Schneider Electric devices using CODESYS Runtime

CVEs (37)

Remediations

• Version 6.3.1 of Vijeo Designer includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/1054-vijeodesigner-hmi-software/#software-and-firmware On the engineering workstation, update to v6.3.1 of Vijeo Designer. In order to complete the update, connect to Harmony HMI and download the project file using Vijeo Designer v6.3.1.
• Modicon Controller M241 Firmware delivered with Machine Expert v2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2 of Machine Expert. Update Modicon Controller M241 to the latest Firmware and preform reboot.
• Schneider Electric’s Magelis XBT series have reached their end of commercialization. Magelis XBTGT/XBTGK offers have been replaced by HMIGTO/HMIGTU/HMIGK. We recommend our customers to migrate to the latest offers. For Magelis XBT series that haven't been replaced, please contact your local Schneider Electric technical support for more information.
• Modicon Controller M251 Firmware delivered with Machine Expert v2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2 of Machine Expert. Update Modicon Controller M251 to the latest Firmware and preform reboot.
• Modicon Controller M262 Firmware delivered with Machine Expert v2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2 of Machine Expert. Update Modicon Controller M262 to the latest firmware and preform reboot.
• PacDrive 3 Controllers LMC Eco/Pro/Pro2 Firmware delivered with Machine Expert V2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to V2.2 of Machine Expert. Update PacDrive 3 Controllers: LMC Eco/Pro/Pro2 to the latest Firmware and preform reboot.
• Version 6.3.1 of Vijeo Designer includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/1054-vijeodesigner-hmi-software/#software-and-firmware On the engineering workstation, update to v6.3.1 of Vijeo Designer.
• SoftSPS component has been removed from Machine Expert V2.2. Machine Expert can be updated through the Schneider Electric Software Update (SESU) application.
• Schneider Electric´s Modicon LMC078 controllers have reached end of their life and are no longer commercially available. They have been replaced by the Modicon M262 controllers. We recommend our customers to migrate to the latest offer. Please contact your local Schneider Electric technical support for more information.
• Schneider Electric’s Modicon M218 controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon Easy M200 and Modicon M241 controllers. We recommend our customers to migrate to the latest offer. Please contact your local Schneider Electric technical support for more information.
• • Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. • Use encrypted communication links. • The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide mitigations through the activation of project encryption in the Enhanced Security Settings, chapter https://download.schneiderelectric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242. • Restrict access to programming ports, typically UDP/1740, TCP/11740 and TCP/1105.
• • Enable the optional ‘Implicit Checks’ on logic applications. • Avoid use of the POINTER data type and MEMMOVE instructions, especially on untrusted inputs. • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside. • Use firewalls to protect and separate the control system network from other networks. • Use VPN (Virtual Private Networks) tunnels if remote access is required. • Limit the access to both development and control system by physical means, operating system features, etc. • Protect both development and control system by using up to date malware protection. To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp
• Version 6.3 HF3 of Vijeo Designer includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. As an alternative, please contact your Schneider Electric Customer Care Center to obtain the Hot Fix. For additional detail please refer to the supplied help file in Hot Fix. On the engineering workstation, update to v6.3 HF3 of Vijeo Designer.
• Vijeo Designer Basic v2.0 HotFix 2 includes a fix for this vulnerability. Please contact your Schneider Electric Customer Care Center to obtain the installer. To complete the update, connect to Harmony HMI and download the firmware using Vijeo Designer Basic.
• Version 6.3 SP2 of Vijeo Designer includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/1054-vijeo-designer-hmi-software/#software-and-firmware As an alternative, please contact your Schneider Electric Customer Care Center to obtain the Fix. For additional details, please refer to the supplied help file in Hot Fix. On the engineering workstation, update to v6.3 SP2 of Vijeo Designer.
• Customers should immediately apply the following mitigations to reduce the risk of exploitation: • Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use.• Restrict access to programming ports, typically UDP/1740, TCP/11740 and TCP/484.• Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside.• Use firewalls to protect and separate the control system network from other networks.• Use VPN (Virtual Private Networks) tunnels if remote access is required. • Limit the access to both development and control system by physical means, operating system features, etc. • Protect both development and control system by using up to date malware protection.
• Version 3.1.5.82 includes a fix for this vulnerability and can be download here: https://www.se.com/ww/en/product-range/268959560-easy-modicon-m310 As an alternative, contact your Schneider Electric Customer Care Center to obtain the firmware. To complete the update, connect to M310 and download the firmware using EcoStruxureTM Motion Expert.

Affected Vendors

Affected Products (27)

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy