Insufficient Randomness Vulnerability in Modicon Ethernet Communication by Schneider Electric
CVE-2019-6821

6.5 MEDIUM

Summary

The vulnerability is a use of insufficiently random values, which makes it possible for attackers to hijack TCP connections when Ethernet communication is in use. The flaw affects multiple Schneider Electric Modicon firmware versions and opens avenues for unauthorized access to, and potential control of, network devices.

Affected Version(s)

Modicon Controllers: Modicon M580 firmware versions prior to V2.30, and all firmware versions of Modicon M340, Modicon Premium, and Modicon Quantum.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
