Multiple vulnerabilities in libmodbus
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-14462 CVE-2019-14463 |
| CWE-ID | CWE-125 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
libmodbus Universal components / Libraries / Libraries used by multiple products |
| Vendor | libmodbus.org |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU20025
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14462
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information or perform denial of service attack.
The vulnerability exists due to a boundary condition within MODBUS_FC_WRITE_MULTIPLE_COILS in libmodbus. A local user can submit specially crafted input to the affected aplication, trigger out-of-bounds read error and read contents of memory on the system or perform denial of service attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionslibmodbus: 3.0.0 - 3.1.4
CPE2.3- cpe:2.3:a:libmodbus.org:libmodbus:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:libmodbus.org:libmodbus:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:libmodbus.org:libmodbus:3.1.2:*:*:*:*:*:*:*
http://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc
http://libmodbus.org/2019/stable-and-development-releases/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU20026
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14463
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information or perform denial of service attack.
The vulnerability exists due to a boundary condition within MODBUS_FC_WRITE_MULTIPLE_REGISTERS in libmodbus. A local user can submit specially crafted input to the affected aplication, trigger out-of-bounds read error and read contents of memory on the system or perform denial of service attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionslibmodbus: 3.0.0 - 3.1.4
CPE2.3- cpe:2.3:a:libmodbus.org:libmodbus:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:libmodbus.org:libmodbus:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:libmodbus.org:libmodbus:3.1.2:*:*:*:*:*:*:*
http://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc
http://libmodbus.org/2019/stable-and-development-releases/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
