SEVD-2020-080-01
Vulnerability from csaf_se - Published: 2020-03-20 00:00 - Updated: 2021-05-11 00:00
Summary
Modicon Controllers, EcoStruxure™ Control Expert and Unity Pro Programming Software
Notes
General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
https://www.se.com/us/en/download/document/7EN52-0390/
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp
LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION
About Schneider Electric
At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.
We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.
We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.
www.se.com
Overview
Researchers from Airbus Cybersecurity have made Schneider Electric aware of a vulnerability
in two versions of Schneider Electric's Modicon programmable controllers and its EcoStruxure
Control Expert (formerly Unity Pro) programming software.
Since alerting us to the vulnerability, Airbus Cybersecurity and Schneider Electric have
collaborated to validate the research and to assess its true impact. Our mutual findings
demonstrate that while the discovered vulnerability affects Schneider Electric offers, it equally
impacts many other vendors and the global industrial automation market in general, especially
when the baseline assumption of the attack technique Airbus Cybersecurity demonstrated is
considered. Given certain conditions, and assuming an attacker has access to the network,
many devices available from several different industrial control vendors are likewise vulnerable.
Details of the vulnerability and a remediation are included below. However, as a general
guideline, Schneider Electric and Airbus Cybersecurity encourage all industrial companies to
ensure they have implemented cybersecurity best practices across their operations and supply
chains to reduce cyber risks. Where appropriate this includes locating industrial systems and
remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized
access; preventing mission-critical systems and devices from being accessed from outside
networks; systematically applying security patches and activating antivirus software; and
applying whitelisting solutions.
For more detail on Airbus Cybersecurity's research, please visit their blog: https://airbus-cyber-security.com/blog/
May 2021 Remediation Update: Customers on EcoStruxure™ Control Expert versions prior to
V15.0 are recommended to upgrade to remediate CVE-2020-7475.
Product Specific Recommendations
* Perform a Self-test:
  * EcoStruxure Control Expert V15 will self-test the integrity of its key components when the software is launched. If the results of the test are incorrect, a Windows warning will appear (“Integrity Check - Severe Warning!”) listing the invalid software components. If this happens, the software must be reinstalled!
  * This test can be performed at any time by selecting the Help menu, then choosing About EcoStruxure Control Expert/Perform Self-test.
* Harden the Engineering Workstation
  * Follow workstation, network and site-hardening guidelines in the Cybersecurity Best Practices guide available for download here: https://www.se.com/ww/en/download/document/7EN52-0390/
* Enable Application Whitelisting
  * Schneider Electric strongly recommends applying a whitelisting solution to mitigate the risk of this and other vulnerabilities. For assistance with this step, please contact our Cybersecurity Services team: https://www.se.com/us/en/work/services/cybersecurity-services/
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "We strongly recommend the following industry cybersecurity best practices.\n\nhttps://www.se.com/us/en/download/document/7EN52-0390/\n* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.\n* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.\n* Place all controllers in locked cabinets and never leave them in the \u201cProgram\u201d mode.\n* Never connect programming software to any network other than the network intended for that device.\n* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.\n* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.\n* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.\n* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.\nFor more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. \n",
"title": "General Security Recommendations"
},
{
"category": "general",
"text": "This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.\nFor further information related to cybersecurity in Schneider Electric\u2019s products, visit the company\u2019s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp",
"title": "For More Information"
},
{
"category": "legal_disclaimer",
"text": "THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS \u201cNOTIFICATION\u201d) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN \u201cAS-IS\u201d BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION",
"title": "LEGAL DISCLAIMER"
},
{
"category": "general",
"text": "At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.\n\nWe provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.\n\nWe are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.\n\nwww.se.com ",
"title": "About Schneider Electric"
},
{
