Details of VAR-201902-0123

ID

VAR-201902-0123

CVE

CVE-2019-6521

TITLE

Advantech WebAccess/SCADA Authorization Issue Vulnerability

Trust: 0.8

sources: IVD: a390dd39-1c31-478b-bff6-c1d917a3e87d // CNVD: CNVD-2019-32479

DESCRIPTION

WebAccess/SCADA, Version 8.3. Specially crafted requests could allow a possible authentication bypass that could allow an attacker to obtain and manipulate sensitive information. WebAccess/SCADA Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess/SCADA is prone to the following vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. An SQL-injection vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions, modify the logic of SQL queries, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database

Trust: 2.7

sources: NVD: CVE-2019-6521 // JVNDB: JVNDB-2019-001597 // CNVD: CNVD-2019-32479 // BID: 106722 // IVD: a390dd39-1c31-478b-bff6-c1d917a3e87d // VULHUB: VHN-157956

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: a390dd39-1c31-478b-bff6-c1d917a3e87d // CNVD: CNVD-2019-32479

AFFECTED PRODUCTS

vendor:	advantech	model:	webaccess/scada	scope:	eq	version:	8.3	Trust: 1.7
vendor:	advantech	model:	webaccess\/scada	scope:	eq	version:	8.3	Trust: 1.0
vendor:	advantech	model:	webaccess/scada	scope:	eq	version:	8.3.4	Trust: 0.3
vendor:	advantech	model:	webaccess/scada	scope:	eq	version:	8.3.2	Trust: 0.3
vendor:	advantech	model:	webaccess/scada	scope:	ne	version:	8.3.5	Trust: 0.3
vendor:	webaccess scada	model:	-	scope:	eq	version:	8.3	Trust: 0.2

sources: IVD: a390dd39-1c31-478b-bff6-c1d917a3e87d // CNVD: CNVD-2019-32479 // BID: 106722 // JVNDB: JVNDB-2019-001597 // NVD: CVE-2019-6521

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6521
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6521
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-32479
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201901-889
value:	HIGH
Trust: 0.6
IVD:	a390dd39-1c31-478b-bff6-c1d917a3e87d
value:	HIGH
Trust: 0.2
VULHUB:	VHN-157956
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-6521
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-32479
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	a390dd39-1c31-478b-bff6-c1d917a3e87d
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-157956
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6521
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	4.7
version:	3.0
Trust: 1.8

sources: IVD: a390dd39-1c31-478b-bff6-c1d917a3e87d // CNVD: CNVD-2019-32479 // VULHUB: VHN-157956 // JVNDB: JVNDB-2019-001597 // CNNVD: CNNVD-201901-889 // NVD: CVE-2019-6521

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-157956 // JVNDB: JVNDB-2019-001597 // NVD: CVE-2019-6521

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-889

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201901-889

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001597

PATCH

title:	Top Page	url:	https://www.advantech.com/	Trust: 0.8
title:	Patch for Advantech WebAccess/SCADA Authorization Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/181477	Trust: 0.6

sources: CNVD: CNVD-2019-32479 // JVNDB: JVNDB-2019-001597

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6521	Trust: 3.6
db:	ICS CERT	id:	ICSA-19-024-01	Trust: 2.8
db:	BID	id:	106722	Trust: 2.0
db:	CNNVD	id:	CNNVD-201901-889	Trust: 0.9
db:	CNVD	id:	CNVD-2019-32479	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-001597	Trust: 0.8
db:	ICS CERT	id:	ICSA-19-024-01T	Trust: 0.6
db:	IVD	id:	A390DD39-1C31-478B-BFF6-C1D917A3E87D	Trust: 0.2
db:	VULHUB	id:	VHN-157956	Trust: 0.1

sources: IVD: a390dd39-1c31-478b-bff6-c1d917a3e87d // CNVD: CNVD-2019-32479 // VULHUB: VHN-157956 // BID: 106722 // JVNDB: JVNDB-2019-001597 // CNNVD: CNNVD-201901-889 // NVD: CVE-2019-6521

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-024-01	Trust: 2.8
url:	http://www.securityfocus.com/bid/106722	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6521	Trust: 1.4
url:	https://support.advantech.com/support/downloadsrdetail_new.aspx?sr_id=1-ms9mjv&doc_source=download	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6521	Trust: 0.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-19-024-01third party advisoryus government resource	Trust: 0.6
url:	http://www.securityfocus.com/bid/106722third party advisoryvdb entry	Trust: 0.6
url:	https://www.advantech.com/	Trust: 0.3

sources: CNVD: CNVD-2019-32479 // VULHUB: VHN-157956 // BID: 106722 // JVNDB: JVNDB-2019-001597 // CNNVD: CNNVD-201901-889 // NVD: CVE-2019-6521

CREDITS

Devesh Logendran from Attila Cybertech Pte. Ltd.

Trust: 0.9

sources: BID: 106722 // CNNVD: CNNVD-201901-889

SOURCES

db:	IVD	id:	a390dd39-1c31-478b-bff6-c1d917a3e87d
db:	CNVD	id:	CNVD-2019-32479
db:	VULHUB	id:	VHN-157956
db:	BID	id:	106722
db:	JVNDB	id:	JVNDB-2019-001597
db:	CNNVD	id:	CNNVD-201901-889
db:	NVD	id:	CVE-2019-6521

LAST UPDATE DATE

2024-08-14T14:32:47.564000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-32479	date:	2019-09-21T00:00:00
db:	VULHUB	id:	VHN-157956	date:	2019-02-06T00:00:00
db:	BID	id:	106722	date:	2019-01-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-001597	date:	2019-03-15T00:00:00
db:	CNNVD	id:	CNNVD-201901-889	date:	2019-04-01T00:00:00
db:	NVD	id:	CVE-2019-6521	date:	2019-02-06T16:45:19.680

SOURCES RELEASE DATE

db:	IVD	id:	a390dd39-1c31-478b-bff6-c1d917a3e87d	date:	2019-09-21T00:00:00
db:	CNVD	id:	CNVD-2019-32479	date:	2019-09-21T00:00:00
db:	VULHUB	id:	VHN-157956	date:	2019-02-05T00:00:00
db:	BID	id:	106722	date:	2019-01-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-001597	date:	2019-03-15T00:00:00
db:	CNNVD	id:	CNNVD-201901-889	date:	2019-01-25T00:00:00
db:	NVD	id:	CVE-2019-6521	date:	2019-02-05T21:29:00.800