ICSA-26-078-02  ·  Published 2026-03-19

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

CVSS 5.4 MEDIUM

CVEs (1)

Remediations

  • Modicon Controller M241 Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
    • On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert. For help, refer to the Schneider Electric Software Installer User Guide, available here: https://www.se.com/ww/en/download/document/EIO0000005500/
    • Update Modicon Controller M241 to the latest firmware and perform a reboot. For instructions, refer to the Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/
  • Modicon Controller M251 Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
    • On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert. For help, refer to the Schneider Electric Software Installer User Guide, available here: https://www.se.com/ww/en/download/document/EIO0000005500/
    • Update Modicon Controller M251 to the latest firmware and perform a reboot. For instructions, refer to the Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/
  • If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
    • Use controllers and devices only in a protected environment to minimize network exposure, and ensure that they are not accessible from the public internet or untrusted networks.
    • Ensure usage of user management and password features. User rights are enabled by default, and users are forced to create a strong password at first use.
    • Deactivate the Webserver after use when not needed.
    • Use encrypted communication links.
    • Set up network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
    • Use VPN (Virtual Private Network) tunnels if remote access is required.
    • The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product-specific hardening guidelines.

Affected Vendors

Schneider Electric

Affected Products (6)

Schneider Electric · Modicon Controller M241 Firmware vers:intdot/<5.4.13.12
Schneider Electric · Modicon Controller M241 Firmware 5.4.13.12
Schneider Electric · Modicon Controller M251 vers:intdot/<5.4.13.12
Schneider Electric · Modicon Controller M251 Firmware 5.4.13.12
Schneider Electric · Modicon Controllers M258 Firmware vers:all/*
Schneider Electric · Modicon Controllers LMC058 Firmware vers:all/*
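
The version ranges above can be applied to an asset inventory as follows. This is an added example, not code from the advisory or from Schneider Electric; the inventory rows and function names are constructed for illustration, and it assumes that missing trailing version components count as zero. It compares versions numerically per component, because a plain string comparison ranks 5.4.13.2 above 5.4.13.12.

```python
# Added example: triage controllers against the ranges listed in this advisory.
# Inventory rows below are constructed sample data, not real assets.

FIXED = {"M241": "5.4.13.12", "M251": "5.4.13.12"}  # vers:intdot/<5.4.13.12
ALL_VERSIONS = {"M258", "LMC058"}                    # vers:all/*


def intdot(version):
    """Parse a dot-separated integer version into a tuple of ints."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not an intdot version: {version!r}")
    return tuple(int(p) for p in parts)


def intdot_less(a, b):
    """True if a < b numerically. Assumption: 5.4 is treated as 5.4.0.0."""
    ta, tb = intdot(a), intdot(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def triage(model, firmware):
    """Classify one controller by model and reported firmware string."""
    model = model.upper()
    if model in ALL_VERSIONS:
        return "affected-mitigate"   # every version is in range on this page
    if model not in FIXED:
        return "not-listed"
    try:
        older = intdot_less(firmware, FIXED[model])
    except ValueError:
        return "unknown-version"     # unparsable: verify on the device
    return "affected-update" if older else "fixed"


INVENTORY = [  # constructed: (asset name, model, firmware as reported)
    ("press-line-1", "M241", "5.4.13.2"),
    ("press-line-2", "M241", "5.4.13.12"),
    ("packaging-3", "M251", "5.3.9.18"),
    ("legacy-cell", "M258", "5.0.4.38"),
    ("motion-7", "LMC058", "unknown"),
]


def report(inventory):
    return {name: triage(model, fw) for name, model, fw in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:14} {status}")
```
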

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy
