Integer Underflow Vulnerability in Modicon Controllers by Schneider Electric
CVE-2022-37301

7.5HIGH

Key Information:

Vendor: Schneider Electric
Status: Modicon M340 Cpu (part Numbers Bmxp34*); Modicon M580 Cpu (part Numbers Bmep* And Bmeh*); Legacy Modicon Quantum/premium; Modicon Momentum Mdi (171cbu*)
Vendor: CVE Published:; 22 November 2022

Summary

A vulnerability exists in Schneider Electric's Modicon controllers that allows for an integer underflow, causing a potential denial of service. This issue arises when using the Modbus TCP protocol, leading to memory access violations. As a result, affected controllers may become unresponsive, impacting operational reliability. Users are encouraged to review their systems and implement necessary updates to mitigate this vulnerability.

Affected Version(s)

Legacy Modicon Quantum/Premium All Versions

Modicon M340 CPU (part numbers BMXP34*) V <= 3.40

Modicon M580 CPU (part numbers BMEP* and BMEH*) V <= 3.22

References

https://www.se.com/us/en/download/document/SEVD-2022-221-02/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2022
Vulnerability Reserved
Aug 1, 2022