Schneider Electric reports critical flaw in Modicon M580 and Quantum Controllers
Take action: If you are running Modicon M580 and Quantum industrial controllers, make sure they are isolated from the public internet, control access to UDP ports 67 and 68, and make sure the controllers are physically secure. Then check with the vendor for a patch and plan an update.
Schneider Electric has issued a security advisory for a critical vulnerability affecting multiple communication modules used in their Modicon M580 and Quantum controllers.
The vulnerability is tracked as CVE-2021-29999 (CVSS score 9.8), an out-of-bounds write flaw discovered in the DHCP server component of the Wind River VxWorks operating system (through version 6.8), which powers these industrial control system modules. If exploited, this vulnerability could lead to stack overflow attacks, complete loss of confidentiality and integrity, and denial of service of the affected devices.
It can be exploited remotely with low attack complexity and requires no user interaction or special privileges.
The following Schneider Electric communication modules are affected:
- Modicon M580 communication modules BMENOC0321: Versions prior to SV1.10
- Modicon M580 communication modules BMECRA31210: All versions
- Modicon M580/Quantum communication modules BMXCRA31200: All versions
- Modicon M580/Quantum communication modules BMXCRA31210: All versions
- Modicon Quantum communication modules 140CRA31908: All versions
- Modicon Quantum communication modules 140CRA31200: All versions
Schneider Electric has released the following mitigations:
- For BMENOC0321 modules, an update (Version SV1.10) is available that fixes the vulnerability.
- For other affected modules (BMECRA, BMXCRA, and 140CRA), Schneider is still developing fixes.
- In the interim, users should implement a firewall to allow only authorized traffic on UDP ports 67 and 68.
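One way to verify that the interim firewall rule is holding, as an added example that is not from Schneider Electric or the original article: a Python check over firewall flow logs that reports UDP traffic to ports 67 and 68 on affected modules from sources outside an allow list. The module addresses, the authorized DHCP peer and the log format are constructed assumptions, and only unicast flows addressed to a module are examined.

```python
import ipaddress

DHCP_PORTS = {67, 68}  # UDP ports named in the interim mitigation

# Constructed values: module addresses and the one permitted DHCP peer.
MODULES = {"10.20.0.11": "BMENOC0321", "10.20.0.12": "BMXCRA31210"}
AUTHORIZED = [ipaddress.ip_network("10.20.0.2/32")]

# Constructed flow-log lines: timestamp src sport dst dport proto
SAMPLE_LOG = """\
2024-01-01T08:00:01Z 10.20.0.2 68 10.20.0.11 67 udp
2024-01-01T08:00:05Z 192.168.50.7 68 10.20.0.11 67 udp
2024-01-01T08:00:09Z 10.20.0.40 502 10.20.0.12 502 tcp
2024-01-01T08:00:12Z 10.20.0.40 40000 10.20.0.12 68 udp
this line is malformed
2024-01-01T08:00:20Z 10.20.0.2 67 10.20.0.99 68 udp
"""


def parse_flow(line):
    """Return a flow dict, or None when the line does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def unauthorized_dhcp(log_text, modules=MODULES, authorized=AUTHORIZED):
    """Return (findings, skipped) for UDP 67/68 flows reaching a module."""
    findings, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # count unparsed lines so gaps in coverage are visible
            continue
        if (flow["proto"] != "udp" or flow["dst"] not in modules
                or flow["dport"] not in DHCP_PORTS):
            continue
        if any(flow["src"] in net for net in authorized):
            continue  # allow-listed DHCP peer
        findings.append((flow["ts"], str(flow["src"]), flow["dst"],
                         modules[flow["dst"]], flow["dport"]))
    return findings, skipped
```

Any finding means the firewall passed a DHCP-port packet to a module from a host that should have been blocked; a non-zero skipped count means part of the log was not evaluated.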
CISA notes that no known public exploitation of this vulnerability has been reported at this time, but encourages organizations to implement recommended defensive measures promptly.