Schneider Electric Modicon Controllers (Update A)

Risk Summary

Schneider Electric is aware of multiple vulnerabilities in its Modicon Controller products. The [Modicon Programmable Automation controllers](https://www.se.com/ww/en/product-subcategory/3950-pac-programmable-automation-controllers/) are used for complex networked communication, display and control applications Failure to apply the mitigations or remediations provided below may risk execution of unsolicited command on the PLC which could result in a loss of availability of the controller.

CVEs (22)

Remediations

• Version sv4.20 of Modicon M580 includes a fix for this vulnerability and is available for download here: STEP 1: Update software and firmware. • On the engineering workstation, update to EcoStruxure Control Expert v16.0: https://www.se.com/ww/en/product-range/548-ecostruxure-control-expert-unity-pro/#software-and-firmware • On the Modicon M580 controller, update to firmware SV4.20 or above: https://www.se.com/ww/en/product-range/62098-modicon-m580-epac/#software-and-firmware STEP 2: Update projects in EcoStruxure Control Expert by: • Setting up an application password in the project properties • Changing the version of the controller firmware to match the new firmware version of the target controller STEP 3: Rebuild and transfer projects in EcoStruxure Control Expert: • Rebuild all current projects
• Version sv3.60 of Modicon M340 includes a fix for this vulnerability and is available for download here: STEP 1: Update software and firmware • On the engineering workstation, update to EcoStruxure Control Expert v16.0 or later: https://www.se.com/ww/en/product-range/548-ecostruxure-control-expert-unity-pro/#software-and-firmware • On the Modicon M340 controller, update to firmware v3.60 or above: https://www.se.com/ww/en/product-range/1468- modicon-m340/#software-and-firmware STEP 2: Update projects in EcoStruxure Control Expert by: • Setting up an application password in the project properties • Changing the version of the controller firmware to match the new firmware version of the target controller STEP 3: Rebuild and transfer projects in EcoStruxure Control Expert: • Rebuild all current projects • Transfer them to Modicon controllers
• It is recommended to apply the following mitigations to reduce the risk of exploitation: • Set up an application password in the project properties • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: https://www.se.com/ww/en/download/document/EIO0000001578/ • Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Setup secured communications”: https://www.se.com/ww/en/download/document/EIO0000001999/ NOTE: Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 - BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/ OR • Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”: https://www.se.com/ww/en/download/document/PHA83350 OR • Consider using external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 and M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”: https://www.schneider-electric.com/en/download/document/EIO0000001999/ NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.
• It is recommended to apply the following mitigations to reduce the risk of exploitation: • Set up an application password in the project properties • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: o “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”: https://www.se.com/ww/en/download/document/31007131K01000/ • Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Setup secured communications”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”: https://www.se.com/ww/en/download/document/EIO0000001999/
• Schneider Electric’s Modicon Quantum and Quantum Safety controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 or M580 Safety ePAC controller, our most current product offer. Customers should strongly consider migrating to the Modicon M580 ePAC. Please contact your local Schneider Electric technical support for more information.
• To mitigate the risks associated with Modbus/ weaknesses, users should immediately: • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List feature as mentioned in “Quantum using EcoStruxure Control Expert - TCP/IP Configuration, User Manual” in chapter “Software Settings for Ethernet Communication / Messaging / Quantum NOE Ethernet Messaging Configuration”: https://www.se.com/ww/en/download/document/33002467K01000/
• Schneider Electric’s Modicon Premium controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 ePAC controller, our most current product offer. Customers should strongly consider migrating to the Modicon M580 ePAC. Please contact your local Schneider Electric technical support for more information.
• To mitigate the risks associated with Modbus/ weaknesses, users should immediately: • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manual “Premium and Atrium using EcoStruxure Control Expert - Ethernet Network Modules, User Manual” in chapters “Connection configuration parameters / TCP/IP Services Configuration Parameters / Connection Configuration Parameters”: https://www.se.com/ww/en/download/document/35006192K01000/
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU65150 [C] & 140CPU65160 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU651X0_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU65260 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU65260_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU67261 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU67261_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU67060 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU67060_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU67160 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU67160_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU67261 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU67261_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU67260 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU67260_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU65860 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU65860_SV3.60
• Version v3.60 of Modicon Quantum includes a fix for this vulnerability and is available for download here: 140CPU67861 [C] - https://www.schneider-electric.com/en/download/document/Quantum_140CPU67861_SV3.60
• Please contact your Schneider Electric customer support to get Premium V3.20 firmware. TSXP57104M [C] TSXP57154M [C] TSXP571634M [C] TSXP57204M [C] TSXP572634M [C] TSXP57254M [C] TSXP57304M [C] TSXP573634M [C] TSXP57354M [C] TSXP574634M [C] TSXP57454M [C] TSXP575634M [C] TSXP57554M [C] TSXP576634M [C] TSXH5724M [C] TSXH5744M [C]
• Schneider Electric’s Modicon Quantum and Quantum Safety controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 or M580 Safety ePAC controller, our most current product offer. Customers should strongly consider migrating to the Modicon M580 ePAC. Please contact your local Schneider Electric technical support for more information. To mitigate the risks associated with Modbus/ weaknesses, users should immediately: • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List feature as mentioned in “Quantum using EcoStruxure Control Expert - TCP/IP Configuration, User Manual” in chapter “Software Settings for Ethernet Communication / Messaging / Quantum NOE Ethernet Messaging Configuration”: https://www.se.com/ww/en/download/document/33002467K01000/
