Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials.
This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(500074);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/14");
script_cve_id("CVE-2013-0663");
script_xref(name:"EDB-ID", value:"44678");
script_name(english:"Schneider Electric Modicon Cross-Site Request Forgery (CVE-2013-0663)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and
140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC
modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as
demonstrated by modifying HTTP credentials.
This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"http://ics-cert.us-cert.gov/pdf/ICSA-13-077-01A.pdf");
# http://www.schneider-electric.com/download/ww/en/file/36555639-SEVD-2013-023-01.pdf/?fileName=SEVD-2013-023-01.pdf&reference=SEVD-2013-023-01&docType=Technical-paper
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c3596b1c");
# http://www.schneider-electric.com/download/ww/en/details/35081317-Vulnerability-Disclosure-for-Quantum-Premium-and-M340/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ec12ec6");
script_set_attribute(attribute:"see_also", value:"https://www.exploit-db.com/exploits/44678/");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-0663");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(352);
script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/04");
script_set_attribute(attribute:"patch_publication_date", value:"2013/04/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_quantum_plc:140noe77101");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_quantum_plc:140nwm10000");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_quantum_plc:140noe77111");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_m340:bmxnoe0100x");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_m340:bmxnoe011xx");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_m340:bmxnoc0401");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_premium:tsxety5103");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_premium:tsxwmy100");
script_set_attribute(attribute:"cpe", value:"cpe:/h:schneider-electric:modicon_premium:tsxety4103");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Schneider");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Schneider');
var asset = tenable_ot::assets::get(vendor:'Schneider');
var vuln_cpes = {
"cpe:/h:schneider-electric:modicon_quantum_plc:140noe77101" :
{"family" : "QuantumUnityCP"},
"cpe:/h:schneider-electric:modicon_quantum_plc:140nwm10000" :
{"family" : "QuantumUnityCP"},
"cpe:/h:schneider-electric:modicon_quantum_plc:140noe77111" :
{"family" : "QuantumUnityCP"},
"cpe:/h:schneider-electric:modicon_m340:bmxnoe0100x" :
{"family" : "ModiconM340M580CP"},
"cpe:/h:schneider-electric:modicon_m340:bmxnoe011xx" :
{"family" : "ModiconM340M580CP"},
"cpe:/h:schneider-electric:modicon_m340:bmxnoc0401" :
{"family" : "ModiconM340M580CP"},
"cpe:/h:schneider-electric:modicon_premium:tsxety5103" :
{"family" : "PremiumCP"},
"cpe:/h:schneider-electric:modicon_premium:tsxwmy100" :
{"family" : "PremiumCP"},
"cpe:/h:schneider-electric:modicon_premium:tsxety4103" :
{"family" : "PremiumCP"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
Vendor | Product | Version | CPE |
---|---|---|---|
schneider-electric | modicon_quantum_plc | 140noe77101 | cpe:/h:schneider-electric:modicon_quantum_plc:140noe77101 |
schneider-electric | modicon_quantum_plc | 140nwm10000 | cpe:/h:schneider-electric:modicon_quantum_plc:140nwm10000 |
schneider-electric | modicon_quantum_plc | 140noe77111 | cpe:/h:schneider-electric:modicon_quantum_plc:140noe77111 |
schneider-electric | modicon_m340 | bmxnoe0100x | cpe:/h:schneider-electric:modicon_m340:bmxnoe0100x |
schneider-electric | modicon_m340 | bmxnoe011xx | cpe:/h:schneider-electric:modicon_m340:bmxnoe011xx |
schneider-electric | modicon_m340 | bmxnoc0401 | cpe:/h:schneider-electric:modicon_m340:bmxnoc0401 |
schneider-electric | modicon_premium | tsxety5103 | cpe:/h:schneider-electric:modicon_premium:tsxety5103 |
schneider-electric | modicon_premium | tsxwmy100 | cpe:/h:schneider-electric:modicon_premium:tsxwmy100 |
schneider-electric | modicon_premium | tsxety4103 | cpe:/h:schneider-electric:modicon_premium:tsxety4103 |