ID

VAR-201904-1023


CVE

CVE-2019-10955


TITLE

plural Rockwell Automation Open redirect vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-004245

DESCRIPTION

In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versions Series B, v15.002 and earlier, MicroLogix 1100 Controllers v14.00 and earlier, CompactLogix 5370 L1 controllers v30.014 and earlier, CompactLogix 5370 L2 controllers v30.014 and earlier, CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and earlier, an open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine. plural Rockwell Automation The product contains an open redirect vulnerability.Information may be obtained and information may be altered. Rockwell Automation MicroLogix 1400 Controllers Series A are all programmable logic controllers from Rockwell Automation. An input validation error vulnerability exists in several Rockwell Automation products that originated from a network system or product that did not properly validate the input data. An attacker exploiting a vulnerability can build a well-designed URI and entice a user to follow it. When a victim tracks a link, they may be redirected to an attacker-controlled site to aid in phishing attacks. Other attacks are possible

Trust: 2.7

sources: NVD: CVE-2019-10955 // JVNDB: JVNDB-2019-004245 // CNVD: CNVD-2019-14396 // BID: 108049 // IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3 // VULHUB: VHN-142553

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3 // CNVD: CNVD-2019-14396

AFFECTED PRODUCTS

vendor:rockwellautomationmodel:compactlogix 5370 l1scope:lteversion:30.014

Trust: 1.0

vendor:rockwellautomationmodel:micrologix 1100scope:lteversion:14.00

Trust: 1.0

vendor:rockwellautomationmodel:micrologix 1400 bscope:lteversion:15.002

Trust: 1.0

vendor:rockwellautomationmodel:compactlogix 5370 l3scope:lteversion:30.014

Trust: 1.0

vendor:rockwellautomationmodel:micrologix 1400 ascope:eqversion:*

Trust: 1.0

vendor:rockwellautomationmodel:compactlogix 5370 l2scope:lteversion:30.014

Trust: 1.0

vendor:rockwellmodel:automation micrologix controllersscope:eqversion:110014.00

Trust: 0.9

vendor:rockwellmodel:automation compactlogix l3scope:eqversion:537030.014

Trust: 0.9

vendor:rockwellmodel:automation compactlogix l2scope:eqversion:537030.014

Trust: 0.9

vendor:rockwellmodel:automation compactlogix l1scope:eqversion:537030.014

Trust: 0.9

vendor:rockwell automationmodel:compactlogix 5370 l1scope:lteversion:30.014

Trust: 0.8

vendor:rockwell automationmodel:compactlogix 5370 l2scope:lteversion:30.014

Trust: 0.8

vendor:rockwell automationmodel:compactlogix 5370 l3scope:lteversion:30.014

Trust: 0.8

vendor:rockwell automationmodel:micrologix 1100scope:lteversion:14.00

Trust: 0.8

vendor:rockwell automationmodel:micrologix 1400 ascope: - version: -

Trust: 0.8

vendor:rockwell automationmodel:micrologix 1400 bscope:lteversion:15.002

Trust: 0.8

vendor:rockwellmodel:automation micrologix controllers series bscope:eqversion:140015.002

Trust: 0.6

vendor:rockwellmodel:automation micrologix controllers series ascope:eqversion:1400

Trust: 0.6

vendor:rockwallmodel:automation micrologix controllers series bscope:eqversion:140015.002

Trust: 0.3

vendor:rockwallmodel:automation micrologix controllers series ascope:eqversion:14000

Trust: 0.3

vendor:micrologix 1400 amodel: - scope:eqversion:*

Trust: 0.2

vendor:micrologix 1400 bmodel: - scope:eqversion:*

Trust: 0.2

vendor:micrologix 1100model: - scope:eqversion:*

Trust: 0.2

vendor:compactlogix 5370 l1model: - scope:eqversion:*

Trust: 0.2

vendor:compactlogix 5370 l2model: - scope:eqversion:*

Trust: 0.2

vendor:compactlogix 5370 l3model: - scope:eqversion:*

Trust: 0.2

sources: IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3 // CNVD: CNVD-2019-14396 // BID: 108049 // JVNDB: JVNDB-2019-004245 // NVD: CVE-2019-10955

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10955
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-10955
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-14396
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201904-1053
value: MEDIUM

