Analysis Summary
# Vulnerability: Schneider Electric Modicon M340/M580 Authentication Bypass by Spoofing
## CVE Details
- **CVE ID:** CVE-2021-22779
- **CVSS Score:** 9.8 (Critical). The source article prints the score as "0.0", which is a typo: the vector string below (network, low complexity, no privileges, no user interaction, High/High/High impact) corresponds to 9.8.
- **CVSS Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **CWE:** CWE-290 (Authentication Bypass by Spoofing)
## Affected Systems
- **Products:** Schneider Electric Modicon M340 and M580 controllers, plus the engineering software that communicates with them
- **Versions:**
  - **Modicon M580 CPU (BMEP* and BMEH*, non-Safety):** Prior to firmware SV4.10
  - **Modicon M580 Safety:** Prior to firmware SV4.21
  - **Modicon M340 CPU (BMXP34*):** Prior to firmware SV3.50
  - **EcoStruxure™ Control Expert (including Unity Pro):** Prior to v15.1
  - **EcoStruxure™ Process Expert (including Hybrid DCS):** Prior to v2021
  - **SCADAPack RemoteConnect:** All versions
- **Configurations:** Controllers reachable over Modbus/TCP (TCP port 502) with no application-level password configured in the engineering software are exposed to the full impact; the application password is the vendor's mitigating control.
## Vulnerability Description
The controllers' engineering protocol, carried over Modbus/TCP between the engineering software (Control Expert / Unity Pro) and the PLC, does not reliably bind a session to the host that established it. An attacker on the network can spoof that Modbus communication and obtain read and write access to the controller without presenting valid credentials, giving the same capabilities the legitimate engineering workstation would have.
## Exploitation
- **Status:** Proof-of-Concept (PoC) available.
- **Complexity:** Low (no privileges or user interaction required, per the CVSS vector)
- **Attack Vector:** Network (remotely exploitable by any host that can reach the controller on TCP port 502)
## Impact
- **Confidentiality:** High (Unauthorized access to controller data and project files)
- **Integrity:** High (Ability to send unauthorized control commands and modify logic)
- **Availability:** High (Potential to disrupt industrial processes or stop the controller)
## Remediation
### Patches
- **Modicon M580 (Standard):** Upgrade to Firmware SV4.10 or higher.
- **Modicon M580 (Safety):** Upgrade to Firmware v4.21 or higher.
- **Modicon M340:** Upgrade to Firmware v3.50 or higher.
- **EcoStruxure™ Control Expert:** Upgrade to v15.1.
- **EcoStruxure™ Process Expert:** Upgrade to v2021.
### Workarounds
- **Application Passwords:** Configure an application-level password in the engineering software; the vendor treats this as required alongside the firmware update for complete remediation.
- **Network Segmentation:** Use firewalls to restrict TCP port 502 to the engineering workstations and HMIs that legitimately need it, and block all other sources.
- **Access Control:** Enable Access Control Lists (ACLs) on the controller as described in the Modicon hardware reference manuals.
- **Secure Communication:** Implement IPsec via BMENOC modules and route all engineering workstation-to-PLC communication over a VPN.
- **Integrity Checking:** Record hashes of project files at release time and verify them before each use, so that a tampered project is noticed before it is loaded.
## Detection
- **Indicators of Compromise:** Modbus/TCP (TCP port 502) sessions from hosts that are not known engineering workstations or HMIs; engineering-protocol commands (reservation, start/stop, project download) from such hosts; logic changes or project uploads/downloads that do not match change-management records; the same engineering session identifier appearing from two different source addresses.
- **Detection Methods:** Baseline which hosts legitimately communicate with each controller on TCP port 502, alert on any other source, and inspect engineering-protocol traffic for state-changing commands issued by non-engineering hosts or under a session another host established. Correlate run-state changes and project transfers with the maintenance schedule.
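The detection logic described above, worked through as an added example over constructed Modbus/TCP records (this is illustration code, not from the advisory, the vendor, or Kaspersky). It assumes the Schneider engineering protocol (UMAS) rides on Modbus function code 0x5A with the next byte carrying the session/reservation id, that the UMAS function-code names come from public protocol analyses, and that `ALLOWED_HOSTS` is a hypothetical allowlist of hosts permitted to reach the PLC on TCP port 502; the sample traffic is constructed, not captured.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
UMAS_FC = 0x5A  # Modbus function code carrying Schneider's UMAS engineering protocol (assumption)
MODBUS_WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}  # standard Modbus write functions

# UMAS function codes that change controller state, as named in public
# protocol analyses (assumed here; not stated on the page).
UMAS_STATE_CHANGING = {
    0x21: "WRITE_MEMORY_BLOCK", 0x23: "WRITE_VARIABLES",
    0x33: "INITIALIZE_DOWNLOAD", 0x34: "DOWNLOAD_BLOCK", 0x35: "END_STRATEGY_DOWNLOAD",
    0x40: "START_PLC", 0x41: "STOP_PLC",
}

# Hypothetical allowlist of hosts permitted to reach the PLC on tcp/502.
ALLOWED_HOSTS = {"10.0.10.5"}


@dataclass
class ModbusRecord:
    src_ip: str
    dst_port: int
    payload: bytes  # MBAP header followed by the Modbus PDU


def mbap_frame(pdu, unit=0, tid=1):
    """Wrap a Modbus PDU in a 7-byte MBAP header (used to build the constructed sample)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(payload):
    """Return (unit_id, pdu) for a well-formed Modbus/TCP frame, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    pdu = payload[7:]
    if proto != 0 or length != len(pdu) + 1:  # protocol id 0; length counts unit id + PDU
        return None
    return unit, pdu


def analyze(records, allowed_hosts=ALLOWED_HOSTS):
    """Scan records for the indicators listed above; return a list of (src_ip, reason)."""
    alerts = []
    session_owner = {}  # UMAS session byte -> first host seen using it
    for rec in records:
        if rec.dst_port != MODBUS_PORT:
            continue
        parsed = parse_frame(rec.payload)
        if parsed is None:
            alerts.append((rec.src_ip, "malformed Modbus/TCP frame on tcp/502"))
            continue
        _unit, pdu = parsed
        fc = pdu[0]
        trusted = rec.src_ip in allowed_hosts
        if not trusted:
            alerts.append((rec.src_ip, f"tcp/502 traffic from non-allowlisted host (fc=0x{fc:02x})"))
        if fc in MODBUS_WRITE_FCS and not trusted:
            alerts.append((rec.src_ip, f"Modbus write fc=0x{fc:02x} from non-allowlisted host"))
        if fc == UMAS_FC and len(pdu) >= 3:
            session, umas_fn = pdu[1], pdu[2]
            # A non-zero session byte is handed out when a host takes the reservation;
            # the same value arriving from a second host is the spoofed-identity pattern.
            if session:
                owner = session_owner.setdefault(session, rec.src_ip)
                if owner != rec.src_ip:
                    alerts.append((rec.src_ip,
                                   f"UMAS session 0x{session:02x} owned by {owner} reused: possible spoofed reservation"))
            if umas_fn in UMAS_STATE_CHANGING and not trusted:
                alerts.append((rec.src_ip,
                               f"UMAS {UMAS_STATE_CHANGING[umas_fn]} (0x{umas_fn:02x}) from non-allowlisted host"))
    return alerts


def session_spoof_alerts(records, allowed_hosts=ALLOWED_HOSTS):
    """Only the reservation-reuse alerts, the strongest indicator for this CVE class."""
    return [a for a in analyze(records, allowed_hosts) if "spoofed reservation" in a[1]]


# Constructed sample traffic (not a real capture): the engineering workstation takes the
# reservation and reads memory, an HMI polls registers, and an unknown host replays the
# workstation's session byte to stop the PLC, followed by a truncated frame.
SAMPLE = [
    ModbusRecord("10.0.10.5", 502, mbap_frame(bytes([UMAS_FC, 0x00, 0x10]))),                # TAKE_PLC_RESERVATION
    ModbusRecord("10.0.10.5", 502, mbap_frame(bytes([UMAS_FC, 0x7B, 0x20, 0, 0, 0, 0]))),    # READ_MEMORY_BLOCK, session 0x7B
    ModbusRecord("10.0.10.9", 502, mbap_frame(bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))),       # Modbus read holding registers
    ModbusRecord("10.0.99.77", 502, mbap_frame(bytes([UMAS_FC, 0x7B, 0x41]))),               # STOP_PLC with stolen session
    ModbusRecord("10.0.99.77", 502, b"\x00\x01\x00\x00\x00\x02\x00"),                         # truncated frame
]

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE):
        print(f"{src:>12}  {reason}")
```

The allowlist check covers the "unauthorized IP" indicator; the session-owner map is what catches the spoofing itself, since a leaked reservation id arriving from a second address fires regardless of whether that address is allowlisted. In production the records would come from a span-port capture or a Modbus-aware IDS rather than an in-memory list.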
## References
- **Vendor Advisory:** hxxps://www[.]se[.]com/ww/en/download/document/BMEx58x0x0_SV04[.]10/
- **Kaspersky Advisory:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2022/05/20/klcert-20-061-klcert-20-068-schneider-electric-modicon-m340-m580-authentication-bypass-by-spoofing/
- **NVD Detail:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2021-22779