Detections
Analytics

Schneider Electric Modicon Cross-Site Request Forgery (CVE-2020-7534)

high Tenable OT Security Plugin ID 501198

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in. Affected Products: Modicon M340 CPUs: BMXP34 (All Versions), Modicon Quantum CPUs with integrated Ethernet (Copro):
140CPU65 (All Versions), Modicon Premium CPUs with integrated Ethernet (Copro): TSXP57 (All Versions), Modicon M340 ethernet modules:
(BMXNOC0401, BMXNOE01, BMXNOR0200H) (All Versions), Modicon Quantum and Premium factory cast communication modules: (140NOE77111, 140NOC78*00, TSXETY5103, TSXETY4103) (All Versions)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

http://www.nessus.org/u?e7662aef

Plugin Details

Severity: High

ID: 501198

Version: 1.2

Type: remote

Family: Tenable.ot

Published: 6/29/2023

Updated: 8/22/2023

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-7534

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:schneider-electric:140cpu65_firmware, cpe:/o:schneider-electric:140noc78000_firmware, cpe:/o:schneider-electric:140noe77111_firmware, cpe:/o:schneider-electric:bmxnoc0401_firmware, cpe:/o:schneider-electric:bmxnoe01_firmware, cpe:/o:schneider-electric:bmxnor0200h_firmware, cpe:/o:schneider-electric:bmxp342020_firmware, cpe:/o:schneider-electric:tsxety4103_firmware, cpe:/o:schneider-electric:tsxety5103_firmware, cpe:/o:schneider-electric:tsxp57_firmware

Required KB Items: Tenable.ot/Schneider

Exploit Ease: No known exploits are available

Patch Publication Date: 2/4/2022

Vulnerability Publication Date: 2/4/2022

Reference Information

CVE: CVE-2020-7534

CWE: 352