An Information Exposure through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
The POC integrates with Shodan to find potentially vulnerable targets and automatically tries the exploit against all of them, then reports the results and the percentage of vulnerable servers.
This POC works correctly with the following versions of the Schneider-WEB server:
- Server: Schneider-WEB/V2.1.3
- Server: Schneider-WEB/V2.2.0
- Server: Schneider-WEB/V2.0.11
- Server: Schneider-WEB/V2.2.1
- Server: Schneider-WEB/V2.5.0
- Server: Schneider-WEB/V1.0.4 port 83
As of 2018/12/19, there are 300 systems with these characteristics exposed (based on Shodan results).
According to Schneider Electric, the affected products are all versions of:
- Modicon M340
- Premium
- Quantum PLCs
- BMXNOR0200
Official security notification
- 2018/03/28 - Notified to vendor
- 2018/12/17 - Disclosed by vendor
- 2018/12/19 - POC Released