for suspicious project file uploads

CVEs (4)

CVE-2021-22789 CVE-2021-22790 CVE-2021-22791 CVE-2021-22792

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/908a2203-f958-4a2c-be51-69f20dea8a50

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.