20 May 2022
KLCERT-20-061 / KLCERT-20-068: Schneider Electric Modicon M340/M580 Authentication Bypass by Spoofing
CVE
KLCERT
KLCERT-20-061 / KLCERT-20-068
Timeline
Kaspersky ICS CERT advisory updated: 28 August 2024
Kaspersky ICS CERT advisory published: 20 May 2022
Advisory published: July 2021
Kaspersky ICS CERT has discovered an authentication bypass vulnerability in Schneider Electric Modicon M340/M580 controllers.
CVSS v3
Exploitability: Remotely
Existence of exploit: Proof-of-Concept
Affected products
The following Schneider Electric products:
Mitigation
Vendor mitigation
Upgrading to EcoStruxure™ Control Expert V15.1 and EcoStruxure™ Process Expert V2021 is the first step in a two-step process to fully address this vulnerability. To complete the fix, follow the mitigation recommendations provided below.
EcoStruxure™ Control Expert versions prior to V15.1, including all versions of Unity Pro (former name of EcoStruxure™ Control Expert):
EcoStruxure™ Process Expert versions prior to V2021, including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert):
SCADAPack RemoteConnect, all versions:
Modicon M580 CPU (part numbers BMEP* and BMEH*), all versions:
Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety):
Modicon M580 CPU Safety (BMEP58*S and BMEH58*S)
Modicon M340 CPU (part numbers BMXP34*), versions prior to V3.50:
Set up a VPN connection between impacted Modicon PLC modules and the engineering workstation with EcoStruxure™ Control Expert or Process Expert.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.