CVE-2018-7522
Published: 2018-05-04
Priority P277 · medium · 6.7 (CVSS 3.0)
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.43% (34.5th percentile)
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, when a system call is made, registers are stored to a fixed memory location. Modifying the data in this location could allow attackers to gain supervisor-level access and control system states.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider-electric | triconex_tricon_mp_3008_firmware | 10.0 – 10.0-10.4 | — |
| schneider_electric | triconex_tricon | — | — |
Detection & IOCs (extracted from sources)
- HatMan malware specifically targets CVE-2018-7522 and CVE-2018-8872 on Triconex Tricon MP Model 3008 firmware 10.0-10.4; presence of HatMan binary components can be detected using the published YARA rule (MAR-17-352-01.yara).
- CVE-2018-7522 exploitation involves writing attacker-controlled data to a fixed memory location used to store registers during system calls, enabling supervisor-level privilege escalation on the Tricon MP Model 3008.
- HatMan malware requires unrestricted access to the safety network; monitor for unexpected remote or physical access to the safety network as a precursor indicator.
- CVE-2018-7522 only affects Triconex Tricon MP Model 3008 firmware versions 10.0 through 10.4; systems running Tricon CX v11.4 or later are not affected.
- Exploitation requires the attacker to already have local high-privilege access (CVSS AV:L/PR:H), limiting remote-only attack scenarios despite the advisory noting remote exploitability in the context of HatMan.
- Schneider Electric's HatMan malware detection service requires customers to have a support contract in place as of February 1, 2019; data must be sent to Schneider Electric for analysis.
CVSS provenance
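| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.7 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 6.7 | MEDIUM | — |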
CISA ICS
Schneider Electric Triconex Tricon (Update B)
cisa_ics·2018-05-03·CVSS 8.1
[HIGH] Schneider Electric Triconex Tricon (Update B)
ICS Advisory
Last Revised: December 18, 2018
Alert Code: ICSA-18-107-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.0
- ATTENTION: Exploitable remotely/HatMan malware specifically targets these vulnerabilities.
- Vendor: Schneider Electric
- Equipment: Triconex Tricon, Model 3008
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the updated advisory titled ICSA-18-107-02 Schneider Electric Triconex Tricon (Update A) that was published May 3, 2018,
GHSA
GHSA-293h-57f9-wc4c: In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10
ghsa_unreviewed·2022-05-13
CVE-2018-7522 [HIGH] GHSA-293h-57f9-wc4c: In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, when a system call is made, registers are stored to a fixed memory location. Modifying the data in this location could allow attackers to gain supervisor-level access and control system states.
VulnCheck
Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
vulncheck·2018·CVSS 6.7
CVE-2018-7522 [MEDIUM] Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, when a system call is made, registers are stored to a fixed memory location. Modifying the data in this location could allow attackers to gain supervisor-level access and control system states.
Affected: Schneider Electric triconex_tricon_mp_3008_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.waterisac.org/portal/schneider-electric-triconex-tricon-icsa-18-107-02; https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Yea
No detection rules found.
No public exploits indexed.
- http://www.securityfocus.com/bid/103947
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02
- https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/