CVE-2019-6855 — HIGH (7.3) — White Hats Nepal

Q: How severe is CVE-2019-6855?

CVE-2019-6855 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-6855?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Ecostruxure Control Expert, Schneider-Electric Unity Pro, Schneider-Electric Modicon M580 Bmep584040 Firmware, Schneider-Electric Modicon M580 Bmep584040, Schneider-Electric Modicon M580 Bmeh584040 Firmware.

Vulnerability Description

Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10), which could cause a bypass of the authentication process between EcoStruxure Control Expert and the M340 and M580 controllers.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Schneider-Electric	Ecostruxure Control Expert	< 14.1
Schneider-Electric	Unity Pro	All versions
Schneider-Electric	Modicon M580 Bmep584040 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep584040	-
Schneider-Electric	Modicon M580 Bmeh584040 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmeh584040	-
Schneider-Electric	Modicon M580 Bmep586040 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep586040	-
Schneider-Electric	Modicon M580 Bmeh586040 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmeh586040	-
Schneider-Electric	Modicon M580 Bmep581020 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep581020	-
Schneider-Electric	Modicon M580 Bmep582020 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep582020	-
Schneider-Electric	Modicon M580 Bmep582040 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep582040	-
Schneider-Electric	Modicon M580 Bmep583020 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep583020	-
Schneider-Electric	Modicon M580 Bmep583040 Firmware	< 3.10
Schneider-Electric	Modicon M580 Bmep583040	-

Related Weaknesses (CWE)

CWE-863

References

https://www.se.com/ww/en/download/document/SEVD-2019-344-02/Vendor Advisory
https://www.se.com/ww/en/download/document/SEVD-2019-344-02/Vendor Advisory

FAQ

What is CVE-2019-6855?

CVE-2019-6855 is a vulnerability with a CVSS score of 7.3 (HIGH). Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580...

How severe is CVE-2019-6855?

CVE-2019-6855 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-6855?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Ecostruxure Control Expert, Schneider-Electric Unity Pro, Schneider-Electric Modicon M580 Bmep584040 Firmware, Schneider-Electric Modicon M580 Bmep584040, Schneider-Electric Modicon M580 Bmeh584040 Firmware.