Multiple vulnerabilities in Schneider Electric Modicon Controllers

Published: 2019-05-22 | Updated: 2019-11-07

Risk	Medium
Patch available	NO
Number of vulnerabilities	2
CVE-ID	CVE-2019-6821 CVE-2019-6851
CWE-ID	CWE-330 CWE-538
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Modicon Quantum Hardware solutions / Firmware Modicon Premium Hardware solutions / Firmware Modicon M340 Hardware solutions / Firmware Modicon M580 Hardware solutions / Firmware
Vendor	Schneider Electric

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Updated 07.11.2019

Added vulnerability #2, updated bulletin title.

1) Use of insufficiently random values

EUVDB-ID: #VU18675

Risk: Medium

CVSSv3.1: 5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-6821

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to guess the next generated value and impersonate another user or access sensitive information.

The vulnerability exists due to the device has predictable TCP initial sequence numbers.

A remote attacker can hijack TCP connection carrying unsecured communication and cause information leakage.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

A vendor recommends to:

Modicon M340:

Schneider Electric recommends that affected users set up network segmentation and implement a firewall to block all remote/external access to TCP ports. Configure the Access Control List following the recommendations of the user manual Modicon M340 for Ethernet Communications Modules and Processors User Manual, in the chapter titled Messaging
Configuration Parameters, which is available here: https://download.schneiderelectric.com/files?p_enDocType=User+guide&p_File_Name=31007131_K01_000_16.pdf&p_Doc_Ref=31007131K01000

Modicon Premium and Modicon Quantum:

Set up network segmentation and implement a firewall to block all unauthorized access to all TCP ports.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: All versions

Modicon M580: 1.04 - 2.20

External links

http://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2019-134-03+-+Modicon+Controller.pdf&p_Doc_Ref=SEVD-2019-134-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) File and Directory Information Exposure

EUVDB-ID: #VU22588

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-6851

CWE-ID: CWE-538 - File And Directory Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to the affected software stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere. A remote attacker can disclose sensitive information from the controller when using TFTP protocol.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Modicon Premium: All versions

Modicon Quantum: All versions

Modicon M340: All versions

Modicon M580: All versions

External links

http://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.