Talos Vulnerability Report

TALOS-2019-0851

Schneider Electric Modicon M580 TFTP server information disclosure vulnerability

October 8, 2019
CVE Number

CVE-2019-6851

Summary

An exploitable information disclosure vulnerability exists in the TFTP server functionality of the Schneider Electric Modicon M580 Programmable Automation Controller. A specially crafted TFTP get request can cause a file download, resulting in disclosure of sensitive information. An attacker can send unauthenticated commands to trigger this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.80

Product URLs

https://www.schneider-electric.com/en/work/campaign/m580-epac/

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-538: File and Directory Information Exposure

Details

The Modicon M580 is the latest in Schneider Electric's Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.

It's possible to obtain various sensitive information from the device by requesting specific files from the Modicon M580's TFTP server. The following files have been confirmed to successfully download from the tested device.

  • /usr/conf/ccsConfig.dat
  • /usr/diag/crash.bin
  • /usr/diag/crash.txt
  • /usr/diag/dwarfview.bin
  • /usr/diag/ecc_cpt.dat
  • /ram/moduli

Additionally, the file /usr/webpage.img can be downloaded using the same technique. This file is of note as it contains the unencrypted web server firmware and directory tree.

Exploit Proof of Concept

echo -e "connect 192.168.10.1\nget /usr/webpage.img\nquit\n" | tftp

Timeline

2019-07-22 - Vendor Disclosure
2019-10-08 - Public Release

Credit

Discovered by Jared Rittle of Cisco Talos