CVE-2019-6847 - OpenCVE

A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the FTP service when upgrading the firmware with a version incompatible with the application in the controller using FTP protocol.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Modicon 140cra Modicon 140cra Firmware Modicon Bmxcra Modicon Bmxcra Firmware Modicon M340 Modicon M340 Firmware Modicon M580 Modicon M580 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:modicon_m580_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_m580:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:schneider-electric:modicon_m340_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_m340:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:schneider-electric:modicon_bmxcra_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_bmxcra:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:schneider-electric:modicon_140cra_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_140cra:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.se.com/ww/en/download/document/SEVD-2019-281-02/

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2019-10-29T14:52:24

Updated: 2024-08-04T20:31:04.413Z

Reserved: 2019-01-25T00:00:00

Link: CVE-2019-6847

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-10-29T19:15:22.267

Modified: 2022-02-03T16:09:58.473

Link: CVE-2019-6847

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Modicon M580, Modicon M340, and Modicon BMxCRA / 140CRA modules (see notification for version info)", "vendor": "n/a", "versions": [{"status": "affected", "version": "Modicon M580, Modicon M340, and Modicon BMxCRA / 140CRA modules (see notification for version info)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the FTP service when upgrading the firmware with a version incompatible with the application in the controller using FTP protocol."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-19T12:18:02", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2019-6847", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Modicon M580, Modicon M340, and Modicon BMxCRA / 140CRA modules (see notification for version info)", "version": {"version_data": [{"version_value": "Modicon M580, Modicon M340, and Modicon BMxCRA / 140CRA modules (see notification for version info)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the FTP service when upgrading the firmware with a version incompatible with the application in the controller using FTP protocol."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-755: Improper Handling of Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02/", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:31:04.413Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02/"}]}]}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2019-6847", "datePublished": "2019-10-29T14:52:24", "dateReserved": "2019-01-25T00:00:00", "dateUpdated": "2024-08-04T20:31:04.413Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m580_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D52D735D-8AB5-40FE-A83F-266977601571", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m580:-:*:*:*:*:*:*:*", "matchCriteriaId": "E876C738-ABF6-4864-98A6-1E06E96A0DF4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m340_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "05CBA9AD-ECB7-453F-8551-DD176FDE8043", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m340:-:*:*:*:*:*:*:*", "matchCriteriaId": "138681A2-0146-492B-8E10-06849FC27C6E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_bmxcra_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4E41AAB-05A3-43A4-B97A-34F265E25F40", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_bmxcra:-:*:*:*:*:*:*:*", "matchCriteriaId": "F80F2F1C-F681-4498-942E-31EDA9CF79F8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_140cra_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "76F5D4B2-1C0A-45E8-993C-DBBA4F745345", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_140cra:-:*:*:*:*:*:*:*", "matchCriteriaId": "94575CFC-1395-4BB4-8D4F-AA41F7068A26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the FTP service when upgrading the firmware with a version incompatible with the application in the controller using FTP protocol."}, {"lang": "es", "value": "Existe una vulnerabilidad CWE-755: Manejo inadecuado de condiciones excepcionales en los m\u00f3dulos Modicon M580, Modicon M340, Modicon BMxCRA y 140CRA (todas las versiones de firmware), que podr\u00eda causar un ataque de denegaci\u00f3n de servicio en el servicio FTP al actualizar el firmware con una versi\u00f3n incompatible con la aplicaci\u00f3n en el controlador utilizando el protocolo FTP"}], "id": "CVE-2019-6847", "lastModified": "2022-02-03T16:09:58.473", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-29T19:15:22.267", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-755"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}