Insufficient input validation in the libmodbus library allows unprivileged attackers on the local network to leak server memory by sending simple crafted Modbus packets.
libmodbus [3.0.0,3.0.7), fixed on 3.0.7
libmodbus [3.1.0,3.1.5), fixed on 3.1.5
Attackers trigger the issue by sending a Write Multiple Registers request (Modbus function code 0x10, the request that the client-side modbus_write_registers(3) function emits) that declares a large number of registers to be written. The server-side handler takes this register count from the packet without checking it against the length of the payload actually received, so it reads past the end of the request data and stores whatever memory follows the payload into the Modbus holding registers. Those registers can then be read back with an ordinary Read Holding Registers request (modbus_read_registers()). The result is a memory exfiltration vulnerability that exposes the memory contents directly following the received packet.
The attacker must be on the same network segment as the target device, which limits the exposure to this attack.
The implementation of the modbus_reply() function in src/modbus.c does not check that the number of registers/coils to be written matches the size of the provided payload data.
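The following added example is a self-contained model written for this page; it is not code from libmodbus or from the JFrog researchers. It assumes only the standard Modbus PDU layout for Write Multiple Registers (function code 0x10: start address, register count, byte count, data) and Read Holding Registers (function code 0x03). The handler, the receive buffer, the 64-entry register table and the crafted request are constructed for the demonstration. With check_payload == 0 the handler trusts the register count and copies beyond the bytes that arrived, so the 0xEE marker bytes placed after the packet land in the register table and can be read back; with check_payload == 1 the byte-count field and the received length are validated first, which is the shape of the fix, and the request is rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FC_WRITE_MULTIPLE_REGISTERS 0x10
#define FC_READ_HOLDING_REGISTERS   0x03
#define MAX_WRITE_REGISTERS 123   /* same limit as libmodbus' MODBUS_MAX_WRITE_REGISTERS */
#define NB_REGISTERS 64           /* size of the model's holding-register table */
#define RX_SIZE 64                /* receive buffer; bytes past the request stand in for adjacent memory */

static uint16_t tab_registers[NB_REGISTERS]; /* server state, like mb_mapping->tab_registers */
static uint8_t rx[RX_SIZE];

/* Handle a Write Multiple Registers PDU:
 *   [fc][addr hi][addr lo][qty hi][qty lo][byte count][qty*2 data bytes]
 * Returns the number of registers written, or -1 if the request is rejected.
 * With check_payload == 0 it behaves like the flawed handler: the register
 * count is trusted and data is read without regard to how many bytes arrived. */
int handle_write_registers(const uint8_t *req, size_t req_len, int check_payload)
{
    if (req_len < 6 || req[0] != FC_WRITE_MULTIPLE_REGISTERS)
        return -1;
    int address  = (req[1] << 8) | req[2];
    int nb       = (req[3] << 8) | req[4];
    int nb_bytes = req[5];

    /* These two checks bound the destination only; they do not protect the source. */
    if (nb < 1 || nb > MAX_WRITE_REGISTERS)
        return -1;
    if (address + nb > NB_REGISTERS)
        return -1;

    /* The missing check: the received payload must cover the claimed registers. */
    if (check_payload && (nb_bytes != nb * 2 || req_len < (size_t)6 + (size_t)nb_bytes))
        return -1;

    for (int i = 0, j = 6; i < nb; i++, j += 2)
        tab_registers[address + i] = (uint16_t)((req[j] << 8) | req[j + 1]);
    return nb;
}

/* Build a Read Holding Registers response so the leak can be observed the way a
 * client would: [fc][byte count][nb*2 data bytes]. Returns the response length. */
int build_read_registers_response(int address, int nb, uint8_t *out, size_t out_cap)
{
    if (nb < 1 || address + nb > NB_REGISTERS || out_cap < (size_t)2 + (size_t)nb * 2)
        return -1;
    out[0] = FC_READ_HOLDING_REGISTERS;
    out[1] = (uint8_t)(nb * 2);
    for (int i = 0; i < nb; i++) {
        out[2 + 2 * i] = (uint8_t)(tab_registers[address + i] >> 8);
        out[3 + 2 * i] = (uint8_t)(tab_registers[address + i] & 0xFF);
    }
    return 2 + nb * 2;
}

/* Constructed attack: the request claims 8 registers but carries only 2 (4 bytes).
 * Memory after the packet is filled with 0xEE so it is recognisable when leaked. */
int run_attack(int check_payload)
{
    static const uint8_t req[] = { FC_WRITE_MULTIPLE_REGISTERS,
                                   0x00, 0x00,   /* start address 0 */
                                   0x00, 0x08,   /* claims 8 registers */
                                   0x04,         /* but only 4 data bytes follow */
                                   0x11, 0x22, 0x33, 0x44 };
    memset(tab_registers, 0, sizeof tab_registers);
    memset(rx, 0xEE, sizeof rx);           /* constructed "adjacent memory" marker */
    memcpy(rx, req, sizeof req);
    return handle_write_registers(rx, sizeof req, check_payload);
}

uint16_t read_register(int address) { return tab_registers[address]; }

int main(void)
{
    uint8_t resp[32];
    int n = run_attack(0);
    int len = build_read_registers_response(0, 3, resp, sizeof resp);
    printf("flawed handler accepted %d registers; read-back of 3 registers:", n);
    for (int i = 0; i < len; i++) printf(" %02x", resp[i]);
    printf("\nhardened handler result: %d\n", run_attack(1));
    return 0;
}
```

The two destination checks (register count limit and mapping bounds) are the ones that protect the register table; they say nothing about how many bytes the request actually contained, which is exactly the gap the crafted packet exploits. Registers 2 through 7 end up holding 0xEEEE, the marker standing in for whatever followed the packet in the server's memory.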
The original exploit was developed by JFrog researchers, using smart fuzzing on the library compiled separately from the rest of the code. There is another CVE (CVE-2019-14462) for this library, for the
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue