CVE-2020-7564

8.8 HIGH

📋 TL;DR

This buffer overflow vulnerability in Schneider Electric Modicon PLC web servers allows attackers to execute arbitrary commands by uploading malicious files via FTP. It affects Modicon M340, Quantum, and Premium Legacy PLCs and their communication modules. Successful exploitation could give attackers full control over industrial control systems.

💻 Affected Systems

Products:
  • Modicon M340
  • Modicon Quantum
  • Modicon Premium Legacy
  • Communication Modules for these PLCs
Versions: All versions prior to the security updates
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the built-in web server component when FTP service is enabled. Systems with FTP disabled are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, modify control logic, disrupt industrial processes, and potentially cause physical damage or safety incidents.

🟠 Likely Case

Unauthorized access to PLC systems, manipulation of industrial processes, data theft, and potential disruption of manufacturing or critical infrastructure operations.

🟢 If Mitigated

Limited impact if proper network segmentation, access controls, and monitoring are in place to detect and block malicious FTP activity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires FTP access to the PLC. No authentication is needed for the buffer overflow itself once FTP access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Schneider Electric security notification SEVD-2020-315-01 for specific firmware versions

Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-315-01/

Restart Required: Yes

Instructions:

1. Download the updated firmware from Schneider Electric's website.
2. Back up the current configuration.
3. Apply the firmware update following vendor instructions.
4. Restart the PLC.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable FTP Service

all

Disable the FTP service on affected PLCs if not required for operations

Network Segmentation

all

Isolate PLCs in separate network segments with strict firewall rules

🧯 If You Can't Patch

  • Implement strict network access controls to limit FTP access to trusted IP addresses only
  • Monitor FTP logs for unusual file uploads and implement intrusion detection for buffer overflow attempts

🔍 How to Verify

Check if Vulnerable:

Check if FTP service is enabled on Modicon PLCs and verify firmware version against Schneider Electric's advisory

Check Version:

Use Schneider Electric's programming software (Unity Pro, EcoStruxure Control Expert) to read PLC firmware version

Verify Fix Applied:

Verify firmware version has been updated to patched version and test that FTP service functions normally without allowing buffer overflow

📡 Detection & Monitoring

Log Indicators:

  • Unusual FTP file uploads
  • Large file uploads to PLC FTP server
  • Failed buffer overflow attempts in system logs

Network Indicators:

  • FTP connections from unauthorized sources
  • Unusual FTP traffic patterns to PLCs
  • Attempts to upload files with crafted payloads

SIEM Query:

source="ftp_logs" AND (dest_ip="PLC_IP" OR dest_ip="PLC_subnet") AND (file_size>threshold OR file_name CONTAINS suspicious_pattern)
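
The same logic as the query above, combined with the trusted-source restriction from the "If You Can't Patch" list, written as an added Python example (not part of the original advisory or of Schneider Electric's guidance). The log layout, subnet, trusted address, size threshold and filename pattern are all assumed placeholder values to be replaced with site-specific ones.

```python
import csv
import io
import ipaddress
import re

# Assumed site values (placeholders, not taken from the advisory).
PLC_SUBNET = ipaddress.ip_network("192.0.2.0/24")
TRUSTED_SOURCES = {ipaddress.ip_address("198.51.100.10")}  # e.g. engineering workstation
SIZE_THRESHOLD = 1_000_000  # bytes
# Placeholder policy: characters outside a conservative set, or very long names.
SUSPICIOUS_NAME = re.compile(r"[^A-Za-z0-9._/-]|.{65,}")

# Constructed sample log: timestamp,src_ip,dest_ip,command,file_name,file_size
SAMPLE_LOG = """\
2024-01-10T08:00:01Z,198.51.100.10,192.0.2.20,STOR,config.bin,20480
2024-01-10T08:05:12Z,203.0.113.77,192.0.2.20,STOR,page.htm,512
2024-01-10T08:06:40Z,198.51.100.10,192.0.2.21,STOR,image.bin,5000000
2024-01-10T08:07:02Z,198.51.100.10,192.0.2.21,RETR,config.bin,20480
2024-01-10T08:09:30Z,203.0.113.77,198.51.100.50,STOR,notes.txt,100
"""

def find_suspicious_uploads(log_text):
    """Return (timestamp, src, dest, reasons) for each flagged upload to the PLC subnet."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # malformed line; count these separately in production
        ts, src, dest, command, name, size = row
        try:
            src_ip = ipaddress.ip_address(src)
            dest_ip = ipaddress.ip_address(dest)
            size = int(size)
        except ValueError:
            continue
        # Only uploads (STOR) towards the PLC subnet are of interest here.
        if command.upper() != "STOR" or dest_ip not in PLC_SUBNET:
            continue
        reasons = []
        if src_ip not in TRUSTED_SOURCES:
            reasons.append("untrusted_source")
        if size > SIZE_THRESHOLD:
            reasons.append("large_upload")
        if SUSPICIOUS_NAME.search(name):
            reasons.append("suspicious_name")
        if reasons:
            alerts.append((ts, src, dest, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_uploads(SAMPLE_LOG):
        print(alert)
```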
