Incorrect Buffer Size Calculation in Schneider Electric's Webserver Product
CVE-2024-11425
CVSS v4: 8.7 (High)
Key Information:
- Vendor: Schneider Electric
- Status: Vendor
- CVE Published: 17 January 2025
Summary
An incorrect buffer size calculation (CWE-131) exists in Schneider Electric's webserver. An unauthenticated remote attacker who can reach the webserver over the network can send a specially crafted HTTPS packet that triggers the miscalculation and causes a Denial-of-Service, potentially leaving the webserver inoperable until the device is restarted. The vulnerability affects availability only; no loss of confidentiality or integrity has been reported. Operators should identify affected products in their estate, update to a fixed version where one is available, and, where it is not, restrict network access to the webserver to trusted hosts.
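The bug class behind this advisory (CWE-131) is easiest to see in code. The following is an added illustration written for this page, not Schneider Electric's webserver code, and it makes no claim about how the affected products compute their buffers. It assumes a hypothetical handler that sizes a buffer from the peer-supplied Content-Length header: the vulnerable form adds a fixed overhead without an overflow check, so a large declared length wraps the computed size to a small value and the subsequent copy overruns the allocation; the hardened form parses the header strictly, caps it against a policy limit before doing any arithmetic, and bounds the copy by the computed size rather than by the peer's claim. The names MAX_BODY, vulnerable_buffer_size, safe_buffer_size and read_body are all assumptions of this example.

```c
/* Added example for this page: a hypothetical HTTP body handler showing
 * CWE-131 (incorrect calculation of buffer size) and a hardened version.
 * This is NOT Schneider Electric's webserver code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 4096   /* policy limit on a request body; an assumption of this example */
#define TRAILER   16    /* fixed overhead added to every buffer (NUL terminator plus padding) */

/* Return codes used by the handlers below. */
enum { REQ_OK = 0, REQ_TOO_LARGE = 1, REQ_ALLOC_FAIL = 2, REQ_BAD_LEN = 3 };

/* Vulnerable pattern: the allocation size is derived from an attacker-controlled
 * Content-Length by adding a fixed overhead with no wrap-around check. For a value
 * close to SIZE_MAX the addition wraps to a tiny number, malloc() of that number
 * succeeds, and a copy of content_len bytes then overruns the buffer. Only the
 * size computation is shown, so the wrap can be observed without an overrun. */
size_t vulnerable_buffer_size(size_t content_len)
{
    return content_len + TRAILER;   /* wraps when content_len > SIZE_MAX - TRAILER */
}

/* Hardened pattern: accept only a plain decimal digit string, reject any value
 * above MAX_BODY while parsing (so no intermediate result can overflow), and
 * check the final addition explicitly. Writes the allocation size to *out. */
int safe_buffer_size(const char *content_length_hdr, size_t *out)
{
    if (!content_length_hdr || !*content_length_hdr || !out)
        return REQ_BAD_LEN;

    for (const char *p = content_length_hdr; *p; p++)
        if (*p < '0' || *p > '9')
            return REQ_BAD_LEN;          /* signs, spaces, hex, etc. are rejected */

    size_t len = 0;
    for (const char *p = content_length_hdr; *p; p++) {
        size_t digit = (size_t)(*p - '0');
        /* len * 10 + digit <= MAX_BODY  <=>  len <= (MAX_BODY - digit) / 10 */
        if (len > ((size_t)MAX_BODY - digit) / 10)
            return REQ_TOO_LARGE;
        len = len * 10 + digit;
    }

    if (len > SIZE_MAX - TRAILER)        /* cannot happen after the cap; kept explicit */
        return REQ_TOO_LARGE;
    *out = len + TRAILER;
    return REQ_OK;
}

/* Copy a request body into a freshly allocated buffer sized by safe_buffer_size().
 * The copy length is the value we computed, never the raw peer claim, and it is
 * also bounded by how many bytes were actually received. On REQ_OK the caller
 * owns *out_buf (NUL-terminated) and must free() it. */
int read_body(const char *content_length_hdr, const unsigned char *body,
              size_t body_avail, char **out_buf, size_t *out_len)
{
    size_t alloc = 0;
    int rc = safe_buffer_size(content_length_hdr, &alloc);
    if (rc != REQ_OK)
        return rc;

    size_t declared = alloc - TRAILER;
    if (body == NULL || body_avail < declared)
        return REQ_BAD_LEN;              /* truncated body: do not read past what we hold */

    char *buf = malloc(alloc);
    if (!buf)
        return REQ_ALLOC_FAIL;
    memcpy(buf, body, declared);
    buf[declared] = '\0';
    *out_buf = buf;
    *out_len = declared;
    return REQ_OK;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    printf("vulnerable size for SIZE_MAX-8: %zu (wrapped)\n",
           vulnerable_buffer_size(SIZE_MAX - 8));

    size_t n = 0;
    printf("safe_buffer_size(\"18446744073709551608\") -> rc=%d\n",
           safe_buffer_size("18446744073709551608", &n));

    char *buf = NULL;
    size_t len = 0;
    int rc = read_body("5", (const unsigned char *)"hello world", 11, &buf, &len);
    printf("read_body(\"5\") -> rc=%d body=\"%s\" len=%zu\n", rc, rc == REQ_OK ? buf : "", len);
    free(buf);
    return 0;
}
```

The point of the hardened parser is that the bound is enforced on the value before it participates in any size arithmetic; an overflow check on the final addition alone would still let a large but non-wrapping Content-Length drive an oversized allocation, which is itself a resource-exhaustion DoS vector.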
Affected Version(s)
BMENOR2200H: all versions
EVLink Pro AC: versions prior to v1.3.10
Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety): versions prior to SV4.30
CVSS v4
Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Timeline
- Vulnerability reserved
- Vulnerability published: 17 January 2025