CVE-2018-7853 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2018-7853?

CVE-2018-7853 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-7853?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Modicon Premium Firmware, Schneider-Electric Modicon Premium, Schneider-Electric Modicon Quantum Firmware, Schneider-Electric Modicon Quantum, Schneider-Electric Modicon M340 Firmware.

Vulnerability Description

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Schneider-Electric	Modicon Premium Firmware	-
Schneider-Electric	Modicon Premium	-
Schneider-Electric	Modicon Quantum Firmware	-
Schneider-Electric	Modicon Quantum	-
Schneider-Electric	Modicon M340 Firmware	< 3.10
Schneider-Electric	Modicon M340	-
Schneider-Electric	Modicon M580 Firmware	< 2.90
Schneider-Electric	Modicon M580	-

Related Weaknesses (CWE)

CWE-754

References

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/MitigationVendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0764ExploitThird Party Advisory
https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11/MitigationVendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0764ExploitThird Party Advisory

FAQ

What is CVE-2018-7853?

CVE-2018-7853 is a vulnerability with a CVSS score of 7.5 (HIGH). A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid phys...

How severe is CVE-2018-7853?

CVE-2018-7853 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-7853?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Modicon Premium Firmware, Schneider-Electric Modicon Premium, Schneider-Electric Modicon Quantum Firmware, Schneider-Electric Modicon Quantum, Schneider-Electric Modicon M340 Firmware.