Details of VAR-201904-0175

ID

VAR-201904-0175

CVE

CVE-2019-6570

TITLE

Siemens SINEMA Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: 7372e208-26d9-4cfc-93cd-b8e76b594c46 // CNVD: CNVD-2019-10133

DESCRIPTION

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Due to insufficient checking of user permissions, an attacker may access URLs that require special authorization. An attacker must have access to a low privileged account in order to exploit the vulnerability. SINEMA Remote Connect Server Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Siemens is a leading global technology company that provides solutions to customers in the areas of power generation and transmission and distribution, infrastructure, industrial automation, drive and software with innovation in electrification, automation and digital. Siemens SINEMA has an unauthorized access vulnerability that an attacker can use to gain unauthorized access and perform unauthorized actions. This may aid in further attacks. An attacker could use the vulnerability to compromise confidentiality, integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known. The platform supports efficient and secure remote access to machines and equipment distributed around the world, as well as secure management of VPN tunnels between control centers, service engineers and installed equipment. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products

Trust: 2.79

sources: NVD: CVE-2019-6570 // JVNDB: JVNDB-2019-003470 // CNVD: CNVD-2019-10133 // BID: 107843 // IVD: 7372e208-26d9-4cfc-93cd-b8e76b594c46 // VULHUB: VHN-158005 // VULMON: CVE-2019-6570

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 7372e208-26d9-4cfc-93cd-b8e76b594c46 // CNVD: CNVD-2019-10133

AFFECTED PRODUCTS

vendor:	siemens	model:	sinema remote connect server	scope:	lt	version:	2.0	Trust: 1.8
vendor:	siemens	model:	sinema remote connect server	scope:	lt	version:	1.2	Trust: 0.6
vendor:	siemens	model:	sinema remote connect server	scope:	eq	version:	1.2	Trust: 0.3
vendor:	siemens	model:	sinema remote connect server	scope:	ne	version:	2.0	Trust: 0.3
vendor:	sinema remote connect server	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 7372e208-26d9-4cfc-93cd-b8e76b594c46 // CNVD: CNVD-2019-10133 // BID: 107843 // JVNDB: JVNDB-2019-003470 // NVD: CVE-2019-6570

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6570
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6570
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-10133
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201904-466
value:	HIGH
Trust: 0.6
IVD:	7372e208-26d9-4cfc-93cd-b8e76b594c46
value:	HIGH
Trust: 0.2
VULHUB:	VHN-158005
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-6570
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-6570
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-10133
severity:	HIGH
baseScore:	9.7
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	9.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7372e208-26d9-4cfc-93cd-b8e76b594c46
severity:	HIGH
baseScore:	9.7
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	9.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-158005
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6570
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6570
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 7372e208-26d9-4cfc-93cd-b8e76b594c46 // CNVD: CNVD-2019-10133 // VULHUB: VHN-158005 // VULMON: CVE-2019-6570 // JVNDB: JVNDB-2019-003470 // CNNVD: CNNVD-201904-466 // NVD: CVE-2019-6570

PROBLEMTYPE DATA

problemtype:	CWE-863	Trust: 1.1
problemtype:	CWE-280	Trust: 1.0
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-158005 // JVNDB: JVNDB-2019-003470 // NVD: CVE-2019-6570

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-466

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201904-466

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003470

PATCH

title:	SSA-436177	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf	Trust: 0.8
title:	Siemens SINEMA Unauthorized Access Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/158809	Trust: 0.6
title:	Haxx libcurl Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91294	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=8a056bd2177d12192b11798b7ac3e013	Trust: 0.1

sources: CNVD: CNVD-2019-10133 // VULMON: CVE-2019-6570 // JVNDB: JVNDB-2019-003470 // CNNVD: CNNVD-201904-466

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6570	Trust: 3.7
db:	SIEMENS	id:	SSA-436177	Trust: 2.7
db:	ICS CERT	id:	ICSA-19-099-04	Trust: 1.8
db:	BID	id:	107843	Trust: 1.7
db:	CNNVD	id:	CNNVD-201904-466	Trust: 0.9
db:	CNVD	id:	CNVD-2019-10133	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-003470	Trust: 0.8
db:	AUSCERT	id:	ESB-2019.1221	Trust: 0.6
db:	IVD	id:	7372E208-26D9-4CFC-93CD-B8E76B594C46	Trust: 0.2
db:	VULHUB	id:	VHN-158005	Trust: 0.1
db:	VULMON	id:	CVE-2019-6570	Trust: 0.1

sources: IVD: 7372e208-26d9-4cfc-93cd-b8e76b594c46 // CNVD: CNVD-2019-10133 // VULHUB: VHN-158005 // VULMON: CVE-2019-6570 // BID: 107843 // JVNDB: JVNDB-2019-003470 // CNNVD: CNNVD-201904-466 // NVD: CVE-2019-6570

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf	Trust: 2.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6570	Trust: 1.4
url:	https://ics-cert.us-cert.gov/advisories/icsa-19-099-04	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6570	Trust: 0.8
url:	https://www.us-cert.gov/ics/advisories/icsa-19-099-04	Trust: 0.8
url:	https://www.securityfocus.com/bid/107843	Trust: 0.7
url:	https://us-cert.cisa.gov/ics/advisories/icsa-19-099-04	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/78786	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/280.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2019-10133 // VULHUB: VHN-158005 // VULMON: CVE-2019-6570 // BID: 107843 // JVNDB: JVNDB-2019-003470 // CNNVD: CNNVD-201904-466 // NVD: CVE-2019-6570

CREDITS

Siemens ProductCERT reported these vulnerabilities to NCCIC.,Siemens

Trust: 0.6

sources: CNNVD: CNNVD-201904-466

SOURCES

db:	IVD	id:	7372e208-26d9-4cfc-93cd-b8e76b594c46
db:	CNVD	id:	CNVD-2019-10133
db:	VULHUB	id:	VHN-158005
db:	VULMON	id:	CVE-2019-6570
db:	BID	id:	107843
db:	JVNDB	id:	JVNDB-2019-003470
db:	CNNVD	id:	CNNVD-201904-466
db:	NVD	id:	CVE-2019-6570

LAST UPDATE DATE

2024-08-14T12:54:04.815000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-10133	date:	2019-04-17T00:00:00
db:	VULHUB	id:	VHN-158005	date:	2020-10-06T00:00:00
db:	VULMON	id:	CVE-2019-6570	date:	2021-03-15T00:00:00
db:	BID	id:	107843	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003470	date:	2019-07-08T00:00:00
db:	CNNVD	id:	CNNVD-201904-466	date:	2021-03-19T00:00:00
db:	NVD	id:	CVE-2019-6570	date:	2021-03-15T18:15:16.457

SOURCES RELEASE DATE

db:	IVD	id:	7372e208-26d9-4cfc-93cd-b8e76b594c46	date:	2019-04-17T00:00:00
db:	CNVD	id:	CNVD-2019-10133	date:	2019-04-17T00:00:00
db:	VULHUB	id:	VHN-158005	date:	2019-04-17T00:00:00
db:	VULMON	id:	CVE-2019-6570	date:	2019-04-17T00:00:00
db:	BID	id:	107843	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003470	date:	2019-05-17T00:00:00
db:	CNNVD	id:	CNNVD-201904-466	date:	2019-04-09T00:00:00
db:	NVD	id:	CVE-2019-6570	date:	2019-04-17T14:29:03.730