22 Jul 2024


Password vulnerability found in Schneider PLCs

A password vulnerability has been found in Schneider Electric's M340 PLC

Schneider Electric is issuing firmware updates for more than a dozen Ethernet communications modules and CPUs in its Modicon M340 PLC family after a vulnerability was found that could be exploited to stop a device or execute code on it remotely.

The vulnerability, discovered by the US industrial cyber-security specialist, CyberX, is triggered by entering a long password (of at least 65 characters) when logging into the device’s Web server. No username is needed, and simply clicking on an OK button can cause the device to crash.

Schneider has issued a security notice acknowledging that it may be possible to construct a password to pass to the server that could execute code remotely in memory on the device, although this possibility has not been verified. The notice lists the affected devices.

The US Industrial Control Systems Cyber Emergency Response Team (ICS-Cert) has issued an advisory on the vulnerability, stating that it could be exploited by an attacker “with a low skill”.

CyberX, which reported the vulnerability to Schneider in October 2015, describes its potential effect as “very extensive”.

Schneider has already issued firmware updates for some of the affected products and is planning to release a further series of updates later this month. The company also recommends blocking Port 80 on the affected devices.
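One way to watch for the trigger described above on devices that cannot yet be patched or have Port 80 blocked, added here as an example and not code from the article or any party it names. It assumes the Web server login uses HTTP Basic authentication (the article does not say) and that request headers are available from a proxy or packet capture; the function names, host set and sample requests are constructed.

```python
import base64
import binascii

# The article gives 65 characters as the shortest password that triggers the fault.
TRIGGER_LEN = 65

def basic_password_len(header_value):
    """Length in bytes of the password in an 'Authorization: Basic' value.
    Returns None when the scheme is not Basic or the token cannot be decoded."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Credentials are "user:password"; the user part may be empty.
    _, sep, password = decoded.partition(b":")
    return len(password) if sep else None

def flag_long_passwords(requests, plc_hosts):
    """requests: iterable of (src_ip, dst_ip, headers). Returns (src, dst, length) alerts."""
    alerts = []
    for src, dst, headers in requests:
        if dst not in plc_hosts:
            continue
        for name, value in headers.items():
            if name.lower() != "authorization":
                continue
            length = basic_password_len(value)
            if length is not None and length >= TRIGGER_LEN:
                alerts.append((src, dst, length))
    return alerts

def make_basic(user, password):
    """Build a Basic header value for the constructed samples below."""
    return "Basic " + base64.b64encode(user + b":" + password).decode()

# Constructed sample traffic (documentation address range), not real captures.
PLC_HOSTS = {"192.0.2.20"}
SAMPLE = [
    ("192.0.2.5", "192.0.2.20", {"Authorization": make_basic(b"operator", b"s3cret")}),
    ("192.0.2.9", "192.0.2.20", {"authorization": make_basic(b"", b"A" * 65)}),
    ("192.0.2.7", "192.0.2.20", {"Authorization": make_basic(b"eng", b"B" * 64)}),
    ("192.0.2.8", "192.0.2.20", {"Authorization": "Basic !!not-base64!!"}),
    ("192.0.2.9", "192.0.2.99", {"Authorization": make_basic(b"", b"A" * 80)}),
]

if __name__ == "__main__":
    for src, dst, length in flag_long_passwords(SAMPLE, PLC_HOSTS):
        print(f"ALERT {src} -> {dst}: Basic-auth password of {length} bytes")
```

The length is counted in bytes after decoding, so a password containing multi-byte characters can be flagged below 65 characters.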

♦  Schneider Electric in the UK has issued the following statement:

Schneider Electric has always regarded the security of our customers’ systems as of paramount importance and has, for many years, had security guidelines available for our customers to ensure their systems are protected from attack.

We recognise that the threat environment is changing rapidly, and so are ramping up our investments accordingly. Along with focusing on key features such as performance, reliability, ease-of-use and ease-of-integration, security is changing the way we think about the development and design of our products.

An example of this is the Modicon M580 – a revolutionary ePAC controller which uses open Ethernet standards to enable a whole new level of process efficiency and flexibility, while providing the highest level of Cyber Security with its Achilles Level 2 certification, one of the highest cyber-security certifications available. Level 2 certification demands rigorous testing, for example for unauthorised access, password authentication, pass/fail requirements, protocol states and denial-of-service storm rates. The Achilles certification program has become a de facto cyber-security standard for critical infrastructure sectors and is already adopted by the world’s largest suppliers and end-users of industrial control and safety systems.

Our cyber-security experts across our businesses keep up-to-date on potential and identified vulnerabilities with our solutions. They work with cyber-security researchers to analyse our systems on a continual basis. We are committed to helping our customers protect the security of their installations with a combination of secure designs, patches for legacy products, and mitigation recommendations.

When a vulnerability is identified, we work quickly to provide our customers with an explanation of these vulnerabilities, a mitigation action plan, and a schedule for planned software patches. We strongly recommend customers take note of the actions we recommend to minimise their exposure to the vulnerabilities.

In the case of the recently published vulnerability on Modicon M340, our customers had already been informed via cyber-security notification alerts via our global cyber-security Web page where customers are informed about workarounds and the availability of updated firmware. Customers can also subscribe to receive future notifications, as well as access additional information including cyber-security news and white papers.