OTPulse

Ethernet and Web server on Modicon M340 controller and Communication Modules

Monitor · 7.5 · SEVD-2022-011-01 · Jan 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in Schneider Electric Modicon M340 controllers and communication modules, including resource exhaustion (denial of service), unauthorized web server access, and sensitive information disclosure. The vulnerabilities affect the Ethernet and integrated web server functionality on M340 CPUs, Quantum and Premium CPUs with Ethernet capabilities, M340 Ethernet modules, and factory cast communication modules for Quantum and Premium platforms. No firmware patches are available from Schneider Electric. Remediation requires network isolation, firewall filtering, and physical access controls. Schneider Electric recommends use of the Eagle40 device as a comprehensive security solution for these products.

What this means
What could happen
An attacker with network access to a Modicon M340 controller or communication module could cause a denial of service by exhausting the device's resources, stopping industrial processes. Additionally, attackers could gain unauthorized access to the web server or extract sensitive information from the controller.
Who's at risk
Water authorities, electric utilities, and manufacturing plants operating Modicon M340 automation controllers and Modicon Quantum or Premium CPUs with integrated Ethernet should be concerned. This affects any facility using these controllers for process automation, water treatment, power distribution, or other critical infrastructure operations.
How it could be exploited
An attacker on the network sends malformed or excessive requests to the Ethernet port or web server interface of the M340 controller or communication modules. The devices do not properly validate or rate-limit these requests, allowing the attacker to consume available memory and CPU resources, eventually causing the device to become unresponsive or reboot. No authentication is required for this attack.
Prerequisites
  • Network access to port 80 (HTTP) or port 502 (Modbus TCP) on the M340 controller or communication module
  • Device must be reachable from attacker's network segment
  • No authentication required
Remotely exploitable · No authentication required · Low complexity attack · No patch available · Affects critical automation controllers · Denial of service impact on physical operations
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (5)
5 EOL
Product | Affected Versions | Fix Status
Modicon M340 CPUs all | all | No fix (EOL)
Modicon Quantum CPUs with integrated Ethernet (Copro) all | all | No fix (EOL)
Modicon Premium CPUs with integrated Ethernet (Copro) all | all | No fix (EOL)
Modicon M340 ethernet modules all | all | No fix (EOL)
Modicon Quantum and Premium factory cast communication modules all | all | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate all M340 controllers and communication modules behind a firewall, blocking unnecessary inbound traffic from business networks and the Internet
  • WORKAROUND: Disable or restrict access to the web server on M340 controllers unless required for operations, and only allow access from authorized engineering workstations
  • HARDENING: Ensure M340 controllers are always in "Run" mode, never left in "Program" mode where they are more vulnerable to modification
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

  • WORKAROUND: Monitor M340 controllers for signs of resource exhaustion or unexpected denial of service conditions
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon M340 CPUs all, Modicon Quantum CPUs with integrated Ethernet (Copro) all, Modicon Premium CPUs with integrated Ethernet (Copro) all, Modicon M340 ethernet modules all, Modicon Quantum and Premium factory cast communication modules all. Apply the following compensating controls:
  • HARDENING: Place all M340 controllers in locked cabinets to prevent unauthorized physical access
  • HARDENING: Implement network segmentation to separate control networks from business networks, ensuring OT devices are not routable from IT systems
  • HARDENING: If remote access is required, use a VPN with secure authentication and keep it updated to the latest version
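
One way to check the firewall allowlist and the monitoring item above from flow logs, as an added example that is not part of the advisory or Schneider Electric's guidance: it flags connections to ports 80 and 502 on a controller from sources outside the authorized workstation list, and connection bursts from any source. The IP addresses, log format, window and threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import defaultdict

# All values below are assumptions for illustration, not from the advisory.
PLC_HOSTS = {ipaddress.ip_address("10.10.20.5")}        # M340 controller (hypothetical)
ENGINEERING_WS = {ipaddress.ip_address("10.10.30.11")}  # authorized workstation (hypothetical)
WATCHED_PORTS = {80, 502}   # HTTP and Modbus TCP, the ports the advisory names
WINDOW_S = 10               # sliding window length in seconds (assumed)
MAX_CONNS_PER_WINDOW = 20   # connections per source per window before flagging (assumed)

# Constructed sample flow log: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = "\n".join(
    ["1700000000 10.10.30.11 10.10.20.5 502",   # normal engineering traffic
     "1700000004 192.168.1.77 10.10.20.5 80",   # web access from outside the allowlist
     "1700000005 192.168.1.77 10.10.20.5 22",   # not a watched port, ignored
     "truncated line"]                          # malformed, skipped
    + [f"{1700000100 + i // 5} 10.10.30.11 10.10.20.5 80" for i in range(30)]  # 30 conns in 6 s
)

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:  # wrong field count, bad IP or bad number
            continue

def audit(flows):
    """Return sorted findings as (kind, src, dst, port); kind is 'unauthorized' or 'burst'."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        if dst in PLC_HOSTS and port in WATCHED_PORTS:
            times[(src, dst, port)].append(ts)
    findings = set()
    for (src, dst, port), stamps in times.items():
        if src not in ENGINEERING_WS:
            findings.add(("unauthorized", str(src), str(dst), port))
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window over timestamps
            while ts - stamps[start] >= WINDOW_S:
                start += 1
            if end - start + 1 > MAX_CONNS_PER_WINDOW:
                findings.add(("burst", str(src), str(dst), port))
                break
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The burst check applies to allowlisted sources as well, since a misbehaving authorized client can exhaust the device just as an unauthorized one can.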