|
| 1 | +--- |
| 2 | +title: "ASEC-24-001 Vulnerabilities in ArduinoModbus Library" |
| 3 | +id: 12736735312796 |
| 4 | +--- |
| 5 | + |
| 6 | +Bulletin ID: ASEC-24-001 |
| 7 | +Date: Feb 13, 2024 |
| 8 | +Product / Component: ArduinoModbus library, Arduino Opta |
| 9 | +Affected Versions: <= 1.0.8 |
| 10 | +Fixed Version: 1.0.9 |
| 11 | + |
| 12 | +## Summary |
| 13 | + |
| 14 | +This security bulletin provides important information regarding a security update for the [ArduinoModbus](https://github.com/arduino-libraries/ArduinoModbus) library. |
| 15 | + |
| 16 | +It is important to say that this library is used in the Arduino Opta product when the user-developed firmware includes the aforementioned library to perform Modbus communication. |
| 17 | + |
| 18 | +During a security analysis, we identified that the component is impacted by the known vulnerabilities as it implements a vulnerable version of the [libmodbus](https://github.com/stephane/libmodbus) library. |
| 19 | +The indirectly inherited known vulnerabilities which affect the [ArduinoModbus](https://github.com/arduino-libraries/ArduinoModbus) component are: |
| 20 | + |
| 21 | +* [CVE-2022-0367](https://nvd.nist.gov/vuln/detail/CVE-2022-0367) |
| 22 | +* [CVE-2019-14463](https://nvd.nist.gov/vuln/detail/CVE-2019-14463) |
| 23 | + |
| 24 | +To address these vulnerabilities, we have released an updated library, which includes the required security fixes. |
| 25 | +Therefore, to maintain the security of your systems it is advised to update the [ArduinoModbus](https://github.com/arduino-libraries/ArduinoModbus) to the [1.0.9](https://github.com/arduino-libraries/ArduinoModbus/releases/tag/1.0.9) version as soon as possible. |
| 26 | + |
| 27 | +## Impact |
| 28 | + |
| 29 | +The security vulnerabilities in the affected library versions, may, under some circumstances, allow malicious actors to conduct arbitrary read/write out-of-bounds attacks, harming the confidentiality, integrity and availability of the systems which include the vulnerable library. |
| 30 | + |
| 31 | +For these reasons, we highly recommend updating to the latest library version to mitigate these risks and maintain the security of your systems. |
| 32 | + |
| 33 | +## Action Required |
| 34 | + |
| 35 | +Update the component's library to [ArduinoModbus 1.0.9](https://github.com/arduino-libraries/ArduinoModbus/releases/tag/1.0.9) or later as described by the official documentation available [here](https://www.arduino.cc/reference/en/libraries/arduinomodbus/). |
| 36 | + |
| 37 | +## Additional information |
| 38 | + |
| 39 | +For further information visit the following links: |
| 40 | + |
| 41 | +* [https://www.arduino.cc/reference/en/libraries/arduinomodbus/](https://www.arduino.cc/reference/en/libraries/arduinomodbus/) |
| 42 | +* [https://www.arduino.cc/pro/hardware-arduino-opta](https://www.arduino.cc/pro/hardware-arduino-opta) |
| 43 | +* [https://nvd.nist.gov/vuln/detail/CVE-2019-14463](https://nvd.nist.gov/vuln/detail/CVE-2019-14463) |
| 44 | +* [https://nvd.nist.gov/vuln/detail/CVE-2022-0367](https://nvd.nist.gov/vuln/detail/CVE-2022-0367) |
| 45 | +* [https://github.com/arduino-libraries/ArduinoModbus/releases/tag/1.0.9](https://github.com/arduino-libraries/ArduinoModbus/releases/tag/1.0.9) |
| 46 | + |
| 47 | +## Contact |
| 48 | + |
| 49 | +If you encounter any issues or have questions regarding this security update, please contact our security team at [security@arduino.cc](mailto:security@arduino.cc). |
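Review bot: The "Action Required" section (added line 35) tells readers only to update the library, but the Summary (added line 16) says the library ends up inside user-developed firmware on the Arduino Opta. A device already in the field therefore keeps running the vulnerable code until its firmware is rebuilt against ArduinoModbus 1.0.9 and uploaded again. Suggest stating that rebuild-and-upload step explicitly. Two smaller points in the same hunk: the header puts "Affected Versions: <= 1.0.8" next to "Product / Component: ArduinoModbus library, Arduino Opta", so it should say that the version range refers to the library and not to the Opta. The Impact paragraph (added line 29) speaks of "arbitrary read/write out-of-bounds attacks" without saying which of the two listed CVEs each part refers to, and a per-CVE sentence would help readers triage. The link text "here" on line 35 would also read better as the name of the documentation page.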