Sign-up

ID

VAR-201905-1073


CVE

CVE-2019-10919


TITLE

Siemens LOGO!8 BM Access Control Error Vulnerability

Trust: 1.4

sources: IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // CNVD: CNVD-2019-17519 // CNNVD: CNNVD-201905-598

DESCRIPTION

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Attackers with access to port 10005/tcp could perform device reconfigurations and obtain project files from the devices. The system manual recommends to protect access to this port. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. LOGO!8 BM Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. LOGO!8 is Siemens' 8th generation intelligent logic controller, which is a Nano PLC in the Siemens PLC family. It simplifies the programming configuration, the integrated panel can display more content, and can be easily networked through the integrated Ethernet interface. Efficient interconnection. There is an access control error vulnerability in Siemens LOGO!8 BM. An attacker can exploit these issues to obtain sensitive information. Successful exploits may lead to other attacks. All versions of LOGO!8 BM are vulnerable. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

Trust: 2.7

sources: NVD: CVE-2019-10919 // JVNDB: JVNDB-2019-004556 // CNVD: CNVD-2019-17519 // BID: 108382 // IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // VULHUB: VHN-142513

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // CNVD: CNVD-2019-17519

AFFECTED PRODUCTS

vendor:siemensmodel:logo\!8 bmscope:ltversion:8.3

Trust: 1.0

vendor:siemensmodel:logo! 8 bmscope: - version: -

Trust: 0.8

vendor:siemensmodel:logo!8 bmscope: - version: -

Trust: 0.6

vendor:siemensmodel:logo!8 bmscope:eqversion:0

Trust: 0.3

vendor:logo 8 bmmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // CNVD: CNVD-2019-17519 // BID: 108382 // JVNDB: JVNDB-2019-004556 // NVD: CVE-2019-10919

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10919
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-10919
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-17519
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201905-598
value: CRITICAL

Trust: 0.6

IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745
value: CRITICAL

Trust: 0.2

VULHUB: VHN-142513
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-10919
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-17519
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-142513
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10919
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 5.5
version: 3.1

Trust: 1.0

NVD: CVE-2019-10919
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // CNVD: CNVD-2019-17519 // VULHUB: VHN-142513 // JVNDB: JVNDB-2019-004556 // CNNVD: CNNVD-201905-598 // NVD: CVE-2019-10919

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-142513 // JVNDB: JVNDB-2019-004556 // NVD: CVE-2019-10919

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-598

TYPE

Access control error

Trust: 0.8

sources: IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // CNNVD: CNNVD-201905-598

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-004556

PATCH
title:SSA-542701url:https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf
Trust: 0.8
title:Siemens LOGO! 8 BM Access Control Error Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/161883
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-17519 // 
            
            
            
            JVNDB: JVNDB-2019-004556

EXTERNAL IDS
db:NVDid:CVE-2019-10919
Trust: 3.6
db:SIEMENSid:SSA-542701
Trust: 2.3
db:BIDid:108382
Trust: 2.0
db:PACKETSTORMid:153123
Trust: 1.7
db:ICS CERTid:ICSA-19-134-04
Trust: 1.7
db:CNNVDid:CNNVD-201905-598
Trust: 0.9
db:CNVDid:CNVD-2019-17519
Trust: 0.8
db:JVNDBid:JVNDB-2019-004556
Trust: 0.8
db:ICS CERTid:ICSA-19-134-02
Trust: 0.6
db:AUSCERTid:ESB-2019.1716.2
Trust: 0.6
db:IVDid:01C009EB-10A0-4F9C-8E38-14EA18211745
Trust: 0.2
db:VULHUBid:VHN-142513
Trust: 0.1
sources:
            
            
            IVD: 01c009eb-10a0-4f9c-8e38-14ea18211745 // 
            
            
            
            CNVD: CNVD-2019-17519 // 
            
            
            
            VULHUB: VHN-142513 // 
            
            
            
            BID: 108382 // 
            
            
            
            JVNDB: JVNDB-2019-004556 // 
            
            
            
            CNNVD: CNNVD-201905-598 // 
            
            
            
            NVD: CVE-2019-10919

REFERENCES
url:http://www.securityfocus.com/bid/108382
Trust: 2.9
url:http://packetstormsecurity.com/files/153123/siemens-logo-8-missing-authentication.html
Trust: 2.9
url:https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf
Trust: 2.3
url:https://seclists.org/bugtraq/2019/may/73
Trust: 1.7
url:http://seclists.org/fulldisclosure/2019/may/45
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-10919
Trust: 1.4
url:http://www.siemens.com/
Trust: 0.9
url:https://ics-cert.us-cert.gov/advisories/icsa-19-134-04
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10919
Trust: 0.8
url:https://www.us-cert.gov/ics/advisories/icsa-19-134-04
Trust: 0.8
url:https://ics-cert.us-cert.gov/advisories/icsa-19-134-02-0
Trust: 0.6
url:https://us-cert.cisa.gov/ics/advisories/icsa-19-134-04
Trust: 0.6
url:https://www.auscert.org.au/bulletins/80946
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-17519 // 
            
            
            
            VULHUB: VHN-142513 // 
            
            
            
            BID: 108382 // 
            
            
            
            JVNDB: JVNDB-2019-004556 // 
            
            
            
            CNNVD: CNNVD-201905-598 // 
            
            
            
            NVD: CVE-2019-10919

CREDITS
Manuel Stotz and Matthias Deeg from SySS GmbH reported these vulnerabilities to Siemens.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201905-598

SOURCES
db:IVDid:01c009eb-10a0-4f9c-8e38-14ea18211745
db:CNVDid:CNVD-2019-17519
db:VULHUBid:VHN-142513
db:BIDid:108382
db:JVNDBid:JVNDB-2019-004556
db:CNNVDid:CNNVD-201905-598
db:NVDid:CVE-2019-10919

LAST UPDATE DATE
2024-11-23T21:37:16.817000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-17519date:2019-06-16T00:00:00
db:VULHUBid:VHN-142513date:2020-10-02T00:00:00
db:BIDid:108382date:2019-05-14T00:00:00
db:JVNDBid:JVNDB-2019-004556date:2019-07-08T00:00:00
db:CNNVDid:CNNVD-201905-598date:2020-12-15T00:00:00
db:NVDid:CVE-2019-10919date:2024-11-21T04:20:09.060

SOURCES RELEASE DATE
db:IVDid:01c009eb-10a0-4f9c-8e38-14ea18211745date:2019-06-16T00:00:00
db:CNVDid:CNVD-2019-17519date:2019-05-22T00:00:00
db:VULHUBid:VHN-142513date:2019-05-14T00:00:00
db:BIDid:108382date:2019-05-14T00:00:00
db:JVNDBid:JVNDB-2019-004556date:2019-06-04T00:00:00
db:CNNVDid:CNNVD-201905-598date:2019-05-14T00:00:00
db:NVDid:CVE-2019-10919date:2019-05-14T20:29:02.560