"category": "summary",
"text": "Researchers from Airbus Cybersecurity have made Schneider Electric aware of a vulnerability\r\nin two versions of Schneider Electric\u0027s Modicon programmable controllers and its EcoStruxure \r\nControl Expert (formerly Unity Pro) programming software. \r\nSince alerting us to the vulnerability, Airbus Cybersecurity and Schneider Electric have \r\ncollaborated to validate the research and to assess its true impact. Our mutual findings \r\ndemonstrate that while the discovered vulnerability affects Schneider Electric offers, it equally \r\nimpacts many other vendors and the global industrial automation market in general, especially \r\nwhen the baseline assumption of the attack technique Airbus Cybersecurity demonstrated is \r\nconsidered. Given certain conditions, and assuming an attacker has access to the network, \r\nmany devices available from several different industrial control vendors are likewise vulnerable.\r\nDetails of the vulnerability and a remediation are included below. However, as a general \r\nguideline, Schneider Electric and Airbus Cybersecurity encourage all industrial companies to \r\nensure they have implemented cybersecurity best practices across their operations and supply \r\nchains to reduce cyber risks. Where appropriate this includes locating industrial systems and \r\nremotely accessible devices behind firewalls; installing physical controls to prevent unauthorized\r\naccess; preventing mission-critical systems and devices from being accessed from outside \r\nnetworks; systematically applying security patches and activating antivirus software; and \r\napplying whitelisting solutions.\r\nFor more detail on Airbus Cybersecurity\u0027s research, please visit their blog https://airbus-cyber-security.com/blog/ . \r\nMay 2021 Remediation Update: Customers on EcoStruxure\u2122 Control Expert versions prior to \r\nV15.0 are recommended to upgrade to remediate CVE-2020-7475. ",
"title": "Overview"
},
{
"category": "general",
"text": "\u2022 Perform a Self-test: o EcoStruxure Control Expert V15 will self-test the integrity of its key components when the software is launched. If the results of the test are incorrect, a Windows warning will appear (\u201cIntegrity Check - Severe Warning!\u201d) listing the invalid software components. If this happens, the software must be reinstalled! o This test can be performed at any time by selecting the Help menu, then choosing About EcoStruxure Control Expert/Perform Self-test. \u2022 Harden the Engineering Workstation o Follow workstation, network and site-hardening guidelines in the Cybersecurity Best Practices guide available for download here https://www.se.com/ww/en/download/document/7EN52-0390/ . \u2022 Enable Application Whitelisting o Schneider Electric strongly recommends applying a whitelisting solution to mitigate the risk of this and other vulnerabilities. For assistance with this step, please contact our Cybersecurity Services team https://www.se.com/us/en/work/services/cybersecurity-services/ .",
"title": "Product Specific Recommendations"
}
],
"publisher": {
"category": "vendor",
"contact_details": "cpcert@se.com",
"name": "Schneider Electric CPCERT",
"namespace": "https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp"
},
"references": [
{
"category": "self",
"summary": "Modicon Controllers, EcoStruxure\u2122 Control Expert and Unity Pro Programming Software - SEVD-2020-080-01 PDF Version",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-080-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2020-080-01_Modicon_EcoStruxure%E2%84%A2_Control%20Expert_UnityPro_V3.0.pdf"
},
{
"category": "self",
"summary": "Modicon Controllers, EcoStruxure\u2122 Control Expert and Unity Pro Programming Software - SEVD-2020-080-01 CSAF Version",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-080-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sevd-2020-080-01.json"
},
{
"category": "external",
"summary": "Recommended Cybersecurity Best Practices",
"url": "https://www.se.com/us/en/download/document/7EN52-0390/"
}
],
"title": "Modicon Controllers, EcoStruxure\u2122 Control Expert and Unity Pro Programming Software",
"tracking": {
"current_release_date": "2021-05-11T00:00:00.000Z",
"generator": {
"date": "2021-05-11T00:00:00Z",
"engine": {
"name": "Schneider Electric CSAF Generator",
"version": "1.2"
}
},
"id": "SEVD-2020-080-01",
"initial_release_date": "2020-03-20T00:00:00.000Z",
"revision_history": [
{
"date": "2020-03-20T00:00:00.000Z",
"number": "1.0.0",
"summary": "Original Release"
},
{
"date": "2020-11-10T00:00:00.000Z",
"number": "2.0.0",
"summary": "Increased robustness of EcoStruxure Control \r\nExpert against the CVE-2020-7475 in software \r\nversion 15.0 by enabling a new verification \r\nmechanism on key components (page 2) \r"
},
{
"date": "2021-05-11T00:00:00.000Z",
"number": "3.0.0",
"summary": "Remediation Update: Customers on \r\nEcoStruxure\u2122 Control Expert versions prior to \r\nV15.0 are recommended to upgrade to remediate \r\nCVE-2020-7475 (page 2)"
}
],
"status": "final",
"version": "3.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c15.0",
"product": {
