JFrog Security Research
< Back

XRAY-150047 - libmodbus MODBUS_FC_WRITE_MULTIPLE_COILS OOB-R

CVE-2019-14462 | CVSS 9.1

JFrog Severity:critical

Discovered ByMaor Vermuchtof the JFrog Security Research Team

Published 31 Jul, 2019 | Last updated 31 Jul, 2019

Insufficient input validation in the libmodbus library allows unprivileged local network attackers to cause data leakage by sending simple crafted packets.

libmodbus

libmodbus [3.0.0,3.0.7), fixed on 3.0.7

libmodbus [3.1.0,3.1.5), fixed on 3.1.5

libmodbus is a C library that provides an implementation of the Modbus protocol. It runs on Linux, Windows, FreeBSD, OS X, and QNX, and it is widely used in embedded devices.

Attackers can trigger the exploit by invoking the modbus_write_bits(3) function (which implements the Modbus Write Multiple Coils protocol call) while specifying a large number of coils to be written. Since the code takes this parameter from the network packet without checking it for validity against the length of the provided payload, the attackers can specify a large enough number to cause memory overwrites. Memory contents directly following the payload will be saved to Modbus coils. These contents can be later read out using the modbus_read_bits() function. This results in a memory exfiltration vulnerability, exposing arbitrary memory contents.

The attacker must be on the same network segment as the target device, limiting the potential for this attack.

The library implementation of the modbus_reply() function of module src/modbus.c module does not properly check that the number of registers/coils to be written corresponds to the size of the provided payload data.

The original exploit was developed by JFrog researches, using smart fuzzing on the library compiled separately from the rest of the code. There is another CVE (CVE-2019-14463) for this library, for the modbus_write_registers function.

The official solution fixes the bug by adding code to check for the correspondence between the number of the registers/coils to be written and the data provided in the payload.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

NVD

NVD

< Back