OTPulse

BadAlloc Vulnerabilities

Priority: Act Now
CVSS: 9.8
Advisory: SEVD-2021-313-05
Published: Nov 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

BadAlloc is a series of memory allocation vulnerabilities (CWE-190 integer overflow) in Schneider Electric devices disclosed by Microsoft on April 29, 2021. Successful exploitation allows denial of service (crash) or remote code execution depending on the device context. The vulnerabilities affect Eurotherm PAC and EPC controllers, Easergy relays and meters, Modicon logic controllers and network modules, PacDrive controllers, PowerLogic meters, Vijeo Designer and Harmony HMI panels, TAC I/A systems, Niagara Framework, JACE platforms, Pro-face HMI touchscreens, SCD6000 RTUs, and many others across industrial control and building automation. Patches are available for some products (e.g., Modicon M241/M251, Easergy C5, PowerLogic ION7400/PM8000/ION9000), but many product families including Modicon Quantum/Premium CPUs, M580 series, all Eurotherm 6xxx series, Vijeo Designer, Harmony HMIGTU/HMIGTUX/HMIGK series, and others have no vendor fix available. Niagara Framework 4.10u1 and later versions are affected with no patch.

What this means
What could happen
An attacker who can reach a vulnerable Schneider Electric device over the network could run arbitrary code on it or crash it, disrupting process control and data logging. This affects PLCs, network modules, and data recorders that control heating, power distribution, and facility operations.
Who's at risk
Energy sector operators (utilities, substations), manufacturing facilities, and building automation managers using Schneider Electric PLCs (Modicon M-series), PAC controllers (Eurotherm T-series), logic controllers (PacDrive), network modules, data recorders (nanodac, Versadac), power metering systems (PowerLogic), HMI panels (Vijeo Designer, Harmony/Magelis, Pro-face), and RTUs are affected. Any facility relying on these devices for process control, power management, or data collection is at risk.
How it could be exploited
An attacker sends a specially crafted network request that triggers an integer overflow in the memory allocation code of a vulnerable device. The size computed from the request wraps around, so the device allocates far less memory than the data it then writes into the buffer; the resulting memory corruption lets the attacker execute code on the device or crash the process. No authentication is required; the device only needs to be reachable on the network.
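As an added illustration that is not part of the advisory and not Schneider Electric code, the C fragment below shows the CWE-190 allocation pattern that BadAlloc describes next to the check that prevents it. The allocator wrapper, the HEADER_LEN constant, the function names and the sample request size are constructed assumptions; the code only computes sizes and never writes past a buffer, so it is safe to compile and run while reviewing your own allocation wrappers for the same pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example of the CWE-190 allocation pattern behind BadAlloc.
 * Many embedded allocators prepend a bookkeeping header to every block, so
 * the size handed to the underlying allocator is request + HEADER_LEN.
 * HEADER_LEN and all function names here are assumptions for illustration. */
#define HEADER_LEN 16

/* Vulnerable form: the addition is unchecked. For a request close to
 * SIZE_MAX the sum wraps to a small value, the allocation succeeds, and a
 * caller that later copies `request` bytes into the block overruns it. */
size_t total_size_unchecked(size_t request) {
    return request + HEADER_LEN;
}

/* Hardened form: refuse any request whose total would wrap. Returns 1 and
 * stores the total in *out on success, 0 if the arithmetic would overflow. */
int total_size_checked(size_t request, size_t *out) {
    if (request > SIZE_MAX - HEADER_LEN) {
        return 0;
    }
    *out = request + HEADER_LEN;
    return 1;
}

/* The same check for the count * element-size form, e.g. an array of
 * records whose count is taken from a network message. */
int array_size_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0;
    }
    *out = count * elem_size;
    return 1;
}

/* Allocator wrapper built on the hardened check: returns NULL on overflow
 * as well as on ordinary allocation failure, giving callers one failure path. */
void *alloc_with_header(size_t request) {
    size_t total;
    if (!total_size_checked(request, &total)) {
        return NULL;
    }
    return malloc(total);
}

int main(void) {
    /* Constructed hostile length just below SIZE_MAX, as a protocol parser
     * might receive it from an untrusted peer. */
    size_t hostile = SIZE_MAX - 3;
    size_t total;

    printf("unchecked total for %zu: %zu\n", hostile,
           total_size_unchecked(hostile));
    printf("checked total accepted: %d\n",
           total_size_checked(hostile, &total));

    void *p = alloc_with_header(64);
    printf("normal request allocated: %s\n", p ? "yes" : "no");
    free(p);
    return 0;
}
```

The unchecked total for the hostile length wraps to 12 bytes, which is exactly the condition the advisory describes: the allocation succeeds, and any subsequent write of the requested length corrupts memory. The checked variants reject the same input before any allocation takes place, which is the property to look for when auditing allocation wrappers in firmware or RTOS code.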
Prerequisites
  • Network access to the vulnerable device on its management or operational port
  • No authentication required
Tags: remotely exploitable; no authentication required; low complexity; affects 100+ product families; many products have no patch available; high CVSS (9.8)
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (83)
62 with fix, 21 pending
Product (affected versions; fix status):
  • Harmony/ Magelis HMIGTUX Series (affected: <6.2 SP11 Multi HotFix 4; fixed in: 6.2 SP11 Multi HotFix 4)
  • Harmony/ Magelis HMIGK Series (affected: <6.2 SP11 Multi HotFix 4; fixed in: 6.2 SP11 Multi HotFix 4)
  • HMISCU (affected: <6.2 SP12; fixed in: 6.2 SP12)
  • HMISTU Series (affected: <6.3 SP1; fixed in: 6.3 SP1)
  • MiCOM C264 (affected: ≥ B5.x|<B5.118; ≥ D1.x|<D1.92; ≥ D4.x|<D4.38; ≥ D5.x|<D5.25I; ≥ D6.x|<D6.18; fixed in: B5.118)
Remediation & Mitigation

Do now
  • [Eurotherm E+PLC400] HOTFIX: Apply firmware patches to Easergy C5 (<1.0.5), Easergy MiCOM P30 (v660–674), Easergy P5 (<01.401.101), EPC2000 (<4.03), EPC3000 (<5.20), Eurotherm E+PLC400 (<1.4.0.0), Eycon 10/20 Visual Supervisor (<7.3), T2550 PAC (<8.2), T2750 PAC (<6.3), nanodac (<10.02), Versadac (<2.43), Modicon M241/M251/M262/M258/LMC058/MC80 logic controllers, Modicon M340 modules, PacDrive logic controllers, and PowerLogic meters to their latest fixed versions.
  • [MiCOM C264] HARDENING: For devices with no available patch (E+PLC100, Eurotherm 6100A/6180A/6100XIO/6180XIO/AeroDAQ, Vijeo Designer, Harmony/Magelis HMI series, TAC I/A, JACE-8000, Niagara Framework, MiCOM C264, M580 CPU, M580 Ethernet modules, Premium/Quantum CPUs, Pro-face HMI panels, SCD6000, SAGE RTU, and others), implement network segmentation so that only authorized engineering workstations and control systems on a dedicated network can reach the device.
  • [All products] WORKAROUND: If network segmentation is not feasible, implement firewall rules to block untrusted inbound traffic to the vulnerable devices and restrict access to necessary ports only (e.g., HTTP/HTTPS for web interfaces, Modbus/EtherCAT for control protocols).

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HARDENING: Disable remote management features on devices that support them if they are not required for operations.

Long-term hardening
  • HARDENING: Maintain an inventory of all Schneider Electric devices in your environment and track patch status so that no unpatched system is overlooked.