"name": "Schneider Electric EcoStruxure\u2122 Control Expert all versions prior to V15.0",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "EcoStruxure\u2122 Control Expert"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Schneider Electric Unity Pro all versions",
"product_id": "2"
}
}
],
"category": "product_name",
"name": "Unity Pro"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.20",
"product": {
"name": "Schneider Electric Modicon M340 all versions prior to V3.20",
"product_id": "3"
}
}
],
"category": "product_name",
"name": "Modicon M340"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.10",
"product": {
"name": "Schneider Electric Modicon M580 all versions prior to V3.10",
"product_id": "4"
}
}
],
"category": "product_name",
"name": "Modicon M580"
},
{
"branches": [
{
"category": "product_version",
"name": "15.0",
"product": {
"name": "Schneider Electric EcoStruxure Control Expert V15.0",
"product_id": "5"
}
}
],
"category": "product_name",
"name": "EcoStruxure Control Expert"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.20",
"product": {
"name": "Schneider Electric M340 BMXP3420302 and CL and H V3.20 or above",
"product_id": "6",
"product_identification_helper": {
"model_numbers": [
"BMXP3420302 and CL and H"
]
}
}
}
],
"category": "product_name",
"name": "M340 BMXP3420302 and CL and H"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.20",
"product": {
"name": "Schneider Electric M340 BMXP342020 and H V3.20 or above",
"product_id": "7",
"product_identification_helper": {
"model_numbers": [
"BMXP342020 and H"
]
}
}
}
],
"category": "product_name",
"name": "M340 BMXP342020 and H"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.20",
"product": {
"name": "Schneider Electric M340 BMXP342000 V3.20 or above",
"product_id": "8",
"product_identification_helper": {
"model_numbers": [
"BMXP342000"
]
}
}
}
],
"category": "product_name",
"name": "M340 BMXP342000"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.20",
"product": {
"name": "Schneider Electric M340 BMXP341000 and H V3.20 or above",
"product_id": "9",
"product_identification_helper": {
"model_numbers": [
"BMXP341000 and H"
]
}
}
}
],
"category": "product_name",
"name": "M340 BMXP341000 and H"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.20",
"product": {
"name": "Schneider Electric M340 BMXP3420102 and CL V3.20 or above",
"product_id": "10",
"product_identification_helper": {
"model_numbers": [
"BMXP3420102 and CL"
]
}
}
}
],
"category": "product_name",
"name": "M340 BMXP3420102 and CL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.20",
"product": {
"name": "Schneider Electric M340 BMXP3420302 V3.20 or above",
"product_id": "11",
"product_identification_helper": {
"model_numbers": [
"BMXP3420302"
]
}
}
}
],
"category": "product_name",
"name": "M340 BMXP3420302"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP584040 V3.10 or above",
"product_id": "12",
"product_identification_helper": {
"model_numbers": [
"BMEP584040"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP584040"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEH584040 and C V3.10 or above",
"product_id": "13",
"product_identification_helper": {
"model_numbers": [
"BMEH584040 and C"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEH584040 and C"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP586040 and C V3.10 or above",
"product_id": "14",
"product_identification_helper": {
"model_numbers": [
"BMEP586040 and C"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP586040 and C"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEH586040 and C V3.10 or above",
"product_id": "15",
"product_identification_helper": {
"model_numbers": [
"BMEH586040 and C"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEH586040 and C"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP581020 and H V3.10 or above",
"product_id": "16",
"product_identification_helper": {
"model_numbers": [
"BMEP581020 and H"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP581020 and H"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP582020 and H V3.10 or above",
"product_id": "17",
"product_identification_helper": {
"model_numbers": [
"BMEP582020 and H"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP582020 and H"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP582040 and H V3.10 or above",
"product_id": "18",
"product_identification_helper": {
"model_numbers": [
"BMEP582040 and H"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP582040 and H"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP583020 V3.10 or above",
"product_id": "19",
"product_identification_helper": {
"model_numbers": [
"BMEP583020"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP583020"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP583040 V3.10 or above",
"product_id": "20",
"product_identification_helper": {
"model_numbers": [
"BMEP583040"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP583040"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP584020 V3.10 or above",
"product_id": "21",
"product_identification_helper": {
"model_numbers": [
"BMEP584020"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP584020"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP585040 and C V3.10 or above",
"product_id": "22",
"product_identification_helper": {
"model_numbers": [
"BMEP585040 and C"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP585040 and C"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEH582040 and C V3.10 or above",
"product_id": "23",
"product_identification_helper": {
"model_numbers": [
"BMEH582040 and C"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEH582040 and C"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.10",
"product": {
"name": "Schneider Electric M580 BMEP584040S BMEH584040S BMEH586040S BMEP582040S V3.10 or above",
"product_id": "24",
"product_identification_helper": {
"model_numbers": [
"BMEP584040S",
"BMEH584040S",
"BMEH586040S",
"BMEP582040S"
]
}
}
}
],
"category": "product_name",
"name": "M580 BMEP584040S BMEH584040S BMEH586040S BMEP582040S"
}
],
"category": "vendor",
"name": "Schneider Electric"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Flavian Dola"
],
"organization": "Airbus Cybersecurity"
}
],
"cve": "CVE-2020-7475",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream \r\nComponent (\u0027Injection\u0027), reflective DLL, vulnerability exists, which, if exploited, could allow \r\nattackers to transfer malicious code to the controller.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15",
"16",
"17",
"18",
"19",
"20",
"21",
"22",
"23",
"24"
],
"known_affected": [
"1",
"2",
"3",
"4"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP",
"product_ids": [
"1"
],
"restart_required": {
"category": "none"
},
"url": "https://www.se.com/ww/en/download/document/EcoStruxure_ControlExpert_V150/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP584040: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC \r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026status\r\nbar=1\u0026view=fit\r\n",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP584040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEH584040 and C: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC \r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026status\r\nbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEH584040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP586040 and C: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP586040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEH586040 and C: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEH586040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP581020 and H: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP581020_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP582020 and H: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP582020_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP582040 and H: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP582040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP583020: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP583020_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP583040: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP583040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP584020: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP584020_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP585040 and C: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEP585040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEH582040 and C: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration Guide\u201d in the chapter \u201cConfiguring IPSEC 
\r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/M580_BMEH582040_SV3.10/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMEP584040S \r\nBMEH584040S \r\nBMEH586040S\r\nBMEP582040S: update to firmware V3.10 or above \r\n(Available in the Download Links section) Please contact Schneider Electric Support to receive the firmware \r\nversion 3.10\r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M580:\r\n\u2022 Setup a secure communication according to the following guideline \u201cModicon Controllers \r\nPlatform Cyber Security Reference Manual,\u201d in chapter \u201cSetup secured\r\ncommunications\u201d: https://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=EIO0000001999.06.pdf\u0026p_Doc_Ref=EIO0000001999\r\n\u2022 Optional: Additional countermeasure to protect the controller:\r\nUse a BMENOC module and follow the instructions to configure IPSEC feature \r\ndescribed in the guideline \u201cModicon M580 - BMENOC03.1 Ethernet Communications \r\nModule, Installation, and Configuration 
Guide\u201d in the chapter \u201cConfiguring IPSEC \r\ncommunications\u201d:\r\nhttps://www.schneider-electric.com/en/download/document/HRB62665/#page=1\u0026toolbar=1\u0026scrollbar=1\u0026statusbar=1\u0026view=fit",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller BMXP3420302 and CL and H: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M340:\r\n\u2022 Configure the Access Control List following the recommendations of the user manual \r\n\u201cModicon M340 for Ethernet Communications Modules and Processors User Manual\u201d in \r\nchapter \u201cMessaging Configuration Parameters\u201d:\r\nhttps://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=31007131_K01_000_16.pdf\u0026p_Doc_Ref=31007131K01000\r\nFor assistance enabling the hotfix or to apply these steps, please contact our Customer Care \r\nCenter.",
"product_ids": [
"3"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/BMXP3420302_Firmwares/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller BMXP342020 and H: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M340:\r\n\u2022 Configure the Access Control List following the recommendations of the user manual \r\n\u201cModicon M340 for Ethernet Communications Modules and Processors User Manual\u201d in \r\nchapter \u201cMessaging Configuration Parameters\u201d:\r\nhttps://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=31007131_K01_000_16.pdf\u0026p_Doc_Ref=31007131K01000\r\nFor assistance enabling the hotfix or to apply these steps, please contact our Customer Care \r\nCenter. ",
"product_ids": [
"3"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/BMXP342020_Firmwares/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller BMXP342000: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M340:\r\n\u2022 Configure the Access Control List following the recommendations of the user manual \r\n\u201cModicon M340 for Ethernet Communications Modules and Processors User Manual\u201d in \r\nchapter \u201cMessaging Configuration Parameters\u201d:\r\nhttps://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=31007131_K01_000_16.pdf\u0026p_Doc_Ref=31007131K01000\r\nFor assistance enabling the hotfix or to apply these steps, please contact our Customer Care \r\nCenter. ",
"product_ids": [
"3"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/BMXP342000_Firmwares/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller BMXP341000 and H: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M340:\r\n\u2022 Configure the Access Control List following the recommendations of the user manual \r\n\u201cModicon M340 for Ethernet Communications Modules and Processors User Manual\u201d in \r\nchapter \u201cMessaging Configuration Parameters\u201d:\r\nhttps://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=31007131_K01_000_16.pdf\u0026p_Doc_Ref=31007131K01000\r\nFor assistance enabling the hotfix or to apply these steps, please contact our Customer Care \r\nCenter. ",
"product_ids": [
"3"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/BMXP341000_Firmwares/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller BMXP3420102 and CL: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in Ecostruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M340:\r\n\u2022 Configure the Access Control List following the recommendations of the user manual \r\n\u201cModicon M340 for Ethernet Communications Modules and Processors User Manual\u201d in \r\nchapter \u201cMessaging Configuration Parameters\u201d:\r\nhttps://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=31007131_K01_000_16.pdf\u0026p_Doc_Ref=31007131K01000\r\nFor assistance enabling the hotfix or to apply these steps, please contact our Customer Care \r\nCenter. ",
"product_ids": [
"3"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/BMXP3420102_Firmwares/"
},
{
"category": "vendor_fix",
"details": "After downloading the new version, found in the Download Links section below, all of the \r\nfollowing steps are required to remediate the vulnerability: \r\nSTEP 1: Update software and firmware:\r\n\u2022 On the engineering workstation: \r\no Recommended remediation: update to EcoStruxure Control Expert V15.0 \r\n(Available in the Download Links section)\r\n\u2022 On the Modicon M340 controller BMXP3420302: update to firmware V3.20 or above\r\n(Available in the Download Links section) \r\n\u2022 On the Modicon M580 controller: update to firmware V3.10 or above \r\n(Available in the Download Links section) \r\nSTEP 2: Update projects in EcoStruxure Control Expert by: \r\n\u2022 Setting up an application password in the project properties\r\n\u2022 Changing the version of the controller firmware to match the new firmware version of the\r\ntarget controller\r\nSTEP 3: Rebuild and transfer projects in EcoStruxure Control Expert:\r\n\u2022 Rebuild all current projects \r\n\u2022 Transfer them to Modicon controllers\r\nSTEP 4: Configure the Access Controls on Modicon controllers:\r\n\u2022 Setup network segmentation and implement a firewall to block all unauthorized access \r\nto port 502/TCP\r\nModicon M340:\r\n\u2022 Configure the Access Control List following the recommendations of the user manual \r\n\u201cModicon M340 for Ethernet Communications Modules and Processors User Manual\u201d in \r\nchapter \u201cMessaging Configuration Parameters\u201d:\r\nhttps://download.schneider-electric.com/files?p_enDocType=User+guide\u0026p_File_Name=31007131_K01_000_16.pdf\u0026p_Doc_Ref=31007131K01000\r\nFor assistance enabling the hotfix or to apply these steps, please contact our Customer Care \r\nCenter. ",
"product_ids": [
"3"
],
"restart_required": {
"category": "none"
},
"url": "https://www.schneider-electric.com/en/download/document/BMXP3420302_Firmwares/"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"1",
"2",
"3",
"4"
]
}
],
"title": "CVE-2020-7475"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.