CVE-2020-7477

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause a Denial of Service (DoS) on Schneider Electric Quantum and Premium PLCs by sending specially crafted Modbus commands. The flaw exists in improper checking for unusual conditions in Ethernet network modules and processors. Organizations using affected Schneider Electric industrial control systems are at risk.

💻 Affected Systems

Products:
  • Quantum Ethernet Network module 140NOE771x1
  • Quantum processors with integrated Ethernet 140CPU65xxxxx
  • Premium processors with integrated Ethernet
Versions:
  • 140NOE771x1: Versions 7.0 and prior
  • 140CPU65xxxxx: All versions
  • Premium processors: All versions
Operating Systems: Embedded firmware on PLCs
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using Modbus protocol over Ethernet. Requires network access to the PLC's Modbus port (typically TCP 502).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of industrial processes controlled by vulnerable PLCs, potentially causing production downtime, safety hazards, or environmental impacts in critical infrastructure.

🟠

Likely Case

Temporary DoS affecting specific PLCs, requiring manual restart and causing production interruptions in manufacturing or industrial environments.

🟢

If Mitigated

Limited impact with network segmentation and proper access controls, potentially causing isolated device restarts without broader system effects.

🌐 Internet-Facing: MEDIUM - While Modbus is often internal, exposed OT networks could be targeted if improperly segmented from IT networks.
🏢 Internal Only: HIGH - Industrial networks often have flat architectures where internal attackers or malware could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted Modbus packets to vulnerable devices. No authentication needed if network access is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Schneider Electric for specific firmware updates

Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-070-02/

Restart Required: Yes

Instructions:

1. Review Schneider Electric advisory SEVD-2020-070-02.
2. Contact Schneider Electric support for firmware updates.
3. Schedule a maintenance window.
4. Back up the PLC configuration.
5. Apply the firmware update following vendor instructions.
6. Restart affected devices.
7. Verify normal operation.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate PLC networks from business networks using firewalls

Access Control Lists

Platform: linux

Restrict Modbus TCP access to authorized IP addresses only

# Example firewall rules (adjust the subnet and chain for your environment;
# order matters: the ACCEPT for authorized hosts must precede the catch-all DROP,
# and use FORWARD instead of INPUT when the rules run on a gateway between segments):
iptables -A INPUT -p tcp --dport 502 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 502 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation between OT and IT networks
  • Deploy industrial firewall with deep packet inspection for Modbus traffic

🔍 How to Verify

Check if Vulnerable:

Check device firmware versions against affected versions list. Use network scanners to identify devices listening on Modbus TCP port 502.

Check Version:

Check through Schneider Electric programming software (Unity Pro) or device web interface

Verify Fix Applied:

Verify firmware version has been updated beyond vulnerable versions. Test with authorized Modbus traffic to ensure normal operation.

📡 Detection & Monitoring

Log Indicators:

  • PLC restart events
  • Modbus protocol errors
  • Unusual traffic patterns to port 502

Network Indicators:

  • Malformed Modbus packets
  • High volume of Modbus requests from single source
  • Traffic to port 502 from unauthorized sources

SIEM Query:

dest_port:502 AND (packet_size:unusual OR protocol_violation:true)
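The network indicators above (malformed Modbus frames, traffic to TCP/502 from unauthorized sources, high request volume from one source) can be checked against captured traffic with a small Modbus/TCP header validator. The following is an added example, not code from the advisory or from Schneider Electric; the authorized-source allowlist, the rate threshold and the sample frames are constructed placeholders, and the framing rules it applies (MBAP layout, protocol id 0, length field consistency, maximum ADU size, public function codes) come from the Modbus Application Protocol specification.

```python
"""Defender-side Modbus/TCP indicator checks (added example, not from the
advisory). Each frame is parsed as an MBAP header plus PDU and flagged when it
breaks the Modbus framing rules, arrives from an unlisted source, or belongs
to an unusually large burst from one host. Sample traffic is constructed."""
import struct
import ipaddress
from collections import Counter

MODBUS_PORT = 502
# Public function codes defined in the Modbus Application Protocol spec.
KNOWN_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16,
                        17, 20, 21, 22, 23, 24, 43}
MAX_ADU_LEN = 260  # 7-byte MBAP header + 253-byte maximum PDU

# Assumed allowlist of SCADA/engineering hosts; placeholder for your environment.
AUTHORIZED_SOURCES = [ipaddress.ip_network("192.168.1.0/24")]
RATE_THRESHOLD = 100  # assumed: requests per window from one source before alerting


def parse_mbap(frame: bytes):
    """Return (transaction_id, protocol_id, length, unit_id, pdu), or raise
    ValueError when the frame violates MBAP framing rules."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    if len(frame) > MAX_ADU_LEN:
        raise ValueError("frame exceeds maximum Modbus/TCP ADU length")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The MBAP length field counts unit id + PDU and must match the bytes present.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != actual {len(frame) - 6}")
    pdu = frame[7:]
    if pdu[0] not in KNOWN_FUNCTION_CODES:
        raise ValueError(f"unknown or reserved function code {pdu[0]}")
    return tid, pid, length, unit, pdu


def analyze(frames):
    """frames: iterable of (src_ip, dst_port, payload_bytes).
    Returns a list of (src_ip, indicator) alerts in the order they were raised."""
    alerts = []
    per_source = Counter()
    for src, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue  # only Modbus/TCP requests are of interest here
        per_source[src] += 1
        if not any(ipaddress.ip_address(src) in net for net in AUTHORIZED_SOURCES):
            alerts.append((src, "unauthorized_source"))
        try:
            parse_mbap(payload)
        except ValueError as exc:
            alerts.append((src, f"malformed: {exc}"))
    for src, count in per_source.items():
        if count > RATE_THRESHOLD:
            alerts.append((src, f"high_volume: {count} requests"))
    return alerts


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a well-formed Modbus/TCP frame (length = unit id + PDU bytes)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: a valid Read Holding Registers request (FC 3,
# start 0, count 10) from an authorized host, the same request truncated so the
# MBAP length no longer matches, and a valid request from an outside host.
READ_HR = bytes([0x03, 0x00, 0x00, 0x00, 0x0A])
VALID = build_request(1, 1, READ_HR)
SAMPLE_FRAMES = [
    ("192.168.1.10", 502, VALID),
    ("192.168.1.10", 502, VALID[:9]),
    ("10.9.9.9", 502, build_request(3, 1, READ_HR)),
]

if __name__ == "__main__":
    for src, indicator in analyze(SAMPLE_FRAMES):
        print(f"{src}: {indicator}")
```

In practice the `frames` iterable would be fed from a packet capture (for example, TCP payloads extracted with a pcap library), and the alerts forwarded to the SIEM alongside the PLC restart and protocol-error log indicators listed above.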
