ID

VAR-201902-0122


CVE

CVE-2019-6519


TITLE

WebAccess/SCADA Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001596

DESCRIPTION

WebAccess/SCADA, Version 8.3. An improper authentication vulnerability exists that could allow an authentication bypass, allowing an attacker to upload malicious data. WebAccess/SCADA contains an authentication vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS).

Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment.

Advantech WebAccess/SCADA is prone to the following vulnerabilities:

1. Multiple authentication-bypass vulnerabilities
2. An SQL-injection vulnerability

An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions, modify the logic of SQL queries, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Trust: 2.7

sources: NVD: CVE-2019-6519 // JVNDB: JVNDB-2019-001596 // CNVD: CNVD-2019-32480 // BID: 106722 // IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff // VULHUB: VHN-157954

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff // CNVD: CNVD-2019-32480

AFFECTED PRODUCTS

vendor: advantech, model: webaccess/scada, scope: eq, version: 8.3

Trust: 1.7

vendor: advantech, model: webaccess\/scada, scope: eq, version: 8.3

Trust: 1.0

vendor: advantech, model: webaccess/scada, scope: eq, version: 8.3.4

Trust: 0.3

vendor: advantech, model: webaccess/scada, scope: eq, version: 8.3.2

Trust: 0.3

vendor: advantech, model: webaccess/scada, scope: ne, version: 8.3.5

Trust: 0.3

vendor: webaccess scada, model: -, scope: eq, version: 8.3

Trust: 0.2

sources: IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff // CNVD: CNVD-2019-32480 // BID: 106722 // JVNDB: JVNDB-2019-001596 // NVD: CVE-2019-6519

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6519
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-6519
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-32480
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201901-888
value: CRITICAL

Trust: 0.6

IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff
value: CRITICAL

Trust: 0.2

VULHUB: VHN-157954
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-6519
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-32480
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-157954
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6519
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff // CNVD: CNVD-2019-32480 // VULHUB: VHN-157954 // JVNDB: JVNDB-2019-001596 // CNNVD: CNNVD-201901-888 // NVD: CVE-2019-6519

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-157954 // JVNDB: JVNDB-2019-001596 // NVD: CVE-2019-6519

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-888

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201901-888

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001596

PATCH

title: Top Page, url: https://www.advantech.com/

Trust: 0.8

title: Patch for Advantech WebAccess/SCADA Authorization Issue Vulnerability (CNVD-2019-32480), url: https://www.cnvd.org.cn/patchInfo/show/181479

Trust: 0.6

sources: CNVD: CNVD-2019-32480 // JVNDB: JVNDB-2019-001596

EXTERNAL IDS

db: NVD, id: CVE-2019-6519

Trust: 3.6

db: ICS CERT, id: ICSA-19-024-01

Trust: 2.8

db: BID, id: 106722

Trust: 2.0

db: CNNVD, id: CNNVD-201901-888

Trust: 0.9

db: CNVD, id: CNVD-2019-32480

Trust: 0.8

db: JVNDB, id: JVNDB-2019-001596

Trust: 0.8

db: ICS CERT, id: ICSA-19-024-01T

Trust: 0.6

db: IVD, id: 3889E774-ABCC-4EE1-BF6B-535A4FBA4CFF

Trust: 0.2

db: VULHUB, id: VHN-157954

Trust: 0.1

sources: IVD: 3889e774-abcc-4ee1-bf6b-535a4fba4cff // CNVD: CNVD-2019-32480 // VULHUB: VHN-157954 // BID: 106722 // JVNDB: JVNDB-2019-001596 // CNNVD: CNNVD-201901-888 // NVD: CVE-2019-6519

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-19-024-01

Trust: 2.8

url:http://www.securityfocus.com/bid/106722

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-6519

Trust: 1.4

url:https://support.advantech.com/support/downloadsrdetail_new.aspx?sr_id=1-ms9mjv&doc_source=download

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6519

Trust: 0.8

url:https://ics-cert.us-cert.gov/advisories/icsa-19-024-01 (third party advisory; us government resource)

Trust: 0.6

url:http://www.securityfocus.com/bid/106722 (third party advisory; vdb entry)

Trust: 0.6

url:https://www.advantech.com/

Trust: 0.3

sources: CNVD: CNVD-2019-32480 // VULHUB: VHN-157954 // BID: 106722 // JVNDB: JVNDB-2019-001596 // CNNVD: CNNVD-201901-888 // NVD: CVE-2019-6519

CREDITS

Devesh Logendran from Attila Cybertech Pte. Ltd.

Trust: 0.9

sources: BID: 106722 // CNNVD: CNNVD-201901-888

SOURCES

db: IVD, id: 3889e774-abcc-4ee1-bf6b-535a4fba4cff
db: CNVD, id: CNVD-2019-32480
db: VULHUB, id: VHN-157954
db: BID, id: 106722
db: JVNDB, id: JVNDB-2019-001596
db: CNNVD, id: CNNVD-201901-888
db: NVD, id: CVE-2019-6519

LAST UPDATE DATE

2024-08-14T14:32:47.421000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-32480, date: 2019-09-21T00:00:00
db: VULHUB, id: VHN-157954, date: 2019-02-06T00:00:00
db: BID, id: 106722, date: 2019-01-24T00:00:00
db: JVNDB, id: JVNDB-2019-001596, date: 2019-03-15T00:00:00
db: CNNVD, id: CNNVD-201901-888, date: 2019-04-01T00:00:00
db: NVD, id: CVE-2019-6519, date: 2019-02-06T16:52:08.173

SOURCES RELEASE DATE

db: IVD, id: 3889e774-abcc-4ee1-bf6b-535a4fba4cff, date: 2019-09-21T00:00:00
db: CNVD, id: CNVD-2019-32480, date: 2019-09-21T00:00:00
db: VULHUB, id: VHN-157954, date: 2019-02-05T00:00:00
db: BID, id: 106722, date: 2019-01-24T00:00:00
db: JVNDB, id: JVNDB-2019-001596, date: 2019-03-15T00:00:00
db: CNNVD, id: CNNVD-201901-888, date: 2019-01-25T00:00:00
db: NVD, id: CVE-2019-6519, date: 2019-02-05T21:29:00.737