Details of VAR-201910-0576

ID

VAR-201910-0576

CVE

CVE-2019-6843

TITLE

plural Modicon Vulnerability in handling exceptional conditions in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-011434

DESCRIPTION

A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580 with firmware (version prior to V3.10), Modicon M340 (all firmware versions), and Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the controller with an empty firmware package using FTP protocol. plural Modicon The product contains an exceptional condition handling vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The Modicon M580/M340/BMxCRA/140CRA are programmable logic controllers from Schneider Electric. A denial of service vulnerability exists in the Schneider Electric Modicon M580/M340/BMxCRA/140CRA

Trust: 2.34

sources: NVD: CVE-2019-6843 // JVNDB: JVNDB-2019-011434 // CNVD: CNVD-2019-41496 // IVD: 7eaa68f9-e73a-4548-a0c9-a2eb041ec668

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 7eaa68f9-e73a-4548-a0c9-a2eb041ec668 // CNVD: CNVD-2019-41496

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon 140cra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon bmxcra	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon 140cra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon bmxcra	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m340	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m340	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon m580	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon bmxcra	scope:	-	version:	-	Trust: 0.6
vendor:	schneider	model:	electric modicon 140cra	scope:	-	version:	-	Trust: 0.6
vendor:	modicon m580	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon m340	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon bmxcra	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon 140cra	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 7eaa68f9-e73a-4548-a0c9-a2eb041ec668 // CNVD: CNVD-2019-41496 // JVNDB: JVNDB-2019-011434 // NVD: CVE-2019-6843

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6843
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6843
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-41496
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-414
value:	MEDIUM
Trust: 0.6
IVD:	7eaa68f9-e73a-4548-a0c9-a2eb041ec668
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2019-6843
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-41496
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7eaa68f9-e73a-4548-a0c9-a2eb041ec668
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-6843
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6843
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 7eaa68f9-e73a-4548-a0c9-a2eb041ec668 // CNVD: CNVD-2019-41496 // JVNDB: JVNDB-2019-011434 // CNNVD: CNNVD-201910-414 // NVD: CVE-2019-6843

PROBLEMTYPE DATA

problemtype:

CWE-755

Trust: 1.8

sources: JVNDB: JVNDB-2019-011434 // NVD: CVE-2019-6843

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-414

TYPE

other

Trust: 0.8

sources: IVD: 7eaa68f9-e73a-4548-a0c9-a2eb041ec668 // CNNVD: CNNVD-201910-414

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011434

PATCH

title:	SEVD-2019-281-02	url:	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02	Trust: 0.8
title:	Patch for Schneider Electric Modicon M580/M340/BMxCRA/140CRA Denial of Service Vulnerability (CNVD-2019-41496)	url:	https://www.cnvd.org.cn/patchInfo/show/190777	Trust: 0.6

sources: CNVD: CNVD-2019-41496 // JVNDB: JVNDB-2019-011434

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6843	Trust: 3.2
db:	SCHNEIDER	id:	SEVD-2019-281-02	Trust: 1.6
db:	CNVD	id:	CNVD-2019-41496	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-414	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011434	Trust: 0.8
db:	TALOS	id:	TALOS-2019-0824	Trust: 0.6
db:	IVD	id:	7EAA68F9-E73A-4548-A0C9-A2EB041EC668	Trust: 0.2

sources: IVD: 7eaa68f9-e73a-4548-a0c9-a2eb041ec668 // CNVD: CNVD-2019-41496 // JVNDB: JVNDB-2019-011434 // CNNVD: CNNVD-201910-414 // NVD: CVE-2019-6843

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-6843	Trust: 2.0
url:	https://www.se.com/ww/en/download/document/sevd-2019-281-02/	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6843	Trust: 0.8
url:	https://www.schneider-electric.com/ww/en/download/document/sevd-2019-281-02	Trust: 0.6
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2019-0824	Trust: 0.6

sources: CNVD: CNVD-2019-41496 // JVNDB: JVNDB-2019-011434 // CNNVD: CNNVD-201910-414 // NVD: CVE-2019-6843

CREDITS

Discovered by Jared Rittle of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-201910-414

SOURCES

db:	IVD	id:	7eaa68f9-e73a-4548-a0c9-a2eb041ec668
db:	CNVD	id:	CNVD-2019-41496
db:	JVNDB	id:	JVNDB-2019-011434
db:	CNNVD	id:	CNNVD-201910-414
db:	NVD	id:	CVE-2019-6843

LAST UPDATE DATE

2024-11-23T21:36:37.726000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-41496	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-011434	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-414	date:	2021-04-20T00:00:00
db:	NVD	id:	CVE-2019-6843	date:	2024-11-21T04:47:15.820

SOURCES RELEASE DATE

db:	IVD	id:	7eaa68f9-e73a-4548-a0c9-a2eb041ec668	date:	2019-11-20T00:00:00
db:	CNVD	id:	CNVD-2019-41496	date:	2019-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-011434	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-414	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2019-6843	date:	2019-10-29T19:15:21.987