CVE-2022-22724

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause denial of service on Schneider Electric Modicon M340 PLCs by flooding open TCP ports with RST or FIN packets. The attack affects both HTTP (port 80) and Modbus (port 502) services, potentially disrupting industrial operations. Only Modicon M340 BMXP34 CPU models are affected.

💻 Affected Systems

Products:
  • Schneider Electric Modicon M340 BMXP34 CPU
Versions: All Versions
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects both HTTP and Modbus services simultaneously when TCP ports are open.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete PLC unavailability leading to industrial process shutdown, production line stoppage, and potential safety risks in critical infrastructure.

🟠

Likely Case

Temporary PLC unresponsiveness causing production delays, data loss, and requiring manual intervention to restart affected systems.

🟢

If Mitigated

Minimal impact with proper network segmentation and rate limiting in place, potentially causing brief service interruptions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires only network access to TCP ports and ability to send crafted packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Schneider Electric advisory for specific firmware versions

Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01

Restart Required: Yes

Instructions:

  1. Download firmware update from Schneider Electric portal.
  2. Backup PLC configuration.
  3. Apply firmware update via programming software.
  4. Restart PLC.
  5. Verify firmware version.

🔧 Temporary Workarounds

Network Segmentation
Applies to: all

Isolate PLCs in separate network segments with firewall rules restricting access to ports 80 and 502.

Rate Limiting
Applies to: all

Configure network devices to limit TCP RST/FIN packets to PLC interfaces.

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted devices to communicate with PLC ports
  • Deploy intrusion prevention systems with DoS protection rules for industrial protocols

🔍 How to Verify

Check if Vulnerable:

Check if you have Modicon M340 BMXP34 CPU models in your environment and verify firmware version against Schneider Electric advisory

Check Version:

Use Schneider Electric programming software (Unity Pro) to read PLC firmware version

Verify Fix Applied:

Confirm firmware version has been updated to patched version specified in vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of TCP RST/FIN packets in firewall logs
  • PLC communication failures in SCADA/ICS logs

Network Indicators:

  • High volume of TCP RST/FIN packets to ports 80/502
  • PLC unresponsiveness to legitimate requests

SIEM Query:

source_ip=* AND (dest_port=80 OR dest_port=502) AND (tcp_flags=RST OR tcp_flags=FIN) AND packet_count>threshold
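The SIEM query above is schematic. The script below is an added example (not part of this advisory or any Schneider Electric tooling) that turns the same logic into a runnable check: it parses firewall-style log lines in a constructed key=value format, counts RST/FIN packets per source toward the PLC service ports 80 and 502 inside a sliding time window, and raises one alert per source/destination/port once a threshold is crossed. The log format, the threshold of 100 packets per 10 seconds, and the sample addresses are assumptions; tune the threshold to the normal session-close rate seen on your own PLC segment.

```python
"""Detect TCP RST/FIN floods toward Modicon M340 services (HTTP/80, Modbus/502).

Added example for CVE-2022-22724 detection; not vendor code.
Assumes firewall log lines in a constructed key=value format:
    ts=<epoch-seconds> src=<ip> dst=<ip> dport=<port> flags=<FLAG[,FLAG]>
"""
import re
from collections import defaultdict, deque

PLC_PORTS = {80, 502}          # HTTP and Modbus/TCP on the PLC
FLOOD_FLAGS = {"RST", "FIN"}   # flag types named in the advisory

LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z,]+)"
)


def parse_line(line):
    """Parse one log line; return a dict or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": set(m["flags"].split(",")),
    }


def detect_flood(lines, threshold=100, window=10):
    """Return alerts as (src, dst, dport, ts, count).

    An alert fires the first time a (src, dst, dport) key accumulates
    `threshold` RST/FIN packets within `window` seconds. Lines for other
    ports or without RST/FIN are ignored; lines must be time-ordered per key.
    """
    recent = defaultdict(deque)   # key -> timestamps inside the window
    alerted = set()               # keys already reported (alert once per key)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in PLC_PORTS:
            continue
        if not (rec["flags"] & FLOOD_FLAGS):
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        q = recent[key]
        q.append(rec["ts"])
        while q and q[0] < rec["ts"] - window:   # drop packets older than window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((*key, rec["ts"], len(q)))
    return alerts


def build_sample_log():
    """Constructed sample: one legitimate Modbus client closing sessions
    normally, one source sending 150 RST in three seconds, plus RSTs to a
    non-PLC port that must be ignored."""
    lines = []
    for i in range(20):
        lines.append(f"ts={i * 3} src=10.0.0.5 dst=192.168.10.20 dport=502 flags=ACK")
        if i % 5 == 4:   # a normal FIN every fifth exchange
            lines.append(f"ts={i * 3 + 1} src=10.0.0.5 dst=192.168.10.20 dport=502 flags=FIN,ACK")
    for i in range(150):
        lines.append(f"ts={30 + i // 50} src=10.0.0.99 dst=192.168.10.20 dport=502 flags=RST")
    for _ in range(5):
        lines.append("ts=31 src=10.0.0.99 dst=192.168.10.20 dport=8080 flags=RST")
    return lines


if __name__ == "__main__":
    for src, dst, dport, ts, count in detect_flood(build_sample_log()):
        print(f"RST/FIN flood: {src} -> {dst}:{dport}, {count} packets by ts={ts}")
```

The legitimate client's occasional FIN,ACK closes never accumulate inside the window, so only the flooding source is reported; the RST packets to port 8080 are skipped because only the two PLC service ports are watched. In production, feed the function the parsed output of your firewall or span-port sensor rather than the constructed sample.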