Trust: 0.6

IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3
value: MEDIUM

Trust: 0.2

VULHUB: VHN-142553
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10955
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-14396
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-142553
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10955
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3 // CNVD: CNVD-2019-14396 // VULHUB: VHN-142553 // JVNDB: JVNDB-2019-004245 // CNNVD: CNNVD-201904-1053 // NVD: CVE-2019-10955

PROBLEMTYPE DATA

problemtype:CWE-601

Trust: 1.9

sources: VULHUB: VHN-142553 // JVNDB: JVNDB-2019-004245 // NVD: CVE-2019-10955

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-1053

TYPE

Input validation error

Trust: 1.1

sources: IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3 // BID: 108049 // CNNVD: CNNVD-201904-1053

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004245

PATCH

title:Top Pageurl:https://www.rockwellautomation.com/site-selection.html

Trust: 0.8

title:Multiple Rockwell Automation products enter patches for validation error vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/161289

Trust: 0.6

title:Multiple Rockwell Automation Product input verification error vulnerability fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91903

Trust: 0.6

sources: CNVD: CNVD-2019-14396 // JVNDB: JVNDB-2019-004245 // CNNVD: CNNVD-201904-1053

EXTERNAL IDS

db:NVDid:CVE-2019-10955

Trust: 3.6

db:ICS CERTid:ICSA-19-113-01

Trust: 3.4

db:BIDid:108049

Trust: 2.6

db:CNNVDid:CNNVD-201904-1053

Trust: 0.9

db:CNVDid:CNVD-2019-14396

Trust: 0.8

db:JVNDBid:JVNDB-2019-004245

Trust: 0.8

db:AUSCERTid:ESB-2019.1385

Trust: 0.6

db:IVDid:97035CB3-C916-4F33-BE89-AC33B1BBE2A3

Trust: 0.2

db:VULHUBid:VHN-142553

Trust: 0.1

sources: IVD: 97035cb3-c916-4f33-be89-ac33b1bbe2a3 // CNVD: CNVD-2019-14396 // VULHUB: VHN-142553 // BID: 108049 // JVNDB: JVNDB-2019-004245 // CNNVD: CNNVD-201904-1053 // NVD: CVE-2019-10955

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-19-113-01

Trust: 3.4

url:https://www.securityfocus.com/bid/108049

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-10955

Trust: 1.4

url:https://www.rockwellautomation.com/en_in/overview.page

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10955

Trust: 0.8

url:https://www.auscert.org.au/bulletins/79558

Trust: 0.6

sources: CNVD: CNVD-2019-14396 // VULHUB: VHN-142553 // BID: 108049 // JVNDB: JVNDB-2019-004245 // CNNVD: CNNVD-201904-1053 // NVD: CVE-2019-10955

CREDITS

Josiah Bryan and Geancarlo Palavicini,Josiah Bryan and Geancarlo Palavicini reported this vulnerability to NCCIC.

Trust: 0.6

sources: CNNVD: CNNVD-201904-1053

SOURCES

db:IVDid:97035cb3-c916-4f33-be89-ac33b1bbe2a3
db:CNVDid:CNVD-2019-14396
db:VULHUBid:VHN-142553
db:BIDid:108049
db:JVNDBid:JVNDB-2019-004245
db:CNNVDid:CNNVD-201904-1053
db:NVDid:CVE-2019-10955

LAST UPDATE DATE

2024-08-14T14:56:52.164000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-14396date:2019-05-15T00:00:00
db:VULHUBid:VHN-142553date:2020-02-10T00:00:00
db:BIDid:108049date:2019-04-23T00:00:00
db:JVNDBid:JVNDB-2019-004245date:2019-05-29T00:00:00
db:CNNVDid:CNNVD-201904-1053date:2020-02-12T00:00:00
db:NVDid:CVE-2019-10955date:2020-02-10T21:49:28.683

SOURCES RELEASE DATE

db:IVDid:97035cb3-c916-4f33-be89-ac33b1bbe2a3date:2019-05-15T00:00:00
db:CNVDid:CNVD-2019-14396date:2019-05-15T00:00:00
db:VULHUBid:VHN-142553date:2019-04-25T00:00:00
db:BIDid:108049date:2019-04-23T00:00:00
db:JVNDBid:JVNDB-2019-004245date:2019-05-29T00:00:00
db:CNNVDid:CNNVD-201904-1053date:2019-04-23T00:00:00
db:NVDid:CVE-2019-10955date:2019-04-25T18:29:00.397