CVE-2019-6820 — HIGH (8.2) — White Hats Nepal

Vulnerability Description

A CWE-306: Missing Authentication for Critical Function vulnerability exists which could cause a modification of device IP configuration (IP address, network mask and gateway IP address) when a specific Ethernet frame is received in all versions of: Modicon M100, Modicon M200, Modicon M221, ATV IMC drive controller, Modicon M241, Modicon M251, Modicon M258, Modicon LMC058, Modicon LMC078, PacDrive Eco ,PacDrive Pro, PacDrive Pro2

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Schneider-Electric	Modicon M100 Firmware	All versions
Schneider-Electric	Modicon M100	-
Schneider-Electric	Modicon M200 Firmware	All versions
Schneider-Electric	Modicon M200	-
Schneider-Electric	Modicon M221 Firmware	All versions
Schneider-Electric	Modicon M221	-
Schneider-Electric	Atv Imc Drive Controller Firmware	All versions
Schneider-Electric	Atv Imc Drive Controller	-
Schneider-Electric	Modicon M241 Firmware	All versions
Schneider-Electric	Modicon M241	-
Schneider-Electric	Modicon M251 Firmware	All versions
Schneider-Electric	Modicon M251	-
Schneider-Electric	Modicon M258 Firmware	All versions
Schneider-Electric	Modicon M258	-
Schneider-Electric	Modicon Lmc058 Firmware	All versions
Schneider-Electric	Modicon Lmc058	-
Schneider-Electric	Modicon Lmc078 Firmware	All versions
Schneider-Electric	Modicon Lmc078	-
Schneider-Electric	Pacdrive Eco Firmware	All versions
Schneider-Electric	Pacdrive Eco	-

Related Weaknesses (CWE)

CWE-306

References

https://www.schneider-electric.com/en/download/document/SEVD-2019-134-02/Vendor Advisory
https://www.schneider-electric.com/en/download/document/SEVD-2019-134-02/Vendor Advisory

FAQ

What is CVE-2019-6820?

CVE-2019-6820 is a vulnerability with a CVSS score of 8.2 (HIGH). A CWE-306: Missing Authentication for Critical Function vulnerability exists which could cause a modification of device IP configuration (IP address, network mask and gateway IP address) when a specif...

How severe is CVE-2019-6820?

CVE-2019-6820 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-6820?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Modicon M100 Firmware, Schneider-Electric Modicon M100, Schneider-Electric Modicon M200 Firmware, Schneider-Electric Modicon M200, Schneider-Electric Modicon M221 Firmware.