Lucene search

HistoryJun 29, 2023 - 12:00 a.m.

Schneider Electric Modicon M340 PLC Uncontrolled Resource Consumption (CVE-2017-6017)

2023-06-2900:00:00

www.tenable.com

schneider electric

modicon m340 plc

resource exhaustion

cve-2017-6017

uncontrolled consumption

remote attacker

specially crafted packets

freeze

reset button

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.004 Low

EPSS

Percentile

73.0%

JSON

A Resource Exhaustion issue was discovered in Schneider Electric Modicon M340 PLC BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP341000, BMXP342000, BMXP3420102, BMXP3420102CL, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, and BMXP342030H. A remote attacker could send a specially crafted set of packets to the PLC causing it to freeze, requiring the operator to physically press the reset button on the PLC in order to recover.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501204);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2017-6017");

  script_name(english:"Schneider Electric Modicon M340 PLC Uncontrolled Resource Consumption (CVE-2017-6017)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A Resource Exhaustion issue was discovered in Schneider Electric
Modicon M340 PLC BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H,
BMXNOR0200H, BMXP341000, BMXP342000, BMXP3420102, BMXP3420102CL,
BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, and
BMXP342030H. A remote attacker could send a specially crafted set of
packets to the PLC causing it to freeze, requiring the operator to
physically press the reset button on the PLC in order to recover.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/96414");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-17-054-03");
  # https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-048-02
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e3e8ebf");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Schneider Electric has released fixes for the vulnerability that can be downloaded from:

- M340: https://www.schneider-electric.fr/fr/search/V2.9?filters=CAT_PRD_DOC_FIRMUPD
- M580: https://www.schneider-electric.us/en/product-range/62098-modicon-m580-paccontroller/
- Quantum: https://www.schneider-electric.com/en/download/document/OFS_3_50_2905/

Schneider Electric recommends the following workarounds and mitigations for Premium and M1E devices:

- Set up a firewall blocking all remote/external access to Port 502

For more information Schneider Electric has released a security notification that can be found at:
https://www.schneider-electric.com/en/download/document/SEVD-2017-048-02/");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6017");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(400);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxnoc0401_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxnoe0100_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxnoe0110_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxnoe0110h_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxnor0200h_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp341000_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp342000_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp3420102_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp3420102cl_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp342020_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp342020h_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp3420302_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp3420302h_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp342030_firmware:2.8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:bmxp342030h_firmware:2.8");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Schneider");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Schneider');

var asset = tenable_ot::assets::get(vendor:'Schneider');

var vuln_cpes = {
    "cpe:/o:schneider-electric:bmxnoc0401_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340M580CP"},
    "cpe:/o:schneider-electric:bmxnoe0100_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340M580CP"},
    "cpe:/o:schneider-electric:bmxnoe0110_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340M580CP"},
    "cpe:/o:schneider-electric:bmxnoe0110h_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340M580CP"},
    "cpe:/o:schneider-electric:bmxnor0200h_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340M580CP"},
    "cpe:/o:schneider-electric:bmxp341000_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp342000_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp3420102_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp3420102cl_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp342020_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp342020h_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp342030_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp3420302_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp3420302h_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"},
    "cpe:/o:schneider-electric:bmxp342030h_firmware:2.8" :
        {"versionEndIncluding" : "2.8", "versionStartIncluding" : "2.8", "family" : "ModiconM340"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

VendorProductVersionCPE
schneider-electricbmxnoc0401_firmware2.8cpe:/o:schneider-electric:bmxnoc0401_firmware:2.8
schneider-electricbmxnoe0100_firmware2.8cpe:/o:schneider-electric:bmxnoe0100_firmware:2.8
schneider-electricbmxnoe0110_firmware2.8cpe:/o:schneider-electric:bmxnoe0110_firmware:2.8
schneider-electricbmxnoe0110h_firmware2.8cpe:/o:schneider-electric:bmxnoe0110h_firmware:2.8
schneider-electricbmxnor0200h_firmware2.8cpe:/o:schneider-electric:bmxnor0200h_firmware:2.8
schneider-electricbmxp341000_firmware2.8cpe:/o:schneider-electric:bmxp341000_firmware:2.8
schneider-electricbmxp342000_firmware2.8cpe:/o:schneider-electric:bmxp342000_firmware:2.8
schneider-electricbmxp3420102_firmware2.8cpe:/o:schneider-electric:bmxp3420102_firmware:2.8
schneider-electricbmxp3420102cl_firmware2.8cpe:/o:schneider-electric:bmxp3420102cl_firmware:2.8
schneider-electricbmxp342020_firmware2.8cpe:/o:schneider-electric:bmxp342020_firmware:2.8

Vendor	Product	Version	CPE
schneider-electric	bmxnoc0401_firmware	2.8	cpe:/o:schneider-electric:bmxnoc0401_firmware:2.8
schneider-electric	bmxnoe0100_firmware	2.8	cpe:/o:schneider-electric:bmxnoe0100_firmware:2.8
schneider-electric	bmxnoe0110_firmware	2.8	cpe:/o:schneider-electric:bmxnoe0110_firmware:2.8
schneider-electric	bmxnoe0110h_firmware	2.8	cpe:/o:schneider-electric:bmxnoe0110h_firmware:2.8
schneider-electric	bmxnor0200h_firmware	2.8	cpe:/o:schneider-electric:bmxnor0200h_firmware:2.8
schneider-electric	bmxp341000_firmware	2.8	cpe:/o:schneider-electric:bmxp341000_firmware:2.8
schneider-electric	bmxp342000_firmware	2.8	cpe:/o:schneider-electric:bmxp342000_firmware:2.8
schneider-electric	bmxp3420102_firmware	2.8	cpe:/o:schneider-electric:bmxp3420102_firmware:2.8
schneider-electric	bmxp3420102cl_firmware	2.8	cpe:/o:schneider-electric:bmxp3420102cl_firmware:2.8
schneider-electric	bmxp342020_firmware	2.8	cpe:/o:schneider-electric:bmxp342020_firmware:2.8

Rows per page:

1-10 of 151

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6017

www.nessus.org/u?8e3e8ebf

www.securityfocus.com/bid/96414

ics-cert.us-cert.gov/advisories/ICSA-17-054-03

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.004 Low

EPSS

Percentile

73.0%

JSON

Related for TENABLE_OT_SCHNEIDER_CVE-2017-6017.NASL