An exploitable information disclosure vulnerability exists in the TFTP server functionality of the Schneider Electric Modicon M580 Programmable Automation Controller. A specially crafted TFTP get request can cause a file download, resulting in disclosure of sensitive information. An attacker can send unauthenticated commands to trigger this vulnerability.
Schneider Electric Modicon M580 BMEP582040 SV2.80
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-538: File and Directory Information Exposure
The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.
It’s possible to obtain various sensitive information from the device by requesting specific files from the Modicon M580’s TFTP server. The following files have been confirmed to successfully download from the tested device.
Additionally, the file /usr/webpage.img can be downloaded using the same technique. This file is of note as it contains the unencrypted web server firmware and directory tree.
echo -e "connect 192.168.10.1\nget /usr/webpage.img\nquit\n" | tftp
2019-07-22 - Vendor Disclosure
2019-10-08 - Public Release
Discovered by Jared Rittle of Cisco Talos