Sign-up

ID

VAR-201904-0177


CVE

CVE-2019-6579


TITLE

Siemens Spectrum Power Command injection vulnerability

Trust: 0.8

sources: IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954 // CNVD: CNVD-2019-12906

DESCRIPTION

A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known. Spectrum Power 4 Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SiemensSpectrumPower is a system that provides the basic components for SCADA, communication and data modeling of control and monitoring systems

Trust: 2.7

sources: NVD: CVE-2019-6579 // JVNDB: JVNDB-2019-003489 // CNVD: CNVD-2019-12906 // BID: 107830 // IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954 // VULMON: CVE-2019-6579

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954 // CNVD: CNVD-2019-12906

AFFECTED PRODUCTS

vendor:siemensmodel:spectrum power 4scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:spectrum power 4scope: - version: -

Trust: 0.8

vendor:siemensmodel:spectrum powerscope:eqversion:4

Trust: 0.6

vendor:siemensmodel:spectrum powerscope:eqversion:4.7

Trust: 0.3

vendor:spectrum power 4model: - scope:eqversion: -

Trust: 0.2

sources: IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954 // CNVD: CNVD-2019-12906 // BID: 107830 // JVNDB: JVNDB-2019-003489 // NVD: CVE-2019-6579

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6579
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-6579
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-12906
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201904-465
value: CRITICAL

Trust: 0.6

IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954
value: CRITICAL

Trust: 0.2

VULMON: CVE-2019-6579
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-6579
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-12906
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-6579
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-6579
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954 // CNVD: CNVD-2019-12906 // VULMON: CVE-2019-6579 // JVNDB: JVNDB-2019-003489 // CNNVD: CNNVD-201904-465 // NVD: CVE-2019-6579

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2019-003489 // NVD: CVE-2019-6579

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-465

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201904-465

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003489

PATCH
title:SSA-324467url:https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf
Trust: 0.8
title:Siemens Spectrum Power Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91293
Trust: 0.6
title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=734d25d8df94a8c5e8326d29effa044c
Trust: 0.1
title:Attack-Defense-Analysis-of-a-Vulnerable-Networkurl:https://github.com/ActualSalt/Attack-Defense-Analysis-of-a-Vulnerable-Network 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2019-6579 // 
            
            
            
            JVNDB: JVNDB-2019-003489 // 
            
            
            
            CNNVD: CNNVD-201904-465

EXTERNAL IDS
db:NVDid:CVE-2019-6579
Trust: 3.6
db:ICS CERTid:ICSA-19-099-02
Trust: 2.4
db:BIDid:107830
Trust: 2.0
db:SIEMENSid:SSA-324467
Trust: 2.0
db:CNVDid:CNVD-2019-12906
Trust: 0.8
db:CNNVDid:CNNVD-201904-465
Trust: 0.8
db:JVNDBid:JVNDB-2019-003489
Trust: 0.8
db:AUSCERTid:ESB-2019.1222
Trust: 0.6
db:IVDid:83791C2D-3285-4E41-A870-1D0A9C27C954
Trust: 0.2
db:VULMONid:CVE-2019-6579
Trust: 0.1
sources:
            
            
            IVD: 83791c2d-3285-4e41-a870-1d0a9c27c954 // 
            
            
            
            CNVD: CNVD-2019-12906 // 
            
            
            
            VULMON: CVE-2019-6579 // 
            
            
            
            BID: 107830 // 
            
            
            
            JVNDB: JVNDB-2019-003489 // 
            
            
            
            CNNVD: CNNVD-201904-465 // 
            
            
            
            NVD: CVE-2019-6579

REFERENCES
url:http://www.securityfocus.com/bid/107830
Trust: 2.4
url:https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf
Trust: 2.0
url:https://ics-cert.us-cert.gov/advisories/icsa-19-099-02
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2019-6579
Trust: 1.4
url:http://subscriber.communications.siemens.com/
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6579
Trust: 0.8
url:https://www.us-cert.gov/ics/advisories/icsa-19-099-02
Trust: 0.8
url:https://vigilance.fr/vulnerability/siemens-spectrum-power-code-execution-via-os-command-injection-28975
Trust: 0.6
url:https://www.auscert.org.au/bulletins/78778
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-12906 // 
            
            
            
            VULMON: CVE-2019-6579 // 
            
            
            
            BID: 107830 // 
            
            
            
            JVNDB: JVNDB-2019-003489 // 
            
            
            
            CNNVD: CNNVD-201904-465 // 
            
            
            
            NVD: CVE-2019-6579

CREDITS
Applied Risk,Applied Risk reported this vulnerability to Siemens.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201904-465

SOURCES
db:IVDid:83791c2d-3285-4e41-a870-1d0a9c27c954
db:CNVDid:CNVD-2019-12906
db:VULMONid:CVE-2019-6579
db:BIDid:107830
db:JVNDBid:JVNDB-2019-003489
db:CNNVDid:CNNVD-201904-465
db:NVDid:CVE-2019-6579

LAST UPDATE DATE
2024-11-23T23:08:25.826000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-12906date:2019-05-07T00:00:00
db:VULMONid:CVE-2019-6579date:2020-10-16T00:00:00
db:BIDid:107830date:2019-04-09T00:00:00
db:JVNDBid:JVNDB-2019-003489date:2019-07-08T00:00:00
db:CNNVDid:CNNVD-201904-465date:2020-10-19T00:00:00
db:NVDid:CVE-2019-6579date:2024-11-21T04:46:44.550

SOURCES RELEASE DATE
db:IVDid:83791c2d-3285-4e41-a870-1d0a9c27c954date:2019-05-05T00:00:00
db:CNVDid:CNVD-2019-12906date:2019-05-05T00:00:00
db:VULMONid:CVE-2019-6579date:2019-04-17T00:00:00
db:BIDid:107830date:2019-04-09T00:00:00
db:JVNDBid:JVNDB-2019-003489date:2019-05-17T00:00:00
db:CNNVDid:CNNVD-201904-465date:2019-04-09T00:00:00
db:NVDid:CVE-2019-6579date:2019-04-17T14:29:03.793