A vulnerability classified as critical was found in Schneider Electric Modicon M340 CPU, Modicon M580 CPU, Legacy Modicon Quantum, Legacy Modicon Premium, Modicon Momentum MDI and Modicon MC80 (SCADA Software). This vulnerability affects some unknown functionality of the component Modbus TCP Protocol Handler. The manipulation with an unknown input leads to a integer underflow vulnerability. The CWE definition for the vulnerability is CWE-191. The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. As an impact it is known to affect availability. CVE summarizes:

A CWE-191: Integer Underflow (Wrap or Wraparound) vulnerability exists that could cause a denial of service of the controller due to memory access violations when using the Modbus TCP protocol. Affected products: Modicon M340 CPU (part numbers BMXP34*)(V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*)(V3.22 and prior), Legacy Modicon Quantum/Premium(All Versions), Modicon Momentum MDI (171CBU*)(All Versions), Modicon MC80 (BMKC80)(V1.7 and prior)

The weakness was shared 11/22/2022 as SEVD-2022-221-02. The advisory is available at se.com. This vulnerability was named CVE-2022-37301 since 08/01/2022. The technical details are unknown and an exploit is not available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• SCADA Software

Vendor

• Schneider Electric

Name

• Legacy Modicon Premium
• Legacy Modicon Quantum
• Modicon M340 CPU
• Modicon M580 CPU
• Modicon MC80
• Modicon Momentum MDI

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion