CVE-2021-22816
📋 TL;DR
This vulnerability allows remote attackers to cause a Denial of Service (DoS) on Schneider Electric SCADAPack RTUs by sending specially crafted Modbus requests. The RTU becomes unresponsive when configured as a Modbus server. Affected products include SCADAPack 312E, 313E, 314E, 330E, 333E, 334E, 337E, 350E, and 357E RTUs with firmware V8.18.1 and prior.
💻 Affected Systems
- SCADAPack 312E
- SCADAPack 313E
- SCADAPack 314E
- SCADAPack 330E
- SCADAPack 333E
- SCADAPack 334E
- SCADAPack 337E
- SCADAPack 350E
- SCADAPack 357E
📦 What is this software?
Scadapack 312e Firmware by Schneider Electric
Scadapack 313e Firmware by Schneider Electric
Scadapack 314e Firmware by Schneider Electric
Scadapack 330e Firmware by Schneider Electric
Scadapack 333e Firmware by Schneider Electric
Scadapack 334e Firmware by Schneider Electric
Scadapack 337e Firmware by Schneider Electric
Scadapack 350e Firmware by Schneider Electric
Scadapack 357e Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of RTU functionality, disrupting industrial control processes and potentially causing operational downtime in critical infrastructure.
Likely Case
RTU becomes unresponsive, requiring manual reboot and causing temporary disruption to monitoring/control functions.
If Mitigated
Minimal impact with proper network segmentation and access controls preventing unauthorized Modbus traffic.
🎯 Exploit Status
Exploitation requires sending specially crafted Modbus packets to the RTU's Modbus port (typically TCP 502).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware V8.18.2 or later
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-01
Restart Required: Yes
Instructions:
1. Download firmware V8.18.2 or later from Schneider Electric. 2. Follow vendor instructions to update RTU firmware. 3. Verify firmware version after update. 4. Test RTU functionality.
🔧 Temporary Workarounds
Network Segmentation
allRestrict Modbus traffic to trusted sources only using firewalls or network ACLs.
Change Modbus Configuration
allReconfigure RTU to operate as Modbus client instead of server if possible.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RTUs from untrusted networks.
- Deploy intrusion detection systems to monitor for anomalous Modbus traffic patterns.
🔍 How to Verify
Check if Vulnerable:
Check RTU firmware version via vendor management interface. If version is V8.18.1 or earlier and RTU is configured as Modbus server, it is vulnerable.Check Version:
Use vendor-specific commands via management interface (varies by product).Verify Fix Applied:
Verify firmware version is V8.18.2 or later and test RTU functionality with normal Modbus operations.📡 Detection & Monitoring
Log Indicators:
- RTU becoming unresponsive
- Modbus connection errors
- Unexpected RTU reboots
Network Indicators:
- Unusual Modbus traffic patterns
- Multiple connection attempts to TCP port 502
- Malformed Modbus packets
SIEM Query:
source_ip=* AND dest_port=502 AND (packet_size>normal OR protocol_anomaly=true)