CVE-2020-7536 : A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exi

A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.

Published 2020-12-11 01:15:12

Updated 2020-12-14 20:42:28

Source Schneider Electric SE

View at NVD, CVE.org

Products affected by CVE-2020-7536

Schneider-electric » Bmxnor0200h Firmware
cpe:2.3:o:schneider-electric:bmxnor0200h_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxnor0200h » Version: N/A
Schneider-electric » Bmxp341000 Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp341000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp341000 » Version: N/A
Schneider-electric » Bmxp342000 Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp342000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp342000 » Version: N/A
Schneider-electric » Bmxp3420102 Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp3420102_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp3420102 » Version: N/A
Schneider-electric » Bmxp3420102cl Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp3420102cl_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp3420102cl » Version: N/A
Schneider-electric » Bmxp342020 Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp342020_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp342020 » Version: N/A
Schneider-electric » Bmxp3420302 Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp3420302_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp3420302 » Version: N/A
Schneider-electric » Bmxp3420302cl Firmware
Versions before (<) 3.30
cpe:2.3:o:schneider-electric:bmxp3420302cl_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxp3420302cl » Version: N/A
Schneider-electric » Bmxnoe0100 Firmware
Versions before (<) 3.4
cpe:2.3:o:schneider-electric:bmxnoe0100_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxnoe0100 » Version: N/A
Schneider-electric » Bmxnoe0110 Firmware
Versions before (<) 6.6
cpe:2.3:o:schneider-electric:bmxnoe0110_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Bmxnoe0110 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-7536

EPSS FAQ

0.48%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7536

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	AV:N/AC:L/Au:N/C:N/I:N/A:C	10.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-7536

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Assigned by: cybersecurity@se.com (Primary)

References for CVE-2020-7536

https://www.se.com/ww/en/download/document/SEVD-2020-343-07/

Security Notification - SNMP Service on Modicon M340 and associated Communication Modules | Schneider Electric
Vendor Advisory
https://security.cse.iitk.ac.in/responsible-disclosure

Responsible Disclosure | Indian Institute of Technology, Kanpur
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-7536

Products affected by CVE-2020-7536

Exploit prediction scoring system (EPSS) score for CVE-2020-7536

CVSS scores for CVE-2020-7536

CWE ids for CVE-2020-7536

References for CVE-2020-7536