CVE-2022-34761

7.5 HIGH

📋 TL;DR

A NULL pointer dereference vulnerability in Schneider Electric's X80 advanced RTU and OPC UA Modicon communication modules allows attackers to cause denial of service by sending malformed JSON content to the web server. This affects industrial control systems using these specific communication modules, potentially disrupting operational technology networks.

💻 Affected Systems

Products:
  • X80 advanced RTU Communication Module (BMENOR2200H)
  • OPC UA Modicon Communication Module (BMENUA0100)
Versions: BMENOR2200H: V2.01 and later; BMENUA0100: V1.10 and prior
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web server component when processing JSON content type requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service of the web server component, disrupting communication and monitoring capabilities in industrial control systems, potentially affecting operational continuity.

🟠 Likely Case: Temporary web server crash requiring manual restart, causing brief loss of web-based monitoring and configuration access.

🟢 If Mitigated: Minimal impact with proper network segmentation and input validation controls in place.

🌐 Internet-Facing: HIGH if devices are directly exposed to the internet without proper segmentation, as the vulnerability can be triggered remotely via network requests.
🏢 Internal Only: MEDIUM for internal OT networks, as attackers would need internal access but could still disrupt operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted JSON content to the vulnerable web server endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-01_OPC_UA_X80_Advanced_RTU_Modicon_Communication_Modules+_Security_Notification.pdf

Restart Required: Yes

Instructions:

1. Download the firmware update from the Schneider Electric portal.
2. Follow the vendor's firmware update procedure for the affected modules.
3. Restart devices after the update.

🔧 Temporary Workarounds

Network Segmentation

Isolate affected devices in separate network segments with strict access controls.

Input Validation

Implement network-level JSON content validation using firewalls or web application firewalls.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to web server ports
  • Monitor for abnormal JSON payloads and web server restart events

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected versions listed in vendor advisory.

Check Version:

Consult device documentation for version check command (typically via web interface or serial console).

Verify Fix Applied:

Verify firmware version has been updated to patched version and test JSON parsing functionality.

📡 Detection & Monitoring

Log Indicators:

  • Web server crash logs
  • Unexpected restarts of communication module services
  • Failed JSON parsing errors

Network Indicators:

  • Unusual JSON payloads sent to device web ports
  • Multiple connection attempts to web server

SIEM Query:

source="device_logs" AND (event="crash" OR event="restart") AND process="webserver"
