CVE-2018-8872
Published 2018-05-04
Priority: P2 · 75 · high · 8.1 (CVSS 3.0)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW (VulnCheck KEV): Exploited in the wild
EPSS: 2.31% (81.2th percentile)
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow attacker data to be copied anywhere within memory.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider-electric | triconex_tricon_mp_3008_firmware | 10.0 – 10.4 | — |
| schneider_electric | triconex_tricon | — | — |
Detection & IOCs
YARA: https://ics-cert.us-cert.gov/sites/default/files/file_attach/MAR-17-352-01.yara
- HatMan malware specifically targets CVE-2018-8872 and CVE-2018-7522 on Schneider Electric Triconex Tricon MP Model 3008 firmware versions 10.0-10.4; detection should focus on this malware family against these specific firmware versions.
- The vulnerability allows attacker-controlled data to be copied anywhere within memory via unverified system calls reading directly from control program area memory addresses; monitor for anomalous memory write activity in the Tricon control program area.
- HatMan malware requires unrestricted access to the safety network; monitor for unexpected connections to the safety network from external or non-TriStation hosts.
- Only MP Model 3008 firmware versions 10.0-10.4 are affected; other models or firmware versions are not listed as vulnerable.
- Exploitation is rated as requiring a high skill level despite being remotely exploitable (CVSS v3 base score 9.0, vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
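CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 8.1 | HIGH | |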
CISA ICS
Schneider Electric Triconex Tricon (Update B)
cisa_ics·2018-05-03·CVSS 8.1
[HIGH] Schneider Electric Triconex Tricon (Update B)
Last Revised: December 18, 2018
Alert Code: ICSA-18-107-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.0
- ATTENTION: Exploitable remotely/HatMan malware specifically targets these vulnerabilities.
- Vendor: Schneider Electric
- Equipment: Triconex Tricon, Model 3008
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the updated advisory titled ICSA-18-107-02 Schneider Electric Triconex Tricon (Update A) that was published May 3, 2018,
GHSA
GHSA-ggm5-5h63-2mvr: In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10
ghsa_unreviewed·2022-05-13
CVE-2018-8872 [HIGH] CWE-119 GHSA-ggm5-5h63-2mvr: In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow attacker data to be copied anywhere within memory.
VulnCheck
Schneider Electric triconex_tricon_mp_3008_firmware Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2018·CVSS 8.1
CVE-2018-8872 [HIGH] Schneider Electric triconex_tricon_mp_3008_firmware Improper Restriction of Operations within the Bounds of a Memory Buffer
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow attacker data to be copied anywhere within memory.
Affected: Schneider Electric triconex_tricon_mp_3008_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://collaborate.mitre.org/attackics/index.php/Software/S0013; https://www.us-cert.gov/ics/advisories/ICSA-18-107-02; https://www.waterisac.org/portal/s
No detection rules found.
No public exploits indexed.
- http://www.securityfocus.com/bid/103947
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02
- https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/