ICSA-21-005-01  ·  Published 2021-01-05

Schneider Electric Web Server on Modicon M340

CVSS 6.3 MEDIUM

Risk Summary

Successful exploitation of these vulnerabilities may allow write access and the execution of commands, which could result in data corruption or a web server crash.

Remediations

  • Schneider Electric is establishing a remediation plan to fix these vulnerabilities in current and future versions of Modicon PAC controllers. Schneider Electric will update SEVD-2020-315-01 when the remediation is available.
  • Disable FTP via Unity Pro / EcoStruxure Control Expert. This is disabled by default when a new application is created.
  • Configure the access control list via the EcoStruxure Control Expert programming tool.
  • Set up network segmentation and implement a firewall to block all unauthorized access to Port 21/TCP.
  • Schneider Electric's Modicon Premium and Modicon Quantum controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 ePAC controller.
  • For further information, please refer to Modicon Controllers Platform - CyberSecurity, Reference Manual and SEVD-2020-315-01.
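
One way to verify that the segmentation and Port 21/TCP blocking above actually hold is to audit firewall flow records for FTP sessions reaching controllers from sources outside an allowlist. The following is an added example, not part of the advisory or any Schneider Electric tooling; the subnets, the engineering workstation address, and the six-field log format are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values, constructed for this example (not from the advisory).
CONTROLLERS = [ipaddress.ip_network("10.20.0.0/24")]   # PLC segment
FTP_ALLOWED = [ipaddress.ip_network("10.10.5.10/32")]  # engineering workstation
FTP_PORT = 21

# Constructed flow records: "timestamp src dst proto dport action"
SAMPLE_FLOWS = """\
2021-01-06T08:00:01Z 10.10.5.10 10.20.0.11 tcp 21 ACCEPT
2021-01-06T08:00:07Z 10.30.7.44 10.20.0.11 tcp 21 ACCEPT
2021-01-06T08:01:12Z 10.30.7.44 10.20.0.12 tcp 21 DROP
2021-01-06T08:02:30Z 10.30.7.44 10.20.0.11 tcp 502 ACCEPT
2021-01-06T08:03:00Z 10.10.5.10 10.99.0.5 tcp 21 ACCEPT
malformed line
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_ftp_flows(text, controllers=CONTROLLERS, allowed=FTP_ALLOWED):
    """Return (violations, blocked, skipped).

    violations: accepted 21/TCP flows to controllers from non-allowlisted
                sources, i.e. a gap in the firewall or ACL.
    blocked:    the same kind of flow, but dropped (control is working).
    skipped:    number of non-empty lines that could not be parsed.
    """
    violations, blocked, skipped = [], [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts, src, dst, proto, dport, action = parts
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1
            continue
        if proto.lower() != "tcp" or port != FTP_PORT:
            continue
        if not _in_any(dst_ip, controllers) or _in_any(src_ip, allowed):
            continue
        (violations if action.upper() == "ACCEPT" else blocked).append((ts, src, dst))
    return violations, blocked, skipped

if __name__ == "__main__":
    for label, rows in zip(("VIOLATION", "BLOCKED"), audit_ftp_flows(SAMPLE_FLOWS)[:2]):
        for row in rows:
            print(label, *row)
```

Any row reported as a violation means FTP is still reachable from an unauthorized source and the firewall rule or controller access control list needs correcting.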

Affected Vendors

Schneider Electric Software, LLC

Affected Products (12)

Schneider Electric Software, LLC · M340 Communication Ethernet modules BMX NOE 0100 (H) vers:all/*
Schneider Electric Software, LLC · M340 Communication Ethernet modules BMX NOE 0110 (H) vers:all/*
Schneider Electric Software, LLC · Quantum communication modules 140NOC78x00 vers:all/*
Schneider Electric Software, LLC · M340 CPUs BMX P34x vers:all/*
Schneider Electric Software, LLC · Premium processors with integrated Ethernet COPRO TSXP574634 TSXP575634 TSXP576634 vers:all/*
Schneider Electric Software, LLC · Quantum communication modules 140NOE771x1 vers:all/*
Schneider Electric Software, LLC · M340 Communication Ethernet modules BMX NOR 0200H vers:all/*
Schneider Electric Software, LLC · Premium communication modules TSXETY4103 *
Schneider Electric Software, LLC · Premium communication modules TSXETY5103 *
Schneider Electric Software, LLC · M340 Communication Ethernet modules BMX NOC 0401 vers:all/*
Schneider Electric Software, LLC · Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx vers:all/*
Schneider Electric Software, LLC · Quantum communication modules 140NOC77101 vers:all/*

Affected Sectors

Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
