Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

Description

An Information Exposure through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

The POC includes integration with shodan to find potentially vulnerable targets and automatically try the exploit against all, showing at the end the results and the % of vulnerable servers.

This POC is working correctly with the following versions of Schneider-WEB server

  • Server: Schneider-WEB/V2.1.3
  • Server: Schneider-WEB/V2.2.0
  • Server: Schneider-WEB/V2.0.11
  • Server: Schneider-WEB/V2.2.1
  • Server: Schneider-WEB/V2.5.0
  • Server: Schneider-WEB/V1.0.4 port 83

Currently at 2018/12/19, there are 300 system with this caracteristics exposed (based in shodan results).

According to Schenider Electrics, the affected products are all versions of:

  • Modicon M340
  • Premium
  • Quantum PLCs
  • BMXNOR0200

Official security notification

Timeline

  • 2018/03/28 - Notified to vendor
  • 2018/12/17 - Disclosed by vendor
  • 2018/12/19 - POC Released