Details of VAR-201910-0574

ID

VAR-201910-0574

CVE

CVE-2019-6841

TITLE

plural Modicon Vulnerability in handling exceptional conditions in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-011438

DESCRIPTION

A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580 with firmware (version prior to V3.10), Modicon M340 (all firmware versions), and Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with no firmware image inside the package using FTP protocol. plural Modicon The product contains an exceptional condition handling vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The Modicon M580/M340/BMxCRA/140CRA are programmable logic controllers from Schneider Electric. A denial of service vulnerability exists in the Schneider Electric Modicon M580/M340/BMxCRA/140CRA

Trust: 2.34

sources: NVD: CVE-2019-6841 // JVNDB: JVNDB-2019-011438 // CNVD: CNVD-2019-41493 // IVD: f8b0fd24-fb1e-4e29-81de-50f1f528c64c

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: f8b0fd24-fb1e-4e29-81de-50f1f528c64c // CNVD: CNVD-2019-41493

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon 140cra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon bmxcra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon 140cra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon bmxcra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m340	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m340	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon m580	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon bmxcra	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon 140cra	scope:	-	version:	-	Trust: 0.6
vendor:	modicon m580	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon m340	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon bmxcra	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon 140cra	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: f8b0fd24-fb1e-4e29-81de-50f1f528c64c // CNVD: CNVD-2019-41493 // JVNDB: JVNDB-2019-011438 // NVD: CVE-2019-6841

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6841
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6841
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-41493
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-424
value:	MEDIUM
Trust: 0.6
IVD:	f8b0fd24-fb1e-4e29-81de-50f1f528c64c
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2019-6841
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-41493
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	f8b0fd24-fb1e-4e29-81de-50f1f528c64c
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-6841
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6841
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: f8b0fd24-fb1e-4e29-81de-50f1f528c64c // CNVD: CNVD-2019-41493 // JVNDB: JVNDB-2019-011438 // CNNVD: CNNVD-201910-424 // NVD: CVE-2019-6841

PROBLEMTYPE DATA

problemtype:

CWE-755

Trust: 1.8

sources: JVNDB: JVNDB-2019-011438 // NVD: CVE-2019-6841

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-424

TYPE

other

Trust: 0.8

sources: IVD: f8b0fd24-fb1e-4e29-81de-50f1f528c64c // CNNVD: CNNVD-201910-424

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011438

PATCH

title:	SEVD-2019-281-02	url:	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02	Trust: 0.8
title:	Patch for Schneider Electric Modicon M580/M340/BMxCRA/140CRA Denial of Service Vulnerability (CNVD-2019-41493)	url:	https://www.cnvd.org.cn/patchInfo/show/190771	Trust: 0.6

sources: CNVD: CNVD-2019-41493 // JVNDB: JVNDB-2019-011438

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6841	Trust: 3.2
db:	SCHNEIDER	id:	SEVD-2019-281-02	Trust: 1.6
db:	CNVD	id:	CNVD-2019-41493	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-424	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011438	Trust: 0.8
db:	TALOS	id:	TALOS-2019-0822	Trust: 0.6
db:	IVD	id:	F8B0FD24-FB1E-4E29-81DE-50F1F528C64C	Trust: 0.2

sources: IVD: f8b0fd24-fb1e-4e29-81de-50f1f528c64c // CNVD: CNVD-2019-41493 // JVNDB: JVNDB-2019-011438 // CNNVD: CNNVD-201910-424 // NVD: CVE-2019-6841

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-6841	Trust: 2.0
url:	https://www.se.com/ww/en/download/document/sevd-2019-281-02/	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6841	Trust: 0.8
url:	https://www.schneider-electric.com/ww/en/download/document/sevd-2019-281-02	Trust: 0.6
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2019-0822	Trust: 0.6

sources: CNVD: CNVD-2019-41493 // JVNDB: JVNDB-2019-011438 // CNNVD: CNNVD-201910-424 // NVD: CVE-2019-6841

CREDITS

Discovered by Jared Rittle of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-201910-424

SOURCES

db:	IVD	id:	f8b0fd24-fb1e-4e29-81de-50f1f528c64c
db:	CNVD	id:	CNVD-2019-41493
db:	JVNDB	id:	JVNDB-2019-011438
db:	CNNVD	id:	CNNVD-201910-424
db:	NVD	id:	CVE-2019-6841

LAST UPDATE DATE

2024-11-23T21:36:37.666000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-41493	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-011438	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-424	date:	2021-04-20T00:00:00
db:	NVD	id:	CVE-2019-6841	date:	2024-11-21T04:47:15.580

SOURCES RELEASE DATE

db:	IVD	id:	f8b0fd24-fb1e-4e29-81de-50f1f528c64c	date:	2019-11-20T00:00:00
db:	CNVD	id:	CNVD-2019-41493	date:	2019-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-011438	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-424	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2019-6841	date:	2019-10-29T19:15:21.830