Schneider Electric Modicon Controllers Use of Insufficiently Random Values (CVE-2019-6821)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500068);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2019-6821");
  script_xref(name:"ICSA", value:"19-136-01");

  script_name(english:"Schneider Electric Modicon Controllers Use of Insufficiently Random Values (CVE-2019-6821)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"CWE-330: Use of Insufficiently Random Values vulnerability, which could cause the hijacking of the TCP connection when
using Ethernet communication in Modicon M580 firmware versions prior to V2.30, and all firmware versions of Modicon
M340, Modicon Premium, Modicon Quantum.  

This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/108366");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-19-136-01");
  # https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2019-134-03
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb79ea26");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Schneider Electric reports the following mitigations:

- Modicon M580 firmware Version 2.80 is available for download. For more information see Schneider Electric advisory
SEVD-2019-134-03
- Modicon M340: currently, no fix is available. 
    - Schneider Electric recommends that affected users set up network segmentation and implement a firewall to block
all remote/external access to TCP ports.
    - Configure the Access Control List following the recommendations of the user manual “Modicon M340 for Ethernet
Communications Modules and Processors User Manual,” in the chapter titled “Messaging Configuration Parameters,” which is
available here: https://download.schneiderelectric.com/files?p_enDocType=User+guide&p_File_Name=31007131_K01_000_16.pdf&
p_Doc_Ref=31007131K01000
- Modicon Premium and Modicon Quantum 
    - Set up network segmentation and implement a firewall to block all unauthorized access to all TCP ports.

In December 2018, Schneider Electric reported that the Modicon Premium and Quantum controllers reached the End of
Commercialization life cycle. For more information, please see Schneider Electric advisory SEVD-2019-134-03");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6821");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(330);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:modicon_m580_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:modicon_quantum_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:schneider-electric:modicon_premium_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Schneider");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Schneider');

var asset = tenable_ot::assets::get(vendor:'Schneider');

var vuln_cpes = {
    "cpe:/o:schneider-electric:modicon_m580_series_firmware" :
        {"versionEndExcluding" : "2.30", "family" : "ModiconM580"},
    "cpe:/o:schneider-electric:modicon_quantum_firmware" :
        {"family" : "QuantumUnity"},
    "cpe:/o:schneider-electric:modicon_premium_firmware" :
        {"family" : "Premium"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);