Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M340, M580 and M580 Safety PLCs Improper Enforcement of Message Integrity During Transmission in a Communication Channel (CVE-2023-6408)

Severity: High | Tenable OT Security Plugin ID 502835

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A CWE-924 (Improper Enforcement of Message Integrity During Transmission in a Communication Channel) vulnerability exists that could cause a denial of service and a loss of confidentiality and integrity of controllers when an attacker conducts a man-in-the-middle attack.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Schneider Electric has identified the following remediations and mitigations users can apply to reduce risk:

Modicon M340 CPU (part numbers BMXP34*):

- Firmware Version SV3.60 includes a fix for this vulnerability and is available for download.
- Set up an application password in the project properties.
- Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
- Configure the access control list following the recommendations of the user manual "Modicon M340 for Ethernet Communications Modules and Processors User Manual", chapter "Messaging Configuration Parameters".
- Set up a secure communication according to the guideline "Modicon Controllers Platform Cyber Security Reference Manual", chapter "Set up secured communications".
- Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details, refer to the chapter "How to protect M580 and M340 architectures with EAGLE40 using VPN".
- Ensure the M340 CPU is running with the memory protection activated by configuring the input bit to a physical input. For more details, refer to the guideline "Modicon Controllers Platform Cyber Security Reference Manual", "CPU Memory Protection" section.

Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety):

- Firmware Version SV4.20 includes a fix for this vulnerability and is available for download.
- Set up an application password in the project properties.
- Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
- Configure the access control list following the recommendations of the user manual "Modicon M580, Hardware, Reference Manual".
- Set up a secure communication according to the guideline "Modicon Controllers Platform Cyber Security Reference Manual", chapter "Set up secured communications".
- Use a BMENOC module and follow the instructions to configure the IPsec feature as described in the guideline "Modicon M580 - BMENOC03.1 Ethernet Communications Module, Installation and Configuration Guide", chapter "Configuring IPSEC communications".
- Use a BMENUA0100 module and follow the instructions to configure the IPsec feature as described in the chapter "Configuring the BMENUA0100 Cybersecurity Settings".
- Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details, refer to the chapter "How to protect M580 and M340 architectures with EAGLE40 using VPN".
- Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input. For more details, refer to the guideline "Modicon Controllers Platform Cyber Security Reference Manual", "CPU Memory Protection" section.
- The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.

Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58S):

- Firmware SV4.21 includes a fix for CVE-2023-6408 and is available for download. Important: users need to use EcoStruxure Control Expert v16.0 HF001 at minimum to connect with the latest version of M580 CPU Safety.
- If users choose not to apply the remediation, they are encouraged to immediately apply the following mitigations to reduce the risk of exploit:
  - Set up an application password in the project properties.
  - Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
  - Configure the access control list following the recommendations of "Modicon M580, Hardware, Reference Manual".
  - Set up a secure communication according to the guideline "Modicon Controllers Platform Cyber Security Reference Manual", chapter "Set up secured communications".
  - Use a BMENOC module and follow the instructions to configure the IPsec feature as described in the guideline "Modicon M580 - BMENOC03.1 Ethernet Communications Module, Installation and Configuration Guide", chapter "Configuring IPSEC communications": https://www.se.com/ww/en/download/document/HRB62665/
  - Use a BMENUA0100 module and follow the instructions to configure the IPsec feature as described in the chapter "Configuring the BMENUA0100 Cybersecurity Settings".
  - Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details, refer to the chapter "How to protect M580 and M340 architectures with EAGLE40 using VPN".
  - Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input. For more details, refer to the guideline "Modicon Controllers Platform Cyber Security Reference Manual", "CPU Memory Protection" section.
  - NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.
  - To further reduce the attack surface on Modicon M580 CPU Safety: ensure the CPU is running in Safety mode and the maintenance input is configured to maintain this Safety mode during operation. Refer to the document "Modicon M580 - Safety System Planning Guide", chapter "Operating Mode Transitions".
- Schneider Electric is establishing a remediation plan for all future versions of EcoStruxure Process Expert that will include a fix for CVE-2023-6409 and CVE-2023-27975. They will update SEVD-2024-317-04 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

Modicon MC80 (part numbers BMKC80):

- Set up an application password in the project properties.
- Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
- Configure the access control list following the recommendations of "Modicon MC80 Programmable Logic Controller (PLC) manual" in the chapter "Access Control List (ACL)".
- Set up a secure communication according to "Modicon Controller Systems Cybersecurity, User Guide" in chapter "Set Up Encrypted Communication".

Modicon Momentum Unity M1E Processor (171CBU*), all versions (CVE-2023-6408):

- Set up an application password in the project properties.
- Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
- Set up a secure communication according to the guideline "Modicon Controller Systems Cybersecurity, User Guide", chapter "Set Up Encrypted Communication".

EcoStruxure Control Expert:

- Version 16.0 includes a fix for these vulnerabilities and is available for download. Reboot the computer after installation is completed.
- Enable encryption on the application project and store application files in a secure location with access restricted to legitimate users.
- Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
- Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

EcoStruxure Process Expert:

- Version 15.3 HF008 includes the fix for these vulnerabilities and is available for download.
- EcoStruxure Process Expert manages application files within its database in a secure way. Do not export and store them outside the application.
- Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
- Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices and the associated Schneider Electric Security Notification SEVD-2024-044-01 in PDF and CSAF.
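
As an added example (not Tenable, CISA or Schneider Electric code), the fixed firmware versions listed above can be applied to an asset inventory to separate controllers that need a firmware update from those for which this page lists mitigations only. The part-number patterns, the trailing "S" test for M580 Safety and the inventory rows are assumptions constructed for illustration.

```python
import re

# Fixed firmware per family, taken from the remediation text on this page.
# None = the page lists mitigations only for that family.
# Patterns are assumptions built from the part-number prefixes the page gives;
# M580 Safety must be tested before the general M580 rule (page: "excluding
# M580 CPU Safety"), so order in this list matters.
FAMILIES = [
    ("M580 Safety",  re.compile(r"^BME[PH]58\d*S$"), (4, 21)),
    ("M580",         re.compile(r"^BME[PH]"),        (4, 20)),
    ("M340",         re.compile(r"^BMXP34"),         (3, 60)),
    ("MC80",         re.compile(r"^BMKC80"),         None),
    ("Momentum M1E", re.compile(r"^171CBU"),         None),
]

def parse_sv(text):
    """Parse 'SV4.20', 'v4.20' or '4.20' into (major, minor); None if malformed."""
    m = re.fullmatch(r"\s*(?:SV|V)?\s*(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(part_number, firmware):
    """Return (family, status) for one controller."""
    pn = part_number.strip().upper()
    for family, pattern, fixed in FAMILIES:
        if not pattern.search(pn):
            continue
        if fixed is None:
            return family, "mitigate-only"
        have = parse_sv(firmware)
        if have is None:
            # Never treat an unreadable version as patched.
            return family, "unknown-version"
        return family, ("fixed" if have >= fixed else "update-firmware")
    return None, "not-covered"

# Constructed inventory rows (part number, reported firmware); not real assets.
INVENTORY = [
    ("BMXP342020", "SV3.50"),
    ("BMEP584040", "SV4.20"),
    ("BMEP584040S", "SV4.20"),   # Safety CPU: needs SV4.21, so still exposed
    ("BMKC8020310", "SV1.80"),
    ("171CBU98090", "2.10"),
    ("BMEP582040", "n/a"),
]

def report(rows=INVENTORY):
    return [(pn, *triage(pn, fw)) for pn, fw in rows]

if __name__ == "__main__":
    for pn, family, status in report():
        print(f"{pn:<14} {family or '-':<13} {status}")
```

Controllers reported as `mitigate-only`, `update-firmware` or `unknown-version` are the ones to which the Port 502/TCP filtering, access control list and IPsec items above apply until firmware is confirmed.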

See Also

http://www.nessus.org/u?5e696d1f

https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-03

Plugin Details

Severity: High

ID: 502835

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 2/5/2025

Updated: 2/25/2025

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-6408

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:schneider-electric:modicon_m580_bmep584040_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp3420102_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp3420302cl_firmware, cpe:/o:schneider-electric:modicon_mc80_bmkc8020310_firmware, cpe:/o:schneider-electric:modicon_m580_bmep582020h_firmware, cpe:/o:schneider-electric:modicon_m580_bmep583020_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh584040_firmware, cpe:/o:schneider-electric:modicon_mc80_bmkc8020301_firmware, cpe:/o:schneider-electric:modicon_m580_bmep585040c_firmware, cpe:/o:schneider-electric:modicon_m580_bmep582040_firmware, cpe:/h:schneider-electric:modicon_mc80_bmkc8030311, cpe:/o:schneider-electric:modicon_m340_bmxp3420302h_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh586040s_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp342010_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh582040c_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp342030h_firmware, cpe:/o:schneider-electric:modicon_momentum_171cbu98090_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh582040_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp342030_firmware, cpe:/o:schneider-electric:modicon_m580_bmep582040h_firmware, cpe:/o:schneider-electric:modicon_m580_bmep586040c_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp341000h_firmware, cpe:/o:schneider-electric:modicon_m580_bmep582040s_firmware, cpe:/o:schneider-electric:modicon_momentum_171cbu78090_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp3420102cl_firmware, cpe:/o:schneider-electric:modicon_m580_bmep581020_firmware, cpe:/o:schneider-electric:modicon_m580_bmep586040_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh586040_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh584040c_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp342020_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh584040s_firmware, cpe:/o:schneider-electric:modicon_m580_bmep583040_firmware, 
cpe:/o:schneider-electric:modicon_m340_bmxp3420302_firmware, cpe:/o:schneider-electric:modicon_m580_bmep582020_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh582040s_firmware, cpe:/o:schneider-electric:modicon_m580_bmep581020h_firmware, cpe:/o:schneider-electric:modicon_m580_bmep584040s_firmware, cpe:/o:schneider-electric:modicon_m580_bmeh586040c_firmware, cpe:/o:schneider-electric:modicon_m580_bmep584020_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp341000_firmware, cpe:/o:schneider-electric:modicon_m580_bmep585040_firmware, cpe:/o:schneider-electric:modicon_momentum_171cbu98091_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp342020h_firmware, cpe:/o:schneider-electric:modicon_m340_bmxp342000_firmware

Required KB Items: Tenable.ot/Schneider

Exploit Ease: No known exploits are available

Patch Publication Date: 2/14/2024

Vulnerability Publication Date: 2/14/2024

Reference Information

CVE: CVE-2023-6408

CWE: 924

ICSA: 24-331-03