Multiple vulnerabilities in Schneider Electric Modicon Controllers



| Updated: 2019-10-03
Risk High
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2019-6809
CVE-2018-7850
CVE-2018-7849
CVE-2018-7848
CVE-2018-7847
CVE-2018-7846
CVE-2018-7842
CVE-2019-6808
CVE-2019-6807
CVE-2018-7855
CVE-2018-7854
CVE-2018-7853
CVE-2019-6829
CVE-2019-6828
CWE-ID CWE-248
CWE-807
CWE-200
CWE-284
CWE-290
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #6 is available.
Public exploit code for vulnerability #7 is available.
Public exploit code for vulnerability #9 is available.
Public exploit code for vulnerability #10 is available.
Public exploit code for vulnerability #11 is available.
Public exploit code for vulnerability #12 is available.
Vulnerable software
 Modicon Quantum
Hardware solutions / Firmware

Modicon Premium
Hardware solutions / Firmware

Modicon M340
Hardware solutions / Firmware

Modicon M580
Hardware solutions / Firmware

Vendor Schneider Electric

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Uncaught exception

EUVDB-ID: #VU21478

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-6809

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when reading invalid data from the controller. A remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Reliance on untrusted inputs in a security decision

EUVDB-ID: #VU21510

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-7850

CWE-ID: CWE-807 - Reliance on Untrusted Inputs in a Security Decision

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause modification of sensitive data.

The vulnerability exists due to the application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified in a way that bypasses the protection mechanism.  A remote attacker can cause invalid information displayed in Unity Pro software.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0743


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Uncaught Exception

EUVDB-ID: #VU21502

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7849

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to improper data integrity check when sending files to the controller over Modbus. A remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0737


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Information disclosure

EUVDB-ID: #VU21501

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7848

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper input validation. A remote attacker can gain unauthorized access to SNMP information when reading files from the controller over Modbus.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0740


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Improper access control

EUVDB-ID: #VU21499

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-7847

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can overwrite configuration settings of the controller over Modbus and cause a denial of service condition or potential code execution on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0742


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Trust boundary violation

EUVDB-ID: #VU21498

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7846

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to the target system.

The vulnerability exists on connection to the Controller due to the affected product mixes trusted and untrusted data in the same data structure or structured message. A remote attacker can conduct a brute force attack on Modbus protocol to the controller and gain unauthorized access to the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0735


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Authentication bypass by spoofing

EUVDB-ID: #VU21495

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7842

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.


The vulnerability exists due to improperly implemented authentication schemes that are subject to spoofing attacks. A remote attacker can gain elevated privileges by conducting a brute force attack on Modbus parameters sent to the controller.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0741


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Improper access control

EUVDB-ID: #VU21494

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-6808

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can overwrite configuration settings of the controller over Modbus and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0771


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Uncaught Exception

EUVDB-ID: #VU21493

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-6807

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when writing sensitive application variables to the controller over Modbus. A remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0770


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

10) Uncaught Exception

EUVDB-ID: #VU21489

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7855

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when sending invalid breakpoint parameters to the controller over Modbus. A remote
attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0766
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0767


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

11) Uncaught Exception

EUVDB-ID: #VU21488

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7854

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when sending invalid debug parameters to the controller over Modbus. A remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0765


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

12) Uncaught Exception

EUVDB-ID: #VU21486

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-7853

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when reading invalid physical memory blocks in the controller over Modbus. A
remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0764


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

13) Uncaught Exception

EUVDB-ID: #VU21483

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-6829

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when writing to specific memory addresses in the controller over Modbus. A remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Uncaught Exception

EUVDB-ID: #VU21482

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-6828

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to uncaught exception vulnerability when reading specific coils and registers in the controller over Modbus. A remote attacker can cause a denial of service condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon Quantum: All versions

Modicon Premium: All versions

Modicon M340: before 3.10

Modicon M580: 1.04 - 2.80

CPE2.3 External links

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###