SB2020121015 - Multiple vulnerabilities in Schneider Electric Modicon M221

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Inadequate Encryption Strength (CVE-ID: CVE-2020-7565)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an inadequate encryption strength issue. A remote attacker on the local network can break the encryption key.

2) Small Space of Random Values (CVE-ID: CVE-2020-7566)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a small space of random values issue. A remote attacker on the local network can break the encryption keys.

3) Missing Encryption of Sensitive Data (CVE-ID: CVE-2020-7567)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing encryption of sensitive data. A remote attacker on the local ntwork can find the password hash.

4) Information disclosure (CVE-ID: CVE-2020-7568)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.

5) Use of a One-Way Hash with a Predictable Salt (CVE-ID: CVE-2020-28214)

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to a use of a one-way hash with a predictable salt. A local user can pre-compute the hash value using a dictionary attack, effectively disabling the protection that an unpredictable salt would provide. 

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://www.se.com/ww/en/download/document/SEVD-2020-315-05/
• https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04
• https://ics-cert.us-cert.gov/advisories/icsa-20-343-04