20 May 2022
KLCERT-20-061 / KLCERT-20-068: Schneider Electric Modicon M340/M580 Authentication Bypass by Spoofing
- CVE
- KLCERT: KLCERT-20-061 / KLCERT-20-068
Timeline
- Kaspersky ICS CERT advisory updated: 28 August 2024
- Kaspersky ICS CERT advisory published: 20 May 2022
- Advisory published: July 2021
Description
Kaspersky ICS CERT has discovered an authentication bypass vulnerability in Schneider Electric Modicon M340/M580 controllers.
CVSS v3
- Exploitability: Remotely
- Attack complexity
- User interaction
- Impact
- Existence of exploit: Proof-of-Concept
Affected products
The following Schneider Electric products:
- Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety), firmware versions prior to 4.10
- Modicon M580 Safety with firmware versions before 4.21
- Modicon M340 CPU (part numbers BMXP34*), firmware versions prior to V3.50
Mitigation
Vendor mitigation
Upgrading to EcoStruxure™ Control Expert V15.1 and EcoStruxure™ Process Expert V2021 is the first step in a two-step process to fully address this vulnerability. To fully address this issue, also follow the mitigation recommendations provided below.
EcoStruxure™ Control Expert versions prior to V15.1, including all versions of Unity Pro (former name of EcoStruxure™ Control Expert):
- Update EcoStruxure™ Control Expert to V15.1
- Customers using Unity Pro are strongly recommended to consider migrating to EcoStruxure™ Control Expert. Please contact your local Schneider Electric technical support for more information.
- Store project files in a secure storage and restrict access to trusted users only
- When exchanging files over the network, use secure communication protocols
- Encrypt project files when stored
- Only open project files received from trusted sources
- Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
- Harden the workstation running EcoStruxure™ Control Expert or Unity Pro
EcoStruxure™ Process Expert versions prior to V2021, including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert):
- Update EcoStruxure™ Process Expert to V2021
- Store project files in a secure storage and restrict access to trusted users only
- When exchanging files over the network, use secure communication protocols
- Encrypt project files when stored
- Only open project files received from trusted sources
- Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
- Harden the workstation running EcoStruxure™ Process Expert
SCADAPack RemoteConnect, all versions:
- Store project files in a secure storage and restrict access to trusted users only
- When exchanging files over the network, use secure communication protocols
- Encrypt project files when stored
- Only open project files received from trusted sources
- Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
- Harden the workstation running SCADAPack RemoteConnect™
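The hash check recommended in the three project-file lists above can be run against a baseline manifest, shown here as an added example that is not code from Schneider Electric or Kaspersky. It assumes SHA-256 and a JSON manifest kept outside the project directory; the function names and demo file names are illustrative.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large project archives are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(project_dir):
    """Map every file under project_dir (relative path) to its SHA-256 digest."""
    root = Path(project_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_manifest(manifest, manifest_path):
    # Assumption: manifest_path is outside project_dir, on storage that users who
    # can write project files cannot modify; otherwise both can be changed together.
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def verify(project_dir, manifest_path):
    """Compare current hashes with the baseline; report every deviation."""
    baseline = json.loads(Path(manifest_path).read_text())
    current = build_manifest(project_dir)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }

def is_clean(report):
    """True only when no file is modified, missing, or unexpected."""
    return not any(report.values())

if __name__ == "__main__":
    # Constructed demo data: two stand-in project files in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        project, manifest = Path(tmp, "projects"), Path(tmp, "baseline.json")
        project.mkdir()
        (project / "line1_project.bin").write_bytes(b"constructed project A")
        (project / "line2_project.bin").write_bytes(b"constructed project B")
        save_manifest(build_manifest(project), manifest)
        print("after baseline:", is_clean(verify(project, manifest)))
        (project / "line1_project.bin").write_bytes(b"modified outside the tool")
        print("after change:", verify(project, manifest))
```

Run the verification before a project file is opened in the engineering software, and treat any non-empty report as a reason not to open it until the change is explained.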
Modicon M580 CPU (part numbers BMEP* and BMEH*), all versions:
- Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP
- Configure the Access Control List following the recommendations provided in the following user manual: “Modicon M580, Hardware, Reference Manual”
- Set up secure communications according to the following guideline: “Modicon Controllers Platform Cyber Security Reference Manual” in chapter “Setup secured communications”
- Use a BMENOC module and follow the instructions to configure the IPSEC feature as described in the following guideline: “Modicon M580 – BMENOC03.1 Ethernet Communications Module, Installation and Configuration Guide” in chapter “Configuring IPSEC communications”
- Set up a VPN connection between impacted Modicon PLC modules and the engineering workstation with EcoStruxure™ Control Expert or Process Expert.
Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety):
- Firmware SV4.10 includes a fix for this vulnerability and is available for download here.
Note: It is recommended to follow the remediation provided for EcoStruxure Control Expert and to use an application password to ensure complete remediation of this issue.
Modicon M580 CPU Safety (BMEP58*S and BMEH58*S):
- Update to SV4.21. Customers need to use EcoStruxure Control Expert v16.0 HF001 at minimum to connect with the latest version of M580 CPU Safety. The software is available for download here.
Modicon M340 CPU (part numbers BMXP34*), versions prior to V3.50:
- Update Modicon M340 firmware to version 3.50 or higher
- Using application passwords is recommended in addition to following the remediation recommendations provided for EcoStruxure™ Control Expert to ensure the complete remediation of this issue
- Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP
- Configure the Access Control List following the recommendations provided in the following user manual: “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”
- Set up a VPN connection between impacted Modicon PLC modules and the engineering workstation with EcoStruxure™ Control Expert or Process Expert.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.