View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: PowerLogic PM5500 and PowerLogic PM8ECC
• Vulnerabilities: Weak Password Recovery Mechanism for Forgotten Password, Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker gaining escalated privileges and obtaining control of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerLogic PM55xx power metering devices and PowerLogic PM8ECC ethernet communication module are affected:

• PM5560: Versions prior to v2.7.8
• PM5561: Versions prior to v10.7.3
• PM5562: v2.5.4 and prior
• PM5563: Versions prior to v2.7.8
• PM8ECC: All versions

3.2 Vulnerability Overview

3.2.1 WEAK PASSWORD RECOVERY MECHANISM FOR FORGOTTEN PASSWORD CWE-640

The affected product is vulnerable due to weak password recovery mechanisms, which may allow an attacker to gain unauthorized access and potentially deny service to legitimate system users.

CVE-2021-22763 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2021-22763. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER AUTHENTICATION CWE-287

The affected product is vulnerable due to improper authentication, which may provide an attacker with sensitive information or allow an attacker to remotely execute arbitrary code.

CVE-2021-22764 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2021-22764. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Multiple
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Jacob Baines of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider has provided the following remediations:

• Users should consider blocking HTTP access to the device at the firewall level or disable the HTTP web service to reduce the risk of exposure.
• Version 2.8.3 of the PowerLogic PM5560, 5563, 5580 firmware includes fixes for these vulnerabilities.
• Version 10.7.3 of the PowerLogic PM5561 firmware includes fixes for these vulnerabilities.
• Version 4.3.5 of the PowerLogic PM5562 firmware. includes fixes for these vulnerabilities.
• PowerLogic PM8ECC has reached end of service and is no longer supported.

Schneider Electric recommends the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version
  available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2021-159-02 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• November 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.1
• ATTENTION: Exploitable remotely
• Vendor: Schneider Electric
• Equipment: EcoStruxure Control Expert, EcoStruxure Process Expert and Modicon M340, M580 and M580 Safety PLCs
• Vulnerabilities: Improper Enforcement of Message Integrity During Transmission in a Communication Channel, Use of Hard-coded Credentials, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a denial of service, a loss of confidentiality, and threaten the integrity of controllers.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric products are affected:

• Modicon M340 CPU (part numbers BMXP34*): Versions prior to sv3.60 (CVE-2023-6408)
• Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety): Versions prior to SV4.20 (CVE-2023-6408)
• Modicon M580 CPU Safety: Versions prior to SV4.21 (CVE-2023-6408)
• EcoStruxure Control Expert: Versions prior to v16.0
• EcoStruxure Process Expert: Versions prior to v2023
• Modicon MC80 (part numbers BMKC80): All versions (CVE-2023-6408)
• Modicon Momentum Unity M1E Processor (171CBU*): All versions (CVE-2023-6408)

3.2 Vulnerability Overview

3.2.1 IMPROPER ENFORCEMENT OF MESSAGE INTEGRITY DURING TRANSMISSION IN A COMMUNICATION CHANNEL CWE-924

An improper enforcement of message integrity during transmission in a communication channel vulnerability exists that could cause a denial of service, a loss of confidentiality, and threaten the integrity of controllers through a man-in-the-middle attack.

CVE-2023-6408 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

A use of hard-coded credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.

CVE-2023-6409 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.3 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An insufficiently protected credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.

CVE-2023-27975 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Gao Jian, Jianshuang Ding, and Kaikai Yang reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following remediations and mitigations users can apply to reduce risk:

Modicon M340 CPU (part numbers BMXP34*):

• Firmware Version SV3.60 includes a fix for this vulnerability and is available for download.
• Set up an application password in the project properties.
• Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the access control list following the recommendations of the user manuals: “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”:
• Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”:
• Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”
• Ensure the M340 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”.

Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety):

• Firmware Versions SV4.20 includes a fix for this vulnerability and is available for download.
• Set up an application password in the project properties
• Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”.
• Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”:
• Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 – BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”:
• Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”.
• Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”.
• Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”.
• The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication .

Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58S):

• Firmware SV4.21 includes a fix for CVE-2023-6408 and is available for download. Important: users needs to use version of EcoStruxure Control Expert v16.0 HF001 minimum to connect with the latest version of M580 CPU Safety.
• If users choose not to apply the remediation, they are encouraged to immediately apply the following mitigations to reduce the risk of exploit:
• Set up an application password in the project properties.
• Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the Access Control List following the recommendations of “Modicon M580, Hardware, Reference Manual”
• Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”.
• Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 – BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/
• Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”
• Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”
• Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”
• NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.
• To further reduce the attack surface on Modicon M580 CPU Safety: Ensure the CPU is running in Safety mode and maintenance input is configured to maintain this Safety mode during operation – refer to the document Modicon M580 – Safety System Planning Guide – in the chapter “Operating Mode Transitions”.
• Schneider Electric is establishing a remediation plan for all future versions of EcoStruxure Process Expert that will include a fix for CVE-2023-6409 and CVE-2023-27975. They will update SEVD-2024-317-04 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

Modicon MC80 (part numbers BMKC80):

• Set up an application password in the project properties.
• Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the access control list following the recommendations of “Modicon MC80 Programmable Logic Controller (PLC) manual” in the chapter “Access Control List (ACL)” a secure communication according to “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”.
• (CVE-2023-6408) Schneider Electric Modicon Momentum Unity M1E Processor (171CBU*) All versions: Setup an application password in the project properties
  • Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP
  • Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”:

EcoStruxure Control Expert:

• Version 16.0 includes a fix for these vulnerabilities and is available for download. Reboot the computer after installation is completed.
• Enable encryption on application project and store application files in secure location with restricted access only for legitimate users.
• Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

EcoStruxure Process Expert:

• Version 15.3 HF008 includes the fix for these vulnerabilities and is available for download.
• EcoStruxure Process Expert manages application files within its database in secure way. Do not export & store them outside the application.
• Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices and the associated Schneider Electric Security Notification SEVD-2024-044-01 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

• November 26, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.0
• ATTENTION: Low Attack Complexity
• Vendor: Siemens
• Equipment: Siemens Engineering Platforms
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMATIC S7-PLCSIM V16: all versions
• SIMATIC S7-PLCSIM V17: all versions
• SIMATIC STEP 7 Safety V16: all versions
• SIMATIC STEP 7 Safety V17: versions prior to V17 Update 8
• SIMATIC STEP 7 Safety V18: versions prior to V18 Update 5
• SIMATIC STEP 7 V16: all versions
• SIMATIC STEP 7 V17: versions prior to V17 Update 8
• SIMATIC STEP 7 V18: versions prior to V18 Update 5
• SIMATIC WinCC Unified V16: all versions
• SIMATIC WinCC Unified V17: versions prior to V17 Update 8
• SIMATIC WinCC Unified V18: versions prior to V18 Update 5
• SIMATIC WinCC V16: all versions
• SIMATIC WinCC V17: versions prior to V17 Update 8
• SIMATIC WinCC V18: versions prior to V18 Update 5
• SIMOCODE ES V16: all versions
• SIMOCODE ES V17: versions prior to V17 Update 8
• SIMOCODE ES V18: all versions
• SIMOTION SCOUT TIA V5.4 SP1: all versions
• SIMOTION SCOUT TIA V5.4 SP3: all versions
• SIMOTION SCOUT TIA V5.5 SP1: all versions
• SINAMICS Startdrive V16: all versions
• SINAMICS Startdrive V17: all versions
• SINAMICS Startdrive V18: all versions
• SIRIUS Safety ES V17: versions prior to V17 Update 8
• SIRIUS Safety ES V18: all versions
• SIRIUS Soft Starter ES V17: versions prior to V17 Update 8
• SIRIUS Soft Starter ES V18: all versions
• TIA Portal Cloud V16: all versions
• TIA Portal Cloud V17: versions prior to V4.6.0.1
• TIA Portal Cloud V18: versions prior to V4.6.1.0

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Affected products do not properly sanitize user-controllable input when parsing user settings. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.

CVE-2023-32736 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-32736. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

• SIMATIC WinCC V17: Update to V17 Update 8 or later version
• SIMATIC STEP 7 Safety V17, SIMATIC STEP 7 V17, SIMATIC WinCC Unified V17: Update to V17 Update 8 or later version
• SIMOCODE ES V17, SIRIUS Safety ES V17, SIRIUS Soft Starter ES V17: Update to V17 Update 8 or later version
• SIMATIC STEP 7 Safety V18, SIMATIC STEP 7 V18, SIMATIC WinCC Unified V18, SIMATIC WinCC V18: Update to V18 Update 5 or later version
• TIA Portal Cloud V18: TIA Portal Cloud V4.6.1.0 or later version updated TIA Portal to V18 Update 5 or later version
• SIMOCODE ES V18, SIMOTION SCOUT TIA V5.5 SP1, SINAMICS Startdrive V18, SIRIUS Safety ES V18, SIRIUS Soft Starter ES V18: Update SIMATIC STEP 7 V18 to V18 Update 5 or later version
• SIMOTION SCOUT TIA V5.4 SP3, SINAMICS Startdrive V17: Update SIMATIC STEP 7 V17 to V17 Update 8 or later version
• TIA Portal Cloud V17: TIA Portal Cloud V4.6.0.1 or later version updated TIA Portal to V17 Update 8 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Avoid opening untrusted files from unknown sources in affected products

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-871035 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication