Talos Vulnerability Report

TALOS-2019-0827

Schneider Electric Modicon M580 FTP cleartext authentication vulnerability

October 8, 2019
CVE Number

CVE-2019-6846

Summary

An exploitable information disclosure vulnerability exists in the FTP functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. An attacker can sniff network traffic to exploit this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.80

Product URLs

https://www.schneider-electric.com/en/work/campaign/m580-epac/

CVSSv3 Score

5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-319: Cleartext Transmission of Sensitive Information

Details

The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.

When conducting a firmware upgrade of the Modicon M580 there are a few options to choose from, including FTP. If FTP is chosen, credentials must be provided to gain access to the custom commands exposed by the device. Due to the use of FTP for communication, these credentials will be sent in plaintext across the network. This allows an attacker sniffing the traffic between a legitimate workstation and the device to passively obtain the FTP credentials.

Timeline

2019-05-08 - Vendor Disclosure
2019-09-10 - Vendor disclosure date extended
2019-10-08 - Public Release

Credit

Discovered by Jared Rittle of Cisco Talos.