Raheem Beyah

**Name of the Vulnerable Software and Affected Versions** Modicon M580 versions prior to V2.30 Modicon M340 (affected versions not specified) Modicon Premium (affected versions not specified) Modicon Quantum (affected versions not specified) **Description** The issue is related to the use of insufficiently random values, which could allow a remote attacker to hijack TCP connections when using Ethernet communication. **Recommendations** For Modicon M580 versions prior to V2.30, update to version V2.30 or later. For Modicon M340, Modicon Premium, and Modicon Quantum, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Modicon M221 versions prior to 1.5.0.0 Schneider Electric Modicon M241 versions prior to 4.0.5.11 Schneider Electric Modicon M251 versions prior to 4.0.5.11 **Description** A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs. The affected products generate insufficiently random TCP initial sequence numbers, which may allow an attacker to predict the numbers from previous values. This could enable an attacker to spoof or disrupt TCP connections. **Recommendations** For Schneider Electric Modicon M221 versions prior to 1.5.0.0, update to version 1.5.0.0 or later. For Schneider Electric Modicon M241 versions prior to 4.0.5.11, update to version 4.0.5.11 or later. For Schneider Electric Modicon M251 versions prior to 4.0.5.11, update to version 4.0.5.11 or later.

**Name of the Vulnerable Software and Affected Versions** Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers versions 16.00 and prior Rockwell Automation Allen-Bradley MicroLogix 1400 programmable logic controllers versions 16.00 and prior **Description** An issue with improper restriction of excessive authentication attempts was found, allowing for repeated entry of incorrect passwords without penalties. **Recommendations** For Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers versions 16.00 and prior, consider implementing additional authentication measures to restrict excessive login attempts until a patch is available. For Rockwell Automation Allen-Bradley MicroLogix 1400 programmable logic controllers versions 16.00 and prior, consider implementing additional authentication measures to restrict excessive login attempts until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers versions 16.00 and prior Rockwell Automation Allen-Bradley MicroLogix 1400 programmable logic controllers versions 16.00 and prior **Description** A "Reusing a Nonce, Key Pair in Encryption" issue was discovered, where the affected product reuses nonces. This may allow an attacker to capture and replay a valid request until the nonce is changed. **Recommendations** For Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers versions 16.00 and prior, update to a version later than 16.00 to resolve the issue. For Rockwell Automation Allen-Bradley MicroLogix 1400 programmable logic controllers versions 16.00 and prior, update to a version later than 16.00 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Modicon M241 versions all firmware versions Modicon M251 versions all firmware versions **Description** An issue was discovered where log-in credentials are sent over the network with Base64 encoding, leaving them susceptible to sniffing. Sniffed credentials could then be used to log into the web application. This issue is related to insufficient protection of credentials, which could allow a remote attacker to intercept credentials and gain access to the web application. **Recommendations** For Modicon M241, consider implementing additional security measures to protect log-in credentials, such as encryption or secure transmission protocols, until a patch is available. For Modicon M251, restrict access to the web application and consider using alternative authentication methods to minimize the risk of exploitation. As a temporary workaround, consider disabling remote access to the web application for both Modicon M241 and Modicon M251 until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Telvent Sage 2300 RTUs versions prior to C3413-500-S01 Schneider Electric LANDAC II-2 RTUs versions prior to C3414-500-S02J2 Schneider Electric Sage 1410 RTUs versions prior to C3414-500-S02J2 Schneider Electric Sage 1430 RTUs versions prior to C3414-500-S02J2 Schneider Electric Sage 1450 RTUs versions prior to C3414-500-S02J2 Schneider Electric Sage 2400 RTUs versions prior to C3414-500-S02J2 Schneider Electric Sage 3030M RTUs versions prior to C3414-500-S02J2 **Description** The issue allows remote attackers to obtain sensitive information from device memory by reading a padding field of an Ethernet packet. **Recommendations** For Schneider Electric Telvent Sage 2300 RTUs versions prior to C3413-500-S01, update to firmware C3413-500-S01 or later. For Schneider Electric LANDAC II-2, Sage 1410, Sage 1430, Sage 1450, Sage 2400, and Sage 3030M RTUs versions prior to C3414-500-S02J2, update to firmware C3414-500-S02J2 or later.

**Name of the Vulnerable Software and Affected Versions** Eaton Cooper Power Systems ProView versions 4.x through 5.x before 5.1 **Description** The issue is related to the improper initialization of padding fields in Ethernet packets, which can be exploited by remote attackers to obtain sensitive information by reading packet data. **Recommendations** For versions 4.x through 5.x before 5.1, update to version 5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Siemens RUGGEDCOM ROS versions prior to 4.2.1 **Description** The issue allows remote attackers to obtain sensitive information by sniffing the network for VLAN data within the padding section of an Ethernet frame. **Recommendations** For versions prior to 4.2.1, update to version 4.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Wind River VxWorks versions prior to 5.5.1 Wind River VxWorks versions 6.5.x through 6.7.x before 6.7.1.1 Wind River VxWorks versions 6.8.x before 6.8.3 Wind River VxWorks versions 6.9.x before 6.9.4.4 Wind River VxWorks versions 7.x before 7 **Description** The issue is related to the improper generation of TCP initial sequence number (ISN) values, making it easier for remote attackers to spoof TCP sessions by predicting an ISN value. **Recommendations** For versions prior to 5.5.1, update to version 5.5.1 or later. For versions 6.5.x through 6.7.x, update to version 6.7.1.1 or later. For versions 6.8.x, update to version 6.8.3 or later. For versions 6.9.x, update to version 6.9.4.4 or later. For versions 7.x, update to a version later than 7.

**Name of the Vulnerable Software and Affected Versions** GE Digital Energy Hydran M2 versions before 94450214LFMT100SEM-L.R3-CL **Description** The issue concerns the generation of random values for TCP Initial Sequence Numbers (ISNs) in the Ethernet card. Specifically, it does not properly generate these values, making it easier for remote attackers to spoof packets by predicting the ISNs. **Recommendations** For versions before 94450214LFMT100SEM-L.R3-CL, update to version 94450214LFMT100SEM-L.R3-CL or later to resolve the issue.