Details of VAR-201910-0575

ID

VAR-201910-0575

CVE

CVE-2019-6842

TITLE

plural Modicon Vulnerability in handling exceptional conditions in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-011439

DESCRIPTION

A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with a missing web server image inside the package using FTP protocol. plural Modicon The product contains an exceptional condition handling vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The Modicon M580/M340/BMxCRA/140CRA are programmable logic controllers from Schneider Electric. A denial of service vulnerability exists in the Schneider Electric Modicon M580/M340/BMxCRA/140CRA

Trust: 2.34

sources: NVD: CVE-2019-6842 // JVNDB: JVNDB-2019-011439 // CNVD: CNVD-2019-41497 // IVD: 6b038939-27b5-4818-95c7-4d2fbe09a504

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 6b038939-27b5-4818-95c7-4d2fbe09a504 // CNVD: CNVD-2019-41497

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon 140cra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon bmxcra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon 140cra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon bmxcra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m340	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m340	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon m580	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon bmxcra	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon 140cra	scope:	-	version:	-	Trust: 0.6
vendor:	modicon m580	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon m340	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon bmxcra	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon 140cra	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 6b038939-27b5-4818-95c7-4d2fbe09a504 // CNVD: CNVD-2019-41497 // JVNDB: JVNDB-2019-011439 // NVD: CVE-2019-6842

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6842
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6842
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-41497
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-403
value:	MEDIUM
Trust: 0.6
IVD:	6b038939-27b5-4818-95c7-4d2fbe09a504
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2019-6842
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-41497
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	6b038939-27b5-4818-95c7-4d2fbe09a504
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-6842
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6842
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 6b038939-27b5-4818-95c7-4d2fbe09a504 // CNVD: CNVD-2019-41497 // JVNDB: JVNDB-2019-011439 // CNNVD: CNNVD-201910-403 // NVD: CVE-2019-6842

PROBLEMTYPE DATA

problemtype:

CWE-755

Trust: 1.8

sources: JVNDB: JVNDB-2019-011439 // NVD: CVE-2019-6842

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-403

TYPE

other

Trust: 0.8

sources: IVD: 6b038939-27b5-4818-95c7-4d2fbe09a504 // CNNVD: CNNVD-201910-403

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011439

PATCH

title:	SEVD-2019-281-02	url:	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02	Trust: 0.8
title:	Patch for Schneider Electric Modicon M580/M340/BMxCRA/140CRA Denial of Service Vulnerability (CNVD-2019-41497)	url:	https://www.cnvd.org.cn/patchInfo/show/190773	Trust: 0.6

sources: CNVD: CNVD-2019-41497 // JVNDB: JVNDB-2019-011439

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6842	Trust: 3.2
db:	SCHNEIDER	id:	SEVD-2019-281-02	Trust: 1.6
db:	CNVD	id:	CNVD-2019-41497	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-403	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011439	Trust: 0.8
db:	TALOS	id:	TALOS-2019-0823	Trust: 0.6
db:	IVD	id:	6B038939-27B5-4818-95C7-4D2FBE09A504	Trust: 0.2

sources: IVD: 6b038939-27b5-4818-95c7-4d2fbe09a504 // CNVD: CNVD-2019-41497 // JVNDB: JVNDB-2019-011439 // CNNVD: CNNVD-201910-403 // NVD: CVE-2019-6842

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-6842	Trust: 2.0
url:	https://www.se.com/ww/en/download/document/sevd-2019-281-02/	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6842	Trust: 0.8
url:	https://www.schneider-electric.com/ww/en/download/document/sevd-2019-281-02	Trust: 0.6
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2019-0823	Trust: 0.6

sources: CNVD: CNVD-2019-41497 // JVNDB: JVNDB-2019-011439 // CNNVD: CNNVD-201910-403 // NVD: CVE-2019-6842

CREDITS

Discovered by Jared Rittle of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-201910-403

SOURCES

db:	IVD	id:	6b038939-27b5-4818-95c7-4d2fbe09a504
db:	CNVD	id:	CNVD-2019-41497
db:	JVNDB	id:	JVNDB-2019-011439
db:	CNNVD	id:	CNNVD-201910-403
db:	NVD	id:	CVE-2019-6842

LAST UPDATE DATE

2024-11-23T21:36:37.635000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-41497	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-011439	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-403	date:	2021-04-20T00:00:00
db:	NVD	id:	CVE-2019-6842	date:	2024-11-21T04:47:15.700

SOURCES RELEASE DATE

db:	IVD	id:	6b038939-27b5-4818-95c7-4d2fbe09a504	date:	2019-11-20T00:00:00
db:	CNVD	id:	CNVD-2019-41497	date:	2019-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-011439	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-403	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2019-6842	date:	2019-10-29T19:15:21.923