Schneider Electric addresses three denial-of-service (
The vendor has
The three vulnerabilities are:
The first vulnerability tracked as CVE-2019-6857 received a CVSS v3
“Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause a Denial of Service of the controller when reading specific memory blocks using Modbus TCP” reads the advisory.
The second vulnerability tracked as CVE-2019-6856 received a CVSS v3
“Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause a Denial of Service when writing specific physical
The third issue, tracked as CVE-2018-7794, received a CVSS v3
“Improper Check for Unusual or Exceptional Conditions vulnerability exists which could cause a Denial of Service when reading data with invalid index using Modbus TCP” continues the advisory.
An attacker could trigger the above issues via Modbus TCP by reading or writing specific memory blocks, or when reading data with an invalid index. The vulnerability could be exploited by an attacker who has network access to the affected controllers, it can exploit these flaws to crash the controller’s Ethernet module. In order to restore operations, admins need to physically reset the affected device.
The vulnerabilities have been reported Mengmeng Young and Gideon Guo (CVE-2019-6857), Chansim Deng (CVE-2019-6856), and Younes Dragoni from Nozomi Networks (CVE-2018-7794).
Schneider Electric also informed its customers of multiple vulnerabilities in three of its EcoStruxure products, including the Power SCADA Operation power monitoring and control software.
The vulnerability is affected by a
The issue was reported by the industrial firm Applied Risk.
“A vulnerability was identified within Schneider ClearSCADA, which would allow an attacker to modify system-wide configuration and data files. This vulnerability arose through insecure file permissions.” reads the security dvisory.
Schneider Electric also addressed a medium-severity vulnerability in the EcoStruxure Control Expert programming software for Modicon programmable automation controllers that can allow a hacker to bypass the authentication process between the software and the controller.