Schneider Electric Modicon M340 Controller and Communication Modules

CVEs (1)

Remediations

• Version 3.60 of BMXNOE0100 includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product/BMXNOE0100/networkmodule-modicon-m340-modbus-tcp-1-x-rj45-flash-memorycard/ Reboot is needed to complete the firmware upgrade
• Version 6.80 of BMXNOE0110 includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product/BMXNOE0110/ethernettcp-ip-network-module-modicon-m340-automation-platformflash-memory-card-internal-ram-16-mb-1-x-rj45-10-100/ Reboot is needed to complete the firmware upgrade
• If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: • FTP service is disabled by default • Ensure to disable FTP service when not in use • Setup network segmentation and implement a firewall to block all unauthorized access to ports 21/FTP • Use VPN (Virtual Private Networks) tunnels if remote access is required
• Schneider Electric is establishing a remediation plan for all future versions of • Modicon M340 • BMXNOR0200H • BMXNGD0100 • BMXNOC401 We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit: • FTP service is disabled by default • Ensure to disable FTP service when not in use • Setup network segmentation and implement a firewall to block all unauthorized access to ports 21/FTP • Use VPN (Virtual Private Networks) tunnels if remote access is required

Affected Vendors

Affected Products (8)

Affected Sectors

Critical Manufacturing, Energy