Details of VAR-201910-0582

ID

VAR-201910-0582

CVE

CVE-2019-6849

TITLE

plural Modicon Information disclosure vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-011422

DESCRIPTION

A CWE-200: Information Exposure vulnerability exists in Modicon M580, Modicon BMENOC 0311, and Modicon BMENOC 0321, which could cause the disclosure of sensitive information when using specific Modbus services provided by the REST API of the controller/communication module. Modicon M580 , Modicon BMENOC 0311 , Modicon BMENOC 0321 Contains an information disclosure vulnerability.Information may be obtained. Modicon M580 / BMENOC 0311 / BMENOC 0321 are all programmable logic controllers from Schneider Electric

Trust: 2.34

sources: NVD: CVE-2019-6849 // JVNDB: JVNDB-2019-011422 // CNVD: CNVD-2019-44958 // IVD: 83e638bb-50ba-4d5d-b66d-f716b078a405

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 83e638bb-50ba-4d5d-b66d-f716b078a405 // CNVD: CNVD-2019-44958

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon bmenoc 0311	scope:	eq	version:	-	Trust: 2.2
vendor:	schneider electric	model:	modicon m580	scope:	eq	version:	-	Trust: 2.2
vendor:	schneider electric	model:	modicon bmenoc 0321	scope:	eq	version:	-	Trust: 2.2
vendor:	schneider electric	model:	modicon bmenoc 0311	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon bmenoc 0321	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m580	scope:	-	version:	-	Trust: 0.6
vendor:	modicon m580	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	modicon bmenoc 0311	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	modicon bmenoc 0321	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: 83e638bb-50ba-4d5d-b66d-f716b078a405 // CNVD: CNVD-2019-44958 // JVNDB: JVNDB-2019-011422 // CNNVD: CNNVD-201910-421 // NVD: CVE-2019-6849

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6849
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6849
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-44958
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-421
value:	HIGH
Trust: 0.6
IVD:	83e638bb-50ba-4d5d-b66d-f716b078a405
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-6849
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-44958
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	83e638bb-50ba-4d5d-b66d-f716b078a405
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-6849
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6849
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 83e638bb-50ba-4d5d-b66d-f716b078a405 // CNVD: CNVD-2019-44958 // JVNDB: JVNDB-2019-011422 // CNNVD: CNNVD-201910-421 // NVD: CVE-2019-6849

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2019-011422 // NVD: CVE-2019-6849

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-421

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201910-421

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011422

PATCH

title:	SEVD-2019-281-04	url:	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-04	Trust: 0.8
title:	Patch for Schneider Electric Modicon M580 / BMENOC 0311 / BMENOC 0321 Information Disclosure Vulnerability (CNVD-2019-44958)	url:	https://www.cnvd.org.cn/patchInfo/show/193527	Trust: 0.6

sources: CNVD: CNVD-2019-44958 // JVNDB: JVNDB-2019-011422

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6849	Trust: 3.2
db:	SCHNEIDER	id:	SEVD-2019-281-04	Trust: 1.6
db:	CNVD	id:	CNVD-2019-44958	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-421	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011422	Trust: 0.8
db:	TALOS	id:	TALOS-2019-0867	Trust: 0.6
db:	IVD	id:	83E638BB-50BA-4D5D-B66D-F716B078A405	Trust: 0.2

sources: IVD: 83e638bb-50ba-4d5d-b66d-f716b078a405 // CNVD: CNVD-2019-44958 // JVNDB: JVNDB-2019-011422 // CNNVD: CNNVD-201910-421 // NVD: CVE-2019-6849

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-6849	Trust: 2.0
url:	https://www.schneider-electric.com/ww/en/download/document/sevd-2019-281-04	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6849	Trust: 0.8
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2019-0867	Trust: 0.6

sources: CNVD: CNVD-2019-44958 // JVNDB: JVNDB-2019-011422 // CNNVD: CNNVD-201910-421 // NVD: CVE-2019-6849

CREDITS

Discovered by Jared Rittle of Cisco Talos

Trust: 0.6

sources: CNNVD: CNNVD-201910-421

SOURCES

db:	IVD	id:	83e638bb-50ba-4d5d-b66d-f716b078a405
db:	CNVD	id:	CNVD-2019-44958
db:	JVNDB	id:	JVNDB-2019-011422
db:	CNNVD	id:	CNNVD-201910-421
db:	NVD	id:	CVE-2019-6849

LAST UPDATE DATE

2024-11-23T22:21:25.680000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-44958	date:	2019-12-11T00:00:00
db:	JVNDB	id:	JVNDB-2019-011422	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-421	date:	2019-11-26T00:00:00
db:	NVD	id:	CVE-2019-6849	date:	2024-11-21T04:47:16.557

SOURCES RELEASE DATE

db:	IVD	id:	83e638bb-50ba-4d5d-b66d-f716b078a405	date:	2019-12-11T00:00:00
db:	CNVD	id:	CNVD-2019-44958	date:	2019-12-10T00:00:00
db:	JVNDB	id:	JVNDB-2019-011422	date:	2019-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-421	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2019-6849	date:	2019-10-29T19:15:22.407