• Schneider Electric’s Modicon Premium controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 ePAC controller, our most current product offer. Customers should strongly consider migrating to the Modicon M580 ePAC. Please contact your local Schneider Electric technical support for more information. To mitigate the risks associated with Modbus/ weaknesses, users should immediately: • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manual “Premium and Atrium using EcoStruxure Control Expert - Ethernet Network Modules, User Manual” in chapters “Connection configuration parameters / TCP/IP Services Configuration Parameters / Connection Configuration Parameters”: https://www.se.com/ww/en/download/document/35006192K01000/
• Schneider Electric's Modicon Quantum and Quantum Safety controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 or M580 Safety ePAC controller, our most current product offer. Customers should strongly consider migrating to the Modicon M580 ePAC. Please contact your local Schneider Electric technical support for more information. To mitigate the risks associated with Modbus/ weaknesses, users should immediately: • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List feature as mentioned in “Quantum using EcoStruxure Control Expert - TCP/IP Configuration, User Manual” in chapter “Software Settings for Ethernet Communication / Messaging / Quantum NOE Ethernet Messaging Configuration”: https://www.se.com/ww/en/download/document/33002467K01000/
• Version sv2.90 of Modicon Momentum includes a fix for this vulnerability and is available for download here: STEP 1: Update software and firmware. • On the engineering workstation, update to EcoStruxure Control Expert v16.2 HF003 (https://www.se.com/ww/en/product-range/548-ecostruxure-control-expert-unity-pro/#software-and-firmware). • On the Modicon Momentum CPU, update to firmware v2.90: https://www.se.com/ww/en/product-range/535-modicon-momentum/#software-and-firmware STEP 2: Update projects in EcoStruxure Control Expert by: • Setting up an application password in the project properties • Changing the version of the controller firmware to match the new firmware version of the target controller STEP 3: Rebuild and transfer projects in EcoStruxure Control Expert: • Rebuild all current projects • Transfer them to Modicon controllers
• To mitigate the risks associated with CVE-2018-7855, users should immediately apply the following steps: • Set up an application password in the project properties • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: • “Modicon MC80 Programmable Logic Controller (PLC) manual” in the chapter “Access Control List (ACL)”: https://www.se.com/ww/en/download/document/EIO0000002071/ • Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”: https://www.se.com/ww/en/download/document/EIO0000001999/
• If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploitation: To mitigate the risks associated with Modbus weaknesses, users should immediately: • Set up an application password in the project properties • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manual, “Momentum for EcoStruxure Control Expert - 171 CBU 78090, 171 CBU 98090, 171 CBU 98091 Processors” manual in the chapter “Modbus Messaging and Access Control”: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_Doc_Ref=HRB44124 • Set up a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Set up a VPN between the Modicon PLC controllers and the engineering workstation containing EcoStruxure Control Expert or Process Expert. Note: this functionality may be provided by an external IPSEC compatible firewall located close to the controller.
• Version v1.80 of Modicon MC80 includes a fix for this vulnerability and is available for download here: STEP 1: Update software and firmware. • On the engineering workstation, update to EcoStruxure Control Expert v16.0 or later: https://www.se.com/ww/en/product-range/548-ecostruxure-control-expert-unity-pro/#software-and-firmware • On the Modicon MC80 controller, update to firmware V1.80 or above: https://www.se.com/ww/en/product-range/62396-modicon-mc80/#software-and-firmware STEP 2: Update projects in EcoStruxure Control Expert by: • Setting up an application password in the project properties • Changing the version of the controller firmware to match the new firmware version of the target controller STEP 3: Rebuild and transfer projects in EcoStruxure Control Expert: • Rebuild all current projects • Transfer them to Modicon controllers
• To mitigate the risks, users should immediately apply the following steps: • Set up an application password in the project properties • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: • “Modicon MC80 Programmable Logic Controller (PLC) manual” in the chapter “Access Control List (ACL)”: https://www.se.com/ww/en/download/document/EIO0000002071/ • Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”: https://www.se.com/ww/en/download/document/EIO0000001999/
• To mitigate the risks associated with Modbus weaknesses, users should immediately: • Set up an application password in the project properties • Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manual, “Momentum for EcoStruxure Control Expert - 171 CBU 78090, 171 CBU 98090, 171 CBU 98091 Processors” manual in the chapter “Modbus Messaging and Access Control”: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_Doc_Ref=HRB44124 • Set up a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Set up a VPN between the Modicon PLC controllers and the engineering workstation containing EcoStruxure Control Expert or Process Expert. Note: this functionality may be provided by an external IPSEC compatible firewall located close to the controller.
• Version v15.1 of EcoStruxure Control Expert includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/548-ecostruxure-control-expert-unity-pro/#software-and-firmware
• Customers should immediately apply the following mitigations to reduce the risk of exploit: • Ensure to use simulator default panel option to make PLC simulator accessible only locally. • Modbus network connections are disabled by default on the PLC Simulator present in EcoStruxure Control Expert, mitigating the risk associated to this vulnerability. Note: The PLC Simulator feature is part of the EcoStruxure Control Expert software, and it helps users to review and test their configurations files in a simulation environment. It is not intended to be used as a controller CPU in a production environment.
• Schneider Electric's Modicon Quantum and Quantum Safety controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 or M580 Safety ePAC controller, our most current product offer. Customers should strongly consider migrating to the Modicon M580 ePAC. Please contact your local Schneider Electric technical support for more information.

Affected Vendors

Affected Products (25)

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy