Several Schneider Electric Modicon controllers carry vulnerabilities that an unauthorized party could use to cause denial of service, disclose sensitive data, or compromise the integrity of the controller.
Modicon M340 CPUs running firmware versions prior to SV3.65 are affected by CVE-2024-8936, CVE-2024-8937, and CVE-2024-8938. Modicon MC80 and Momentum Unity M1E processors are not affected by CVE-2024-8936; note, however, that CVE-2024-8937 and CVE-2024-8938 also apply to the Modicon MC80, for which a fix is still pending (see below).
CVE-2024-8936 is an Improper Input Validation vulnerability in the controller: an attacker who has first achieved a man-in-the-middle position on the Modbus/TCP link can send crafted Modbus function calls and read sensitive memory contents from the controller.
CVE-2024-8937 is a memory buffer overflow in the controller's handling of Modbus requests, not a flaw in the Modbus protocol itself. After a successful MITM attack, a single crafted Modbus function call can trigger it, potentially leading to arbitrary code execution and full compromise of the controller.
CVE-2024-8938 is a second memory buffer overflow with the same outcome, arbitrary code execution. Here the attacker manipulates a Modbus function call during the MITM attack so that the memory the controller uses for its size calculations is corrupted, after which subsequent copies operate on attacker-influenced lengths.
Schneider Electric recommends updating the Modicon M340 CPU firmware (BMXP34*) to version SV3.65, which addresses all three vulnerabilities. Apply the update with care: back up the project and device configuration first, and test the new firmware in a separate environment before deploying it to production. For sites that cannot update yet, the mitigations below apply.
For M340 (BMXP34*) controllers still running versions before SV3.65, the mitigations are network segmentation, a firewall that blocks all unauthorized (in particular remote or external) access to port 502/TCP, and access control lists that restrict which hosts may reach the controller.
Also consider placing the controller behind an external firewall with virtual private network (VPN) capability and activating the controller's memory protection feature.
Schneider Electric is still developing a fix for CVE-2024-8937 and CVE-2024-8938 in Modicon MC80 PLCs. Until it is available, apply the same mitigations: segment the network, block port 502/TCP at the firewall, and configure access control lists.
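The three vulnerabilities above are all reached through crafted Modbus function calls, and the interim mitigations all come down to controlling who may talk Modbus/TCP to the controller. The following stand-alone checker, added here as an illustration and not code from Schneider Electric or the advisory, shows what both ideas look like on the wire: a source-address allow-list standing in for the recommended ACL or 502/TCP firewall rule, plus consistency checks on the MBAP length field and the byte-count fields that a crafted write request would violate. The subnet, the allowed function-code set and every frame in it are constructed for the example.

```python
"""Modbus/TCP request sanity checker (added example, not Schneider Electric code).

Applies an ACL-style source allow-list and checks that the size fields in the
MBAP header and in write-multiple requests agree with the bytes actually present.
All addresses, policies and frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Standard public function codes a typical SCADA client needs. Anything else,
# including vendor-specific codes, is flagged. (Assumed policy, not from the advisory.)
ALLOWED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}

# Hypothetical engineering/SCADA subnet that is allowed to reach the PLC on 502/TCP.
ALLOWED_CLIENT_NETWORKS = [ip_network("10.10.5.0/24")]

# Maximum quantities the Modbus application protocol allows for read requests.
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}


@dataclass
class Finding:
    severity: str
    reason: str


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into its MBAP fields and PDU; raise on truncation."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    return tid, pid, length, uid, frame[MBAP_LEN:]


def check_frame(src_ip: str, frame: bytes) -> list[Finding]:
    """Return the findings for one request frame (empty list means it looks sane)."""
    findings = []
    if not any(ip_address(src_ip) in net for net in ALLOWED_CLIENT_NETWORKS):
        findings.append(Finding("high", f"Modbus/TCP request from {src_ip}, outside allowed client networks"))
    try:
        _tid, pid, length, _uid, pdu = parse_mbap(frame)
    except ValueError as exc:
        findings.append(Finding("high", f"malformed frame: {exc}"))
        return findings
    if pid != 0:
        findings.append(Finding("medium", f"MBAP protocol id {pid} is not 0 (Modbus)"))
    # The MBAP length covers unit id + PDU. A mismatch is the classic signature of a
    # crafted frame aimed at a receiver that trusts the declared size.
    if length != len(pdu) + 1:
        findings.append(Finding("high", f"MBAP length {length} does not match actual {len(pdu) + 1}"))
    fc = pdu[0]
    if fc not in ALLOWED_FUNCTION_CODES:
        findings.append(Finding("medium", f"function code {fc:#04x} not in allow-list"))
    elif fc in MAX_QUANTITY:
        # Read requests have a fixed 5-byte PDU and a spec-bounded quantity.
        if len(pdu) != 5:
            findings.append(Finding("high", f"read request PDU is {len(pdu)} bytes, expected 5"))
        else:
            quantity = int.from_bytes(pdu[3:5], "big")
            if not 1 <= quantity <= MAX_QUANTITY[fc]:
                findings.append(Finding("high", f"read quantity {quantity} out of range for fc {fc}"))
    elif fc in (15, 16):
        # Write Multiple Coils/Registers: the declared byte count must agree with both
        # the quantity field and the number of data bytes actually present.
        if len(pdu) < 6:
            findings.append(Finding("high", "write-multiple request truncated"))
        else:
            quantity = int.from_bytes(pdu[3:5], "big")
            byte_count = pdu[5]
            expected = quantity * 2 if fc == 16 else (quantity + 7) // 8
            if byte_count != expected or len(pdu) - 6 != byte_count:
                findings.append(Finding("high", f"byte count {byte_count} inconsistent with quantity "
                                                f"{quantity} and {len(pdu) - 6} data bytes"))
    return findings


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = {
    "benign_read_10_regs": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    # MBAP length claims 256 bytes but only 6 follow the length field
    "length_mismatch": bytes.fromhex("0002 0000 0100 01 03 0000 000a"),
    # FC16 with quantity 2 but byte count 0xff while 4 data bytes are present
    "bad_byte_count": bytes.fromhex("0003 0000 000b 01 10 0000 0002 ff 00010002"),
    # vendor-specific function code 0x5a with an otherwise consistent header
    "nonstandard_fc": bytes.fromhex("0004 0000 0004 01 5a 0001"),
}


def scan(src_ip: str, frames=SAMPLE_FRAMES) -> dict[str, list[str]]:
    """Run the checks over named frames and return the finding reasons per frame."""
    return {name: [f.reason for f in check_frame(src_ip, frame)] for name, frame in frames.items()}


if __name__ == "__main__":
    for name, reasons in scan("10.10.5.20").items():
        print(f"{name}: {reasons or 'ok'}")
    # The same frames from a host outside the allowed subnet pick up an ACL finding as well.
    print(scan("192.168.1.50")["benign_read_10_regs"])
```

Run as is, the benign read passes, the other three constructed frames each produce one finding, and a request from 192.168.1.50 is flagged regardless of content. The length and byte-count checks are the part worth keeping: they catch exactly the class of frame the controller-side overflows are triggered with, and they are cheap enough to run on a span port or in a Modbus-aware firewall in front of a controller that cannot be patched yet.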
More generally, isolate control and safety systems from business networks, implement physical access controls, physically secure the controllers themselves, and restrict which network connections programming software and mobile devices may use.
Network-segregated safety and control systems must still be protected from unauthorized access. Where remote access is genuinely necessary, control it strictly through secure VPNs, and keep both the VPN software and every connected device up to date, since the VPN is only as trustworthy as the endpoints on it.