SB2019052218 - Multiple vulnerabilities in Schneider Electric Modicon Controllers
Published: May 22, 2019 Updated: November 7, 2019
Description
This security bulletin contains information about 20 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-7844)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper input validation. A remote attacker can gain unauthorized access to SNMP information when reading memory blocks from the controller over Modbus.
2) Information disclosure (CVE-ID: CVE-2019-6806)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper input validation. A remote attacker can gain unauthorized access to SNMP information when reading variables in the controller using Modbus.
3) Improper Authentication (CVE-ID: CVE-2018-7760)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in CGI functions. A remote attacker can send a specially crafted request to CGI functions, bypass the authentication process and gain unauthorized access to the application.
4) Buffer overflow (CVE-ID: CVE-2018-7759)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The vulnerability exists because the length of the source string, rather than the size of the destination buffer, is used as the number of bytes to copy. A remote attacker can trigger memory corruption and cause a denial of service condition.
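An added illustration of the copy-length defect in item 4 (example code, not code from this bulletin or from Schneider Electric): the wrong and the corrected bound side by side. The buffer size, field name and sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a fixed-size field, e.g. a device name
 * received over the network. Not a value from the affected product. */
#define NAME_BUF 16

/* The defect pattern described in item 4: the number of bytes copied comes
 * from the *source* (strlen), so any source longer than NAME_BUF-1 writes
 * past the end of dst. Kept for contrast only; it is never called below. */
void copy_name_source_bounded(char *dst, const char *src)
{
    memcpy(dst, src, strlen(src) + 1);
}

/* Corrected form: the bound is the destination size. Data that does not fit
 * is rejected (so the caller can log and drop it) instead of being written
 * out of bounds or silently truncated. src_len is passed explicitly because
 * network input is not guaranteed to be NUL-terminated. */
bool copy_name_dest_bounded(char *dst, size_t dst_size,
                            const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    if (src_len >= dst_size)          /* leave room for the terminator */
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Convenience wrapper: copy a NUL-terminated string into a NAME_BUF buffer
 * and report whether it was accepted. */
bool accept_name(const char *src, char out[NAME_BUF])
{
    return copy_name_dest_bounded(out, NAME_BUF, src, strlen(src));
}

int main(void)
{
    char name[NAME_BUF];
    printf("%d\n", accept_name("PLC-01", name));                      /* 1 */
    printf("%d\n", accept_name("name-longer-than-the-buffer", name)); /* 0 */
    return 0;
}
```

The rejecting form is preferable to a silently truncating one (strncpy-style) on a controller, because a dropped and logged message is visible to an operator while a truncated identifier is not.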
5) Uncaught Exception (CVE-ID: CVE-2018-7857)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
6) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2019-6813)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.
The vulnerability exists because the affected software does not check, or incorrectly checks, for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the software. A remote attacker can send specially crafted truncated SNMP packets to port 161/UDP on the affected device and cause a denial of service condition.
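An added illustration of the missing check in item 6 (example code, not code from this bulletin or from Schneider Electric): SNMP messages are ASN.1 BER-encoded, so a receiver first reads a tag byte and a length field, and a truncated packet is one whose declared length exceeds the bytes that actually arrived. The minimal BER tag-length reader below is a simplification, not a full SNMP decoder; it refuses any element that does not lie entirely inside the received buffer. The sample datagrams are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded header of one BER tag-length-value element. */
typedef struct {
    uint8_t tag;
    size_t  value_len;
    size_t  header_len;   /* bytes consumed by the tag and length fields */
} tlv_t;

/* Decode the tag and length of one BER element from buf[0..len). Returns true
 * only if the whole element, value included, lies inside the buffer. This is
 * the check item 6 describes as missing or wrong: a declared length is never
 * trusted over the number of bytes actually received. */
bool tlv_parse(const uint8_t *buf, size_t len, tlv_t *out)
{
    size_t pos = 0;
    if (buf == NULL || out == NULL || len < 2)
        return false;                 /* need at least tag + one length byte */
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    size_t value_len;
    if (first < 0x80) {
        value_len = first;            /* short-form length */
    } else {
        size_t n = first & 0x7f;      /* long form: n further length bytes */
        if (n == 0 || n > sizeof(size_t) || n > len - pos)
            return false;             /* indefinite form, or length bytes cut off */
        value_len = 0;
        for (size_t i = 0; i < n; i++)
            value_len = (value_len << 8) | buf[pos++];
    }
    if (value_len > len - pos)
        return false;                 /* declared length exceeds what arrived */
    out->value_len = value_len;
    out->header_len = pos;
    return true;
}

/* Walk the top-level elements of a message. Returns the element count, or -1
 * if any element is truncated; a receiver that gets -1 drops the datagram
 * instead of reading past the end of the buffer. */
int tlv_count(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        tlv_t t;
        if (!tlv_parse(buf + pos, len - pos, &t))
            return -1;
        pos += t.header_len + t.value_len;
        count++;
    }
    return count;
}

/* Constructed sample: a SEQUENCE (0x30) of length 6 wrapping an INTEGER (0x02)
 * of length 1 and an OCTET STRING (0x04) of length 1. */
static const uint8_t sample_ok[] = { 0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0x41 };
/* The same message cut after the outer length byte: 6 bytes promised, none present. */
static const uint8_t sample_truncated[] = { 0x30, 0x06 };
/* Long-form length (0x81 0x02) followed by only one of the two promised bytes. */
static const uint8_t sample_truncated_long[] = { 0x04, 0x81, 0x02, 0x61 };

int main(void)
{
    printf("outer elements: %d\n", tlv_count(sample_ok, sizeof sample_ok));           /* 1 */
    printf("inner elements: %d\n", tlv_count(sample_ok + 2, sizeof sample_ok - 2));   /* 2 */
    printf("truncated: %d\n", tlv_count(sample_truncated, sizeof sample_truncated));  /* -1 */
    return 0;
}
```

On the defensive side, a count of rejected datagrams per source address on 161/UDP is cheap to keep and gives an operator a concrete signal that a device is receiving malformed SNMP traffic, whether from a scanner or from a misbehaving management station.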
7) Improper access control (CVE-ID: CVE-2019-6810)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can cause the execution of commands when using IEC 60870-5-104 protocol.
8) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2019-6831)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.
9) Code Injection (CVE-ID: CVE-2019-6816)
The vulnerability allows a remote attacker to perform unauthorized firmware modification.
The vulnerability exists due to improper input validation. A remote attacker can cause an unauthorized firmware modification with possible denial of service (DoS) condition when using Modbus protocol.
10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-6815)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to insufficient permission restrictions. A remote attacker can cause a denial of service (DoS) condition or unauthorized modifications of the PLC configuration when using Ethernet/IP protocol.
11) Uncaught Exception (CVE-ID: CVE-2019-6847)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
12) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-6845)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the software uses an insecure communication channel when transferring applications to the controller using the Modbus TCP protocol. A remote attacker with the ability to intercept network traffic can gain access to sensitive data.
13) Uncaught Exception (CVE-ID: CVE-2019-6844)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
14) Uncaught Exception (CVE-ID: CVE-2019-6843)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
15) Uncaught Exception (CVE-ID: CVE-2019-6842)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
16) Uncaught Exception (CVE-ID: CVE-2019-6841)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an uncaught exception when upgrading the firmware over the FTP protocol with a package that contains no firmware image. A remote authenticated administrator can cause a denial of service condition on the PLC.
17) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-6846)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the software uses an insecure communication channel to transmit sensitive information when using the FTP protocol. A remote attacker with the ability to intercept network traffic can gain access to sensitive data.
18) Information disclosure (CVE-ID: CVE-2019-6850)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper input validation when reading specific registers with the REST API of the controller/communication module. A remote attacker can gain unauthorized access to sensitive information on the system.
19) Information disclosure (CVE-ID: CVE-2019-6849)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper input validation when using specific Modbus services provided by the REST API of the controller/communication module. A remote attacker can gain unauthorized access to sensitive information on the system.
20) Uncaught Exception (CVE-ID: CVE-2019-6848)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0739
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0769
- https://www.schneider-electric.com/en/download/document/SEVD-2018-081-02/
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0768
- https://www.schneider-electric.com/en/download/document/SEVD-2019-225-02/
- https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03/
- https://www.schneider-electric.com/en/download/document/SEVD-2019-134-09/
- https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02
- https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-03
- https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-04