SEVD-2020-175-01
Schneider Electric is aware of multiple vulnerabilities affecting Treck Inc.’s embedded TCP/IP stack, collectively known as Ripple20, which Treck disclosed publicly on June 16. The vulnerabilities range in severity and therefore have varying levels of risk. Schneider Electric continues to assess how the newly disclosed vulnerabilities affect its offers. The company will continue to update this notification as additional offer-specific information becomes available.

Customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from possible exploitation of these vulnerabilities. Where appropriate, this includes locating their industrial systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; and following the remediation and general security recommendations below.

For additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric’s Customer Care Center.

August 2022 Update: Added final mitigations for ATV6000 Medium Voltage Altivar Process Drive (page 2).
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider Electric | ATV630/650/660/680/6A0/6B0 Altivar Process Drives | V3.3IE26 |
| Schneider Electric | VW3A3320 Altivar 61/71 Ethernet IP RSTP option | V1.1IE19 and prior |
| Schneider Electric | TM3BC bus coupler module – EIP | prior to V2.2.1.1 |
| Schneider Electric | VW3A3310D Altivar 61/71 Ethernet daisy chain option | 3.0IE11 and prior |
| Schneider Electric | SCADAPack 32 RTU | 2.25 and later |
| Schneider Electric | ATV6000 Medium Voltage Altivar Process Drives | prior to V1.6IE01 |
| Schneider Electric | ATV930/950/960/980/9A0/9B0 Altivar Process Drives | prior to V3.3IE26 |
| Schneider Electric | ATV6000 Medium Voltage Altivar Process Drives | 3.3IE26 and later |
| Schneider Electric | VW3A3320 Altivar 61/71 Ethernet IP option | V1.2IE14 and prior |
| Schneider Electric | SCADAPack 32 RTU | prior to V2.25 |
| Schneider Electric | TM3BC bus coupler module - SL | V2.1.1.1 |
| Schneider Electric | TM3BC bus coupler module – EIP | V2.2.1.1 |
| Schneider Electric | ATV340E Altivar Machine Drives | prior to 3.2IE25 |
| Schneider Electric | ATV630/650/660/680/6A0/6B0 Altivar Process Drives | prior to 3.3IE33 |
| Schneider Electric | TM3BC bus coupler module - CANOpen | prior to V2.1.1.1 |
| Schneider Electric | TM3BC bus coupler module - SL | prior to V2.1.1.1 |
| Schneider Electric | VW3A3310 Altivar 61/71 Modbus TCP option | 2.1IE09 and prior |
| Schneider Electric | TM3BC bus coupler module - CANOpen | V2.1.1.1 |
| Schneider Electric | ATV340E Altivar Machine Drives | V3.2IE25 |
| Schneider Electric | ATV930/950/960/980/9A0/9B0 Altivar Process Drives | V3.3IE26 |
Timeline
- Jun 23, 2020 CVE Published
- Aug 8, 2022 CVE Updated
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-175-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2020-175-01_Treck_Vulnerabilities_Ripple20_Security_Notification_V2.18.pdf advisory
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-175-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2020-175-01.json advisory
- https://www.se.com/us/en/download/document/7EN52-0390/ url