Vulnerability Description
A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs: Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application lack randomization and are shared between several users. This may allow a current session to be compromised.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider-Electric | Modicon M251 Firmware | <= 4.0.3.20 |
| Schneider-Electric | Modicon M251 | - |
| Schneider-Electric | Modicon M241 Firmware | <= 4.0.3.20 |
| Schneider-Electric | Modicon M241 | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97254 (Third Party Advisory, VDB Entry)
- https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02 (Third Party Advisory, US Government Resource)
- https://www.exploit-db.com/exploits/45918/ (Exploit, Third Party Advisory, VDB Entry)
FAQ
What is CVE-2017-6026?
CVE-2017-6026 is a vulnerability with a CVSS score of 9.1 (CRITICAL). A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Ve...
How severe is CVE-2017-6026?
CVE-2017-6026 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-6026?
Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Modicon M251 Firmware, Schneider-Electric Modicon M251, Schneider-Electric Modicon M241 Firmware, Schneider-Electric Modicon M241.