JFrog Security Research


CVE-2019-14463 | CVSS 9.1

JFrog Severity:critical

Published 31 Jul. 2019 | Last updated 31 Jul. 2019

Insufficient input validation in the libmodbus library allows unprivileged local network attackers to cause data leakage by sending simple crafted packets.


libmodbus [3.0.0,3.0.7), fixed on 3.0.7

libmodbus [3.1.0,3.1.5), fixed on 3.1.5

libmodbus is a C library that provides an implementation of the Modbus protocol. It runs on Linux, Windows, FreeBSD, OS X, and QNX, and it is widely used in embedded devices.

Attackers can trigger the exploit by invoking the modbus_write_registers(3) function (which implements the Modbus Write Multiple Registers protocol call) while specifying a large number of registers to be written. Since the code takes this parameter from the network packet without checking it for validity against the length of the provided payload, the attackers can specify a large enough number to cause memory overwrites. Memory contents directly following the payload will be saved to Modbus register units. These contents can be later read out using the modbus_read_registers() function. This results in a memory exfiltration vulnerability, exposing arbitrary memory contents.

The attacker must be on the same network segment as the target device, limiting the potential for this attack.

The library implementation of the modbus_reply() function of module src/modbus.c module does not check properly that the number of registers/coils to be written corresponds to the the size of the provided payload data.

The original exploit was developed by JFrog researches, using smart fuzzing on the library compiled separately from the rest of the code. There is another CVE (CVE-2019-14462) for this library, for the modbus_write_bits function.

The official solution (see commits 1 and 2) fixes the bug by adding code to check for the correspondence between the number of the registers to be written and the data provided in the payload.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue