OTPulse

Web Server on Modicon M340, Legacy Offers Modicon Quantum and Premium and Associated Communication Modules

Plan Patch | CVSS 7.5 | SEVD-2021-257-02 | Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in the web server component of Schneider Electric Modicon M340, Quantum, and Premium PLCs and their associated Ethernet communication modules. These vulnerabilities could allow disclosure of sensitive information from memory or cause denial of service of the controller. The vulnerabilities are exploitable over the network without authentication if the web server is enabled. Several Modicon Premium and Quantum product lines (integrated Ethernet processors TSXP574634, TSXP575634, TSXP576634, 140CPU65xxxxx, and communication modules 140NOE771x1, 140NOC78x00, 140NOC77101, TSXETY4103, TSXETY5103) have no vendor fix planned. Modicon M340 products have fixes available.

What this means
What could happen
An unauthenticated attacker on the network could read sensitive information from the PLC's web server (such as configuration or network details) or cause the device to become unresponsive, disrupting control of industrial processes.
Who's at risk
This affects water utilities, electric utilities, and manufacturing plants that use Schneider Electric Modicon M340, Quantum, or Premium programmable logic controllers (PLCs) and their Ethernet communication modules. The vulnerability is in the built-in web server, which is off by default but may be enabled by operators for remote monitoring or engineering access.
How it could be exploited
An attacker sends a specially crafted HTTP request to the web server on port 80 of an affected Modicon PLC or communication module. No valid credentials are required. The vulnerability in the web server could allow reading memory contents or triggering a denial of service that stops the device from responding to control commands.
Prerequisites
  • Network access to port 80/HTTP on the affected device
  • Device must have the web server enabled (HTTP is disabled by default, so must be explicitly turned on)
  • No authentication credentials required
remotely exploitable · no authentication required · low complexity · high CVSS score (7.5) · affects critical infrastructure controllers · many products have no fix available
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (14)
5 with fix · 9 EOL
Product | Affected Versions | Fix Status
Modicon M340 CPUs BMXP34* | <V3.40 | Firmware V3.40
Modicon M340 X80 Ethernet Communication modules BMXNOE0100 (H) | <SV03.50 | SV03.50
Modicon M340 X80 Ethernet Communication modules BMXNOE0110 (H) | <SV06.70 | SV06.70
Modicon M340 X80 Ethernet Communication modules BMXNOC0401 prior to V2.11 | <V2.11 | V2.11
Modicon M340 X80 Ethernet Communication Modules BMXNOR0200H RTU | <V1.7 IR24 | V1.70 IR24
Modicon Premium processors with integrated Ethernet COPRO TSXP574634 all versions | vers:all/* | No fix (EOL)
Modicon Premium processors with integrated Ethernet COPRO TSXP575634 all versions | All versions | No fix (EOL)
Modicon Premium processors with integrated Ethernet COPRO TSXP576634 all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block all unauthorized access to port 80/HTTP at the firewall; verify HTTP is disabled by default on M340 CPUs
WORKAROUND: Configure Access Control Lists on communication modules following the Modicon M340 Ethernet Communications Modules and Processors User Manual
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M340 CPU firmware to version V3.40 or later
HOTFIX: Update BMXNOE0100 (H) communication module to firmware version SV03.50 or later
HOTFIX: Update BMXNOE0110 (H) communication module to firmware version SV06.70 or later
HOTFIX: Update BMXNOC0401 communication module to firmware version V2.11 or later
HOTFIX: Update BMXNOR0200H RTU module to firmware version V1.70 IR24 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • Modicon Premium processors with integrated Ethernet COPRO TSXP574634 all versions
  • Modicon Premium processors with integrated Ethernet COPRO TSXP575634 all versions
  • Modicon Premium processors with integrated Ethernet COPRO TSXP576634 all versions
  • Modicon Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx all versions
  • Modicon Quantum communication modules 140NOE771x1 all versions
  • Modicon Quantum communication modules 140NOC78x00 all versions
  • Modicon Quantum communication modules 140NOC77101 all versions
  • Modicon Premium communication modules TSXETY4103 all versions
  • Modicon Premium communication modules TSXETY5103 all versions
Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate affected PLCs and communication modules from untrusted networks
HARDENING: Set up a VPN between the Modicon devices and engineering workstations running EcoStruxure Control Expert or Process Expert
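To turn the affected-products table and the remediation lists above into a per-device action, the following added example (not part of the original advisory or any Schneider Electric tooling) triages an asset inventory against the fixed firmware versions and End of Life references listed on this page. The function names, the wildcard handling of `x` in references, the reading of a one-digit minor version, and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed firmware per product reference prefix, copied from the advisory's table.
FIXED = {
    "BMXP34": "V3.40",
    "BMXNOE0100": "SV03.50",
    "BMXNOE0110": "SV06.70",
    "BMXNOC0401": "V2.11",
    "BMXNOR0200H": "V1.70 IR24",
}
# References the advisory lists as End of Life; lowercase 'x' is a wildcard.
EOL = ["TSXP574634", "TSXP575634", "TSXP576634", "140CPU65xxxxx", "140NOE771x1",
       "140NOC78x00", "140NOC77101", "TSXETY4103", "TSXETY5103"]
# Assumption: a trailing run of 'x' matches any suffix, an inner 'x' one character.
EOL_RX = [re.compile(re.sub(r"x+$", ".*", p).replace("x", ".")) for p in EOL]

def parse_version(text):
    """'SV03.50' -> (3, 50, 0); 'V1.70 IR24' -> (1, 70, 24)."""
    m = re.fullmatch(r"S?V(\d+)\.(\d+)(?:\s+IR(\d+))?", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, ir = m.groups()
    # Assumption: a one-digit minor is shorthand ('V1.7' means 'V1.70').
    return int(major), int(minor.ljust(2, "0")), int(ir or 0)

def triage(ref, firmware):
    """Return (status, fixed_version) for one inventory entry."""
    ref = ref.strip().upper()
    if any(rx.fullmatch(ref) for rx in EOL_RX):
        return ("EOL", None)  # no fix planned: compensating controls only
    for prefix, fixed in FIXED.items():
        if ref.startswith(prefix):
            needs = parse_version(firmware) < parse_version(fixed)
            return ("UPDATE" if needs else "FIXED", fixed)
    return ("NOT_LISTED", None)

# Constructed sample inventory (reference, reported firmware); not real devices.
INVENTORY = [
    ("BMXP342020", "V3.20"),
    ("BMXNOE0100", "SV03.50"),
    ("BMXNOR0200H", "V1.7 IR23"),
    ("140CPU65160", "V3.5"),
    ("140NOE77111", "V7.3"),
]

if __name__ == "__main__":
    for ref, fw in INVENTORY:
        status, fixed = triage(ref, fw)
        print(f"{ref:<12} {fw:<11} {status:<10} {fixed or '-'}")
```

Devices reported as `EOL` are the ones that need the segmentation, ACL and VPN controls; `UPDATE` entries go on the maintenance-window schedule.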