CVE-2019-14462

9.1 CRITICAL

📋 TL;DR

CVE-2019-14462 is an out-of-bounds read vulnerability in libmodbus that allows attackers to read sensitive memory contents when processing MODBUS_FC_WRITE_MULTIPLE_COILS function codes. This affects systems using vulnerable versions of libmodbus for industrial control and SCADA communications. The vulnerability could lead to information disclosure or be used as part of a larger attack chain.

💻 Affected Systems

Products:
  • libmodbus
  • Any software using libmodbus library
Versions: libmodbus versions before 3.0.7 and 3.1.x before 3.1.5
Operating Systems: Linux, Windows, Embedded systems using libmodbus
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system using libmodbus with MODBUS_FC_WRITE_MULTIPLE_COILS functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory disclosure leading to sensitive information leakage, potential system crash, or as a stepping stone for more severe attacks like remote code execution.

🟠 Likely Case

Information disclosure of adjacent memory contents, potentially exposing sensitive data or causing denial of service through application crashes.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized access to MODBUS services.

🌐 Internet-Facing: HIGH if MODBUS services are exposed to the internet without proper controls, as exploitation requires only network access.
🏢 Internal Only: MEDIUM to HIGH depending on network segmentation and access controls within industrial/OT networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted MODBUS packets to vulnerable endpoints. Public proof-of-concept code exists in the commit reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libmodbus 3.0.7 or 3.1.5

Vendor Advisory: https://libmodbus.org/2019/stable-and-development-releases/

Restart Required: Yes

Instructions:

1. Identify libmodbus version on system.
2. Update to libmodbus 3.0.7 or 3.1.5.
3. Recompile and reinstall any applications using libmodbus.
4. Restart affected services or systems.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate MODBUS services from untrusted networks using firewalls and network segmentation.

Disable Vulnerable Function (all platforms)

If possible, disable MODBUS_FC_WRITE_MULTIPLE_COILS functionality in application configuration.

🧯 If You Can't Patch

  • Implement strict network access controls to limit MODBUS traffic to authorized sources only.
  • Deploy intrusion detection systems to monitor for anomalous MODBUS traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Run ldd /path/to/application | grep modbus to find the libmodbus library the application links against, then check the version of that library file or query the package manager for the installed libmodbus version.

Check Version:

Run pkg-config --modversion libmodbus, or check the version of the library files in /usr/lib or /usr/local/lib.

Verify Fix Applied:

Verify libmodbus version is 3.0.7 or higher for 3.0.x branch, or 3.1.5 or higher for 3.1.x branch.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or abnormal termination when processing MODBUS requests
  • Error logs mentioning out-of-bounds access or memory violations

Network Indicators:

  • Unusual MODBUS traffic patterns, especially WRITE_MULTIPLE_COILS function codes with malformed parameters
  • Traffic from unexpected sources to MODBUS ports (typically TCP/502)
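
One way to turn the "malformed parameters" indicator above into a concrete check, as an added example (not libmodbus code and not part of the advisory): a C function that validates a Modbus/TCP Write Multiple Coils (function code 15) request against the field layout in the Modbus specification and flags frames whose declared quantity, byte count and actual length disagree. The function, enum and frame names are hypothetical, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum wmc_verdict { WMC_OK, WMC_NOT_FC15, WMC_TRUNCATED, WMC_BAD_MBAP,
                   WMC_BAD_QUANTITY, WMC_BAD_BYTE_COUNT, WMC_LENGTH_MISMATCH };

/* Big-endian 16-bit read; the caller guarantees p[0..1] is in bounds. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one Modbus/TCP request frame (7-byte MBAP header + PDU). */
enum wmc_verdict check_write_multiple_coils(const uint8_t *f, size_t len)
{
    if (len < 8) return WMC_TRUNCATED;          /* MBAP + function code */
    if (be16(f + 2) != 0) return WMC_BAD_MBAP;  /* protocol id is 0 for Modbus */
    if (f[7] != 0x0F) return WMC_NOT_FC15;      /* only FC 15 is inspected */
    if (len < 13) return WMC_TRUNCATED;         /* address, quantity, byte count */

    uint16_t mbap_len = be16(f + 4);            /* bytes following the length field */
    uint16_t qty = be16(f + 10);                /* number of coils to write */
    uint8_t byte_count = f[12];                 /* declared size of coil data */

    if (qty < 1 || qty > 0x07B0) return WMC_BAD_QUANTITY;   /* spec range 1..1968 */
    if (byte_count != (qty + 7) / 8) return WMC_BAD_BYTE_COUNT;
    /* The declared coil data must be exactly what the frame carries. */
    if (len != 13u + byte_count || mbap_len != 7u + byte_count)
        return WMC_LENGTH_MISMATCH;
    return WMC_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t frame_ok[] = { 0x00,0x01, 0x00,0x00, 0x00,0x09, 0x01,
    0x0F, 0x00,0x13, 0x00,0x0A, 0x02, 0xCD,0x01 };   /* 10 coils, 2 data bytes */
static const uint8_t frame_short[] = { 0x00,0x02, 0x00,0x00, 0x00,0x08, 0x01,
    0x0F, 0x00,0x00, 0x00,0x40, 0x08, 0xFF };        /* declares 8 bytes, carries 1 */
static const uint8_t frame_count[] = { 0x00,0x03, 0x00,0x00, 0x00,0x08, 0x01,
    0x0F, 0x00,0x00, 0x00,0x0A, 0x01, 0xFF };        /* 10 coils need 2 bytes, says 1 */

int main(void)
{
    printf("ok=%d short=%d count=%d\n",
           check_write_multiple_coils(frame_ok, sizeof frame_ok),
           check_write_multiple_coils(frame_short, sizeof frame_short),
           check_write_multiple_coils(frame_count, sizeof frame_count));
    return 0;
}
```

Any verdict other than WMC_OK or WMC_NOT_FC15 is worth logging with the source address, since a conforming client does not produce such frames.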

SIEM Query:

dest_port=502 AND (function_code=15 OR abnormal_packet_size)
