Details of VAR-201910-0577

ID

VAR-201910-0577

CVE

CVE-2019-6844

TITLE

plural Modicon Vulnerability in handling exceptional conditions in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-011435

DESCRIPTION

A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service atack on the PLC when upgrading the controller with a firmware package containing an invalid web server image using FTP protocol. plural Modicon The product contains an exceptional condition handling vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The Modicon M580/M340/BMxCRA/140CRA are programmable logic controllers from Schneider Electric. A denial of service vulnerability exists in the Schneider Electric Modicon M580/M340/BMxCRA/140CRA

Trust: 2.34

sources: NVD: CVE-2019-6844 // JVNDB: JVNDB-2019-011435 // CNVD: CNVD-2019-41495 // IVD: cfd6314c-082a-422c-9dc3-ee3e10eb3129

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: cfd6314c-082a-422c-9dc3-ee3e10eb3129 // CNVD: CNVD-2019-41495

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon 140cra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon bmxcra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon 140cra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon bmxcra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m340	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m340	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon m580	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon bmxcra	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon 140cra	scope:	-	version:	-	Trust: 0.6
vendor:	modicon m580	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon m340	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon bmxcra	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon 140cra	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: cfd6314c-082a-422c-9dc3-ee3e10eb3129 // CNVD: CNVD-2019-41495 // JVNDB: JVNDB-2019-011435 // NVD: CVE-2019-6844

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6844
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6844
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-41495
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-426
value:	MEDIUM
Trust: 0.6
IVD:	cfd6314c-082a-422c-9dc3-ee3e10eb3129
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2019-6844
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-41495
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	cfd6314c-082a-422c-9dc3-ee3e10eb3129
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-6844
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6844
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: cfd6314c-082a-422c-9dc3-ee3e10eb3129 // CNVD: CNVD-2019-41495 // JVNDB: JVNDB-2019-011435 // CNNVD: CNNVD-201910-426 // NVD: CVE-2019-6844

PROBLEMTYPE DATA

problemtype:

CWE-755

Trust: 1.8

sources: JVNDB: JVNDB-2019-011435 // NVD: CVE-2019-6844

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-426

TYPE

other

Trust: 0.8

sources: IVD: cfd6314c-082a-422c-9dc3-ee3e10eb3129 // CNNVD: CNNVD-201910-426

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011435

PATCH

title:	SEVD-2019-281-02	url:	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02	Trust: 0.8
title:	Patch for Schneider Electric Modicon M580/M340/BMxCRA/140CRA Denial of Service Vulnerability (CNVD-2019-41495)	url:	https://www.cnvd.org.cn/patchInfo/show/190775	Trust: 0.6

sources: CNVD: CNVD-2019-41495 // JVNDB: JVNDB-2019-011435

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6844	Trust: 3.2
db:	SCHNEIDER	id:	SEVD-2019-281-02	Trust: 1.6
db:	CNVD	id:	CNVD-2019-41495	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-426	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011435	Trust: 0.8
db:	TALOS	id:	TALOS-2019-0825	Trust: 0.6
db:	IVD	id:	CFD6314C-082A-422C-9DC3-EE3E10EB3129	Trust: 0.2

sources: IVD: cfd6314c-082a-422c-9dc3-ee3e10eb3129 // CNVD: CNVD-2019-41495 // JVNDB: JVNDB-2019-011435 // CNNVD: CNNVD-201910-426 // NVD: CVE-2019-6844

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-6844	Trust: 2.0
url:	https://www.se.com/ww/en/download/document/sevd-2019-281-02/	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6844	Trust: 0.8
url:	https://www.schneider-electric.com/ww/en/download/document/sevd-2019-281-02	Trust: 0.6
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2019-0825	Trust: 0.6

sources: CNVD: CNVD-2019-41495 // JVNDB: JVNDB-2019-011435 // CNNVD: CNNVD-201910-426 // NVD: CVE-2019-6844

CREDITS

Discovered by Jared Rittle of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-201910-426

SOURCES

db:	IVD	id:	cfd6314c-082a-422c-9dc3-ee3e10eb3129
db:	CNVD	id:	CNVD-2019-41495
db:	JVNDB	id:	JVNDB-2019-011435
db:	CNNVD	id:	CNNVD-201910-426
db:	NVD	id:	CVE-2019-6844

LAST UPDATE DATE

2024-11-23T21:36:37.696000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-41495	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-011435	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-426	date:	2021-04-20T00:00:00
db:	NVD	id:	CVE-2019-6844	date:	2024-11-21T04:47:15.937

SOURCES RELEASE DATE

db:	IVD	id:	cfd6314c-082a-422c-9dc3-ee3e10eb3129	date:	2019-11-20T00:00:00
db:	CNVD	id:	CNVD-2019-41495	date:	2019-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-011435	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-426	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2019-6844	date:	2019-10-29T19:15:22.047