Details of VAR-202304-1259

ID

VAR-202304-1259

CVE

CVE-2023-25620

TITLE

plural Schneider Electric Product Exceptional State Check Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-008735

DESCRIPTION

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user. Modicon M580 firmware, Modicon M340 firmware, modicon momentum unity m1e processor firmware etc. Schneider Electric The product contains an exceptional state check vulnerability.Service operation interruption (DoS) It may be in a state. Schneider Electric Modicon M580 is a programmable automation controller produced by French Schneider Electric (Schneider Electric). Schneider Electric Modicon M580 versions prior to V4.10 and Modicon M340 CPU versions prior to 3.51 have a code problem vulnerability

Trust: 2.25

sources: NVD: CVE-2023-25620 // JVNDB: JVNDB-2023-008735 // CNVD: CNVD-2023-40172 // VULMON: CVE-2023-25620

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-40172

AFFECTED PRODUCTS

vendor:	schneider electric	model:	bmep58s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	bmeh58s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340	scope:	lt	version:	3.51	Trust: 1.0
vendor:	schneider electric	model:	modicon momentum unity m1e processor	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	tsxp57	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	140cpu65	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580	scope:	lt	version:	4.10	Trust: 1.0
vendor:	schneider electric	model:	modicon mc80	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon momentum unity m1e processor	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	140cpu65	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	tsxp57	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon mc80	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmeh58s	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m340	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmep58s	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m580	scope:	lt	version:	4.10	Trust: 0.6
vendor:	schneider	model:	electric modicon m340	scope:	lt	version:	3.51	Trust: 0.6

sources: CNVD: CNVD-2023-40172 // JVNDB: JVNDB-2023-008735 // NVD: CVE-2023-25620

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-25620
value:	MEDIUM
Trust: 1.0
cybersecurity@se.com:	CVE-2023-25620
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-25620
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2023-40172
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202304-1649
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2023-40172
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-25620
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 2.0
NVD:	CVE-2023-25620
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-40172 // JVNDB: JVNDB-2023-008735 // CNNVD: CNNVD-202304-1649 // NVD: CVE-2023-25620 // NVD: CVE-2023-25620

PROBLEMTYPE DATA

problemtype:	CWE-754	Trust: 1.0
problemtype:	Improper checking in exceptional conditions (CWE-754) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-008735 // NVD: CVE-2023-25620

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-1649

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202304-1649

PATCH

title:	Patch for Schneider Electric Modicon M580, Modicon M340 Code Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/428636	Trust: 0.6
title:	Schneider Electric Modicon M580 Fixes for code issue vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=235299	Trust: 0.6

sources: CNVD: CNVD-2023-40172 // CNNVD: CNNVD-202304-1649

EXTERNAL IDS

db:	NVD	id:	CVE-2023-25620	Trust: 3.9
db:	SCHNEIDER	id:	SEVD-2023-101-05	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-008735	Trust: 0.8
db:	CNVD	id:	CNVD-2023-40172	Trust: 0.6
db:	CNNVD	id:	CNNVD-202304-1649	Trust: 0.6
db:	VULMON	id:	CVE-2023-25620	Trust: 0.1

sources: CNVD: CNVD-2023-40172 // VULMON: CVE-2023-25620 // JVNDB: JVNDB-2023-008735 // CNNVD: CNNVD-202304-1649 // NVD: CVE-2023-25620

REFERENCES

url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2023-101-05&p_endoctype=security+and+safety+notice&p_file_name=sevd-2023-101-05.pdf	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2023-25620	Trust: 1.4
url:	https://cxsecurity.com/cveshow/cve-2023-25620/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/754.html	Trust: 0.1
url:	https://https://download.schneider-electric.com/files?p_doc_ref=sevd-2023-101-05&p_endoctype=security+and+safety+notice&p_file_name=sevd-2023-101-05.pdf	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-40172 // VULMON: CVE-2023-25620 // JVNDB: JVNDB-2023-008735 // CNNVD: CNNVD-202304-1649 // NVD: CVE-2023-25620

SOURCES

db:	CNVD	id:	CNVD-2023-40172
db:	VULMON	id:	CVE-2023-25620
db:	JVNDB	id:	JVNDB-2023-008735
db:	CNNVD	id:	CNNVD-202304-1649
db:	NVD	id:	CVE-2023-25620

LAST UPDATE DATE

2024-08-14T13:20:52.345000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-40172	date:	2023-05-23T00:00:00
db:	VULMON	id:	CVE-2023-25620	date:	2023-04-19T00:00:00
db:	JVNDB	id:	JVNDB-2023-008735	date:	2023-12-04T01:49:00
db:	CNNVD	id:	CNNVD-202304-1649	date:	2023-04-28T00:00:00
db:	NVD	id:	CVE-2023-25620	date:	2023-05-12T05:15:16.990

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-40172	date:	2023-05-18T00:00:00
db:	VULMON	id:	CVE-2023-25620	date:	2023-04-19T00:00:00
db:	JVNDB	id:	JVNDB-2023-008735	date:	2023-12-04T00:00:00
db:	CNNVD	id:	CNNVD-202304-1649	date:	2023-04-19T00:00:00
db:	NVD	id:	CVE-2023-25620	date:	2023-04-19T09:15:07.457