SB2020042815 - Multiple vulnerabilities in Modicon Logic Controllers and related products
Published: April 28, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Cleartext transmission of sensitive information (CVE-ID: CVE-2020-7488)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the software uses an insecure communication channel to transmit sensitive information. A remote attacker on the local network with the ability to intercept network traffic can gain access to sensitive data transmitted between the software and the Modicon controllers.
2) Insufficient verification of data authenticity (CVE-ID: CVE-2020-7487)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote attacker on the local network can execute arbitrary code on the Modicon controllers.
3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2020-7489)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper validation of input. A remote attacker can execute arbitrary code on the controller.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.