CVE-2020-7562

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to cause a segmentation fault or buffer overflow by uploading a specially crafted file via FTP to affected Schneider Electric PLC controllers. It affects Modicon M340, Quantum, and Premium Legacy PLCs and their communication modules. Successful exploitation could disrupt industrial control operations.

💻 Affected Systems

Products:
  • Modicon M340
  • Modicon Quantum
  • Modicon Premium Legacy
  • Communication Modules for these PLCs
Versions: All versions prior to patches listed in vendor advisory
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web server component when FTP service is enabled. Default configurations typically have FTP enabled for maintenance.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete PLC crash leading to industrial process disruption, potential denial of service in critical infrastructure environments, and possible remote code execution if the buffer overflow leads to arbitrary code execution.

🟠 Likely Case

PLC segmentation fault causing temporary loss of control, requiring a manual restart and potentially disrupting industrial processes.

🟢 If Mitigated

Limited impact if FTP access is properly restricted and network segmentation isolates PLCs from untrusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires FTP access to the PLC. No authentication bypass is needed if FTP is configured without authentication or with weak credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to vendor advisory SEVD-2020-315-01 for specific firmware versions

Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-315-01/

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Schneider Electric website.
2. Follow the vendor's firmware update procedures for the affected PLC models.
3. Restart the PLC after the firmware update.
4. Verify that the firmware version matches the patched version.

🔧 Temporary Workarounds

Disable FTP Service (applies to: all)

  • Disable FTP access to PLCs if not required for operations
  • Configure the PLC to disable the FTP service via engineering software

Network Segmentation (applies to: all)

  • Isolate PLCs in separate network segments with strict firewall rules
  • Add firewall rules to block FTP (port 21) access from untrusted networks

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PLCs from untrusted networks
  • Disable FTP service entirely if not required for operations

🔍 How to Verify

Check if Vulnerable:

Check the PLC firmware version against the vendor advisory. If the FTP service is enabled and the firmware is unpatched, the system is vulnerable.

Check Version:

Use Schneider Electric engineering software (Unity Pro, EcoStruxure Control Expert) to read the PLC firmware version.

Verify Fix Applied:

Verify that the firmware version matches the patched version from the vendor advisory, then test FTP file upload functionality.

📡 Detection & Monitoring

Log Indicators:

  • FTP connection attempts to PLCs
  • Unusual file uploads via FTP
  • PLC crash/restart events

Network Indicators:

  • FTP traffic to PLCs from unexpected sources
  • Large or malformed FTP file transfers

SIEM Query:

source="firewall" AND dest_port=21 AND dest_ip="PLC_IP_range"
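
Added example, not part of this advisory page: a small Python detector that applies the network indicators above to constructed firewall log lines, flagging FTP (port 21) to the PLC segment from any source outside an approved engineering-host list, and unusually large FTP transfers even from approved hosts. The key=value log format, the PLC subnet, the approved host and the size threshold are all assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not real data); key=value layout is assumed.
SAMPLE_LOGS = """\
src=10.0.5.12 dst=192.168.10.5 dport=21 bytes=1200 action=allow
src=10.0.5.12 dst=192.168.10.5 dport=502 bytes=300 action=allow
src=172.16.40.9 dst=192.168.10.7 dport=21 bytes=900 action=allow
src=10.0.5.12 dst=192.168.10.5 dport=21 bytes=6500000 action=allow
src=172.16.40.9 dst=192.168.10.7 dport=21 bytes=50 action=deny
""".splitlines()

PLC_RANGE = ipaddress.ip_network("192.168.10.0/24")      # assumed PLC segment
ENGINEERING_HOSTS = {ipaddress.ip_address("10.0.5.12")}  # assumed approved sources
LARGE_TRANSFER_BYTES = 1_000_000                         # assumed size threshold

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value firewall line into a dict; return None if malformed."""
    fields = dict(_KV.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"]),
            "action": fields.get("action", ""),
        }
    except (KeyError, ValueError):
        return None


def classify(event):
    """Return alert reasons for an FTP-to-PLC event; empty list means benign."""
    reasons = []
    if event["dst"] not in PLC_RANGE or event["dport"] != 21:
        return reasons                      # not FTP to the PLC segment at all
    if event["src"] not in ENGINEERING_HOSTS:
        reasons.append("ftp-from-unexpected-source")   # denied attempts count too
    if event["action"] == "allow" and event["bytes"] >= LARGE_TRANSFER_BYTES:
        reasons.append("large-ftp-transfer")
    return reasons


def scan(lines):
    """Run classify() over log lines; return (src, dst, reasons) for each alert."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                        # skip malformed lines rather than crash
        reasons = classify(event)
        if reasons:
            alerts.append((str(event["src"]), str(event["dst"]), reasons))
    return alerts
```

Feed real firewall exports through `scan()` after adjusting the subnet and approved-host list; the second sample line (Modbus on port 502) shows that only port 21 traffic is considered.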
