Sign-up

ID

VAR-201905-1029


CVE

CVE-2018-7847


TITLE

plural Modicon Access control vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-015474

DESCRIPTION

A CWE-284: Improper Access Control vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service or potential code execution by overwriting configuration settings of the controller over Modbus. plural Modicon The product contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Schneider Electric Modicon M580 and other products are products of Schneider Electric (France). Schneider Electric Modicon M580 is a programmable automation controller. Schneider Electric Modicon Premium is a large programmable logic controller (PLC) for discrete or process applications. Schneider Electric Modicon Quantum is a large programmable logic controller (PLC) for process applications, high availability and safety solutions. Multiple Schneider Electric products have access control error vulnerabilities. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles. The following products and versions are affected: Schneider Electric Modicon M580 (all versions); Modicon M340 (all versions); Modicon Quantum (all versions); Modicon Premium (all versions)

Trust: 2.52

sources: NVD: CVE-2018-7847 // JVNDB: JVNDB-2018-015474 // CNVD: CNVD-2019-34610 // IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb // VULHUB: VHN-137879 // VULMON: CVE-2018-7847

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb // CNVD: CNVD-2019-34610

AFFECTED PRODUCTS

vendor:schneider electricmodel:modicon premiumscope:eqversion:*

Trust: 1.0

vendor:schneider electricmodel:modicon quantumscope:eqversion:*

Trust: 1.0

vendor:schneider electricmodel:modicon m580scope:eqversion:*

Trust: 1.0

vendor:schneider electricmodel:modicon m340scope:eqversion:*

Trust: 1.0

vendor:schneider electricmodel:modicon m340scope: - version: -

Trust: 0.8

vendor:schneider electricmodel:modicon m580scope: - version: -

Trust: 0.8

vendor:schneider electricmodel:modicon premium plcscope: - version: -

Trust: 0.8

vendor:schneider electricmodel:modicon quantum plcscope: - version: -

Trust: 0.8

vendor:schneidermodel:electric modicon m340scope: - version: -

Trust: 0.6

vendor:schneidermodel:electric modicon m580scope: - version: -

Trust: 0.6

vendor:schneidermodel:electric modicon premiumscope: - version: -

Trust: 0.6

vendor:schneidermodel:electric modicon quantumscope: - version: -

Trust: 0.6

vendor:modicon m580model: - scope:eqversion:*

Trust: 0.2

vendor:modicon m340model: - scope:eqversion:*

Trust: 0.2

vendor:modicon quantummodel: - scope:eqversion:*

Trust: 0.2

vendor:modicon premiummodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb // CNVD: CNVD-2019-34610 // JVNDB: JVNDB-2018-015474 // NVD: CVE-2018-7847

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7847
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-7847
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-34610
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201905-920
value: CRITICAL

Trust: 0.6

IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb
value: CRITICAL

Trust: 0.2

VULHUB: VHN-137879
value: HIGH

Trust: 0.1

VULMON: CVE-2018-7847
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-7847
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-34610
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-137879
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-7847
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2018-7847
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb // CNVD: CNVD-2019-34610 // VULHUB: VHN-137879 // VULMON: CVE-2018-7847 // JVNDB: JVNDB-2018-015474 // CNNVD: CNNVD-201905-920 // NVD: CVE-2018-7847

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.0

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-137879 // JVNDB: JVNDB-2018-015474 // NVD: CVE-2018-7847

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-920

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201905-920

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-015474

PATCH
title:SEVD-2019-134-11url:https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-015474

EXTERNAL IDS
db:NVDid:CVE-2018-7847
Trust: 3.4
db:TALOSid:TALOS-2018-0743
Trust: 1.8
db:TALOSid:TALOS-2018-0742
Trust: 1.8
db:SCHNEIDERid:SEVD-2019-134-11
Trust: 1.8
db:CNNVDid:CNNVD-201905-920
Trust: 0.9
db:CNVDid:CNVD-2019-34610
Trust: 0.8
db:JVNDBid:JVNDB-2018-015474
Trust: 0.8
db:IVDid:68CF334F-7B3B-4555-BEE5-8D20C8FEBEDB
Trust: 0.2
db:VULHUBid:VHN-137879
Trust: 0.1
db:VULMONid:CVE-2018-7847
Trust: 0.1
sources:
            
            
            IVD: 68cf334f-7b3b-4555-bee5-8d20c8febedb // 
            
            
            
            CNVD: CNVD-2019-34610 // 
            
            
            
            VULHUB: VHN-137879 // 
            
            
            
            VULMON: CVE-2018-7847 // 
            
            
            
            JVNDB: JVNDB-2018-015474 // 
            
            
            
            CNNVD: CNNVD-201905-920 // 
            
            
            
            NVD: CVE-2018-7847

REFERENCES
url:https://www.talosintelligence.com/vulnerability_reports/talos-2018-0743
Trust: 2.4
url:https://nvd.nist.gov/vuln/detail/cve-2018-7847
Trust: 2.0
url:https://www.schneider-electric.com/en/download/document/sevd-2019-134-11/
Trust: 1.8
url:https://www.talosintelligence.com/vulnerability_reports/talos-2018-0742
Trust: 1.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7847
Trust: 0.8
url:https://talosintelligence.com/vulnerability_reports/talos-2018-0743
Trust: 0.6
url:https://talosintelligence.com/vulnerability_reports/talos-2018-0742
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/287.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-34610 // 
            
            
            
            VULHUB: VHN-137879 // 
            
            
            
            VULMON: CVE-2018-7847 // 
            
            
            
            JVNDB: JVNDB-2018-015474 // 
            
            
            
            CNNVD: CNNVD-201905-920 // 
            
            
            
            NVD: CVE-2018-7847

CREDITS
Discovered by Jared Rittle of Cisco Talos.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201905-920

SOURCES
db:IVDid:68cf334f-7b3b-4555-bee5-8d20c8febedb
db:CNVDid:CNVD-2019-34610
db:VULHUBid:VHN-137879
db:VULMONid:CVE-2018-7847
db:JVNDBid:JVNDB-2018-015474
db:CNNVDid:CNNVD-201905-920
db:NVDid:CVE-2018-7847

LAST UPDATE DATE
2024-11-23T21:52:12.781000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-34610date:2019-10-11T00:00:00
db:VULHUBid:VHN-137879date:2019-06-10T00:00:00
db:VULMONid:CVE-2018-7847date:2022-02-03T00:00:00
db:JVNDBid:JVNDB-2018-015474date:2019-06-07T00:00:00
db:CNNVDid:CNNVD-201905-920date:2022-02-07T00:00:00
db:NVDid:CVE-2018-7847date:2024-11-21T04:12:52.250

SOURCES RELEASE DATE
db:IVDid:68cf334f-7b3b-4555-bee5-8d20c8febedbdate:2019-10-11T00:00:00
db:CNVDid:CNVD-2019-34610date:2019-10-11T00:00:00
db:VULHUBid:VHN-137879date:2019-05-22T00:00:00
db:VULMONid:CVE-2018-7847date:2019-05-22T00:00:00
db:JVNDBid:JVNDB-2018-015474date:2019-06-07T00:00:00
db:CNNVDid:CNNVD-201905-920date:2019-05-22T00:00:00
db:NVDid:CVE-2018-7847date:2019-05-22T20:29:01.697