Schneider Electric Modicon CVE-2017-7575 Information Disclosure Vulnerability

Schneider Electric Modicon TM221CE16R is prone to a local information-disclosure vulnerability.

An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks.

Schneider Modicon TM221CE16R firmware 1.3.3.3 is affected.

Information

Bugtraq ID: 97523
Class: Design Error
CVE: CVE-2017-7575

Remote: Yes
Local: No
Published: Apr 06 2017 12:00AM
Updated: Apr 17 2017 03:07PM
Credit: Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg.
Vulnerable: Schneider-Electric Modicon TM221CE16R 1.3.3.3
Schneider-Electric Modicon M221 1.5.0.1
Schneider-Electric Modicon M221 1.5.0.0

Not Vulnerable:

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• Schneider Electric HomePage (Schneider Electric)
  
• ICSA-17-103-02:Schneider Electric Modicon M221 PLCs and SoMachine Basic (CERT)
  
• OS-S Security Advisory 2017-01 (OS-S)
  

Source: www.securityfocus.com