Details of VAR-201905-1077

ID

VAR-201905-1077

CVE

CVE-2019-10924

TITLE

LOGO! Soft Comfort Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-004560

DESCRIPTION

A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.3). The vulnerability could allow an attacker to execute arbitrary code if the attacker tricks a legitimate user to open a manipulated project. In order to exploit the vulnerability, a valid user must open a manipulated project file. No further privileges are required on the target system. The vulnerability could compromise the confidentiality, integrity and availability of the engineering station. At the time of advisory publication no public exploitation of this security vulnerability was known. LOGO! Soft Comfort Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 1.89

sources: NVD: CVE-2019-10924 // JVNDB: JVNDB-2019-004560 // BID: 108368

AFFECTED PRODUCTS

vendor:	siemens	model:	logo\! soft comfort	scope:	lt	version:	8.3	Trust: 1.0
vendor:	siemens	model:	logo! soft comfort	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	8.2	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	8.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	7.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	6.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	5.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	4.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	3.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	2.0	Trust: 0.3
vendor:	siemens	model:	logo! soft comfort	scope:	eq	version:	1.0	Trust: 0.3

sources: BID: 108368 // JVNDB: JVNDB-2019-004560 // NVD: CVE-2019-10924

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10924
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-10924
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201905-602
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2019-10924
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2019-10924
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-10924
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2019-004560 // CNNVD: CNNVD-201905-602 // NVD: CVE-2019-10924

PROBLEMTYPE DATA

problemtype:	CWE-502	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.8

sources: JVNDB: JVNDB-2019-004560 // NVD: CVE-2019-10924

THREAT TYPE

local

Trust: 0.9

sources: BID: 108368 // CNNVD: CNNVD-201905-602

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201905-602

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004560

PATCH

title:

SSA-102144

url:

https://cert-portal.siemens.com/productcert/pdf/ssa-102144.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2019-004560

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10924	Trust: 2.7
db:	BID	id:	108368	Trust: 1.9
db:	ICS CERT	id:	ICSA-19-134-03	Trust: 1.7
db:	SIEMENS	id:	SSA-102144	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-004560	Trust: 0.8
db:	ICS CERT	id:	ICSA-19-134-02	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.1716.2	Trust: 0.6
db:	CNNVD	id:	CNNVD-201905-602	Trust: 0.6

sources: BID: 108368 // JVNDB: JVNDB-2019-004560 // CNNVD: CNNVD-201905-602 // NVD: CVE-2019-10924

REFERENCES

url:	http://www.securityfocus.com/bid/108368	Trust: 2.8
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-102144.pdf	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10924	Trust: 1.4
url:	http://subscriber.communications.siemens.com/	Trust: 0.9
url:	https://ics-cert.us-cert.gov/advisories/icsa-19-134-03	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10924	Trust: 0.8
url:	https://www.us-cert.gov/ics/advisories/icsa-19-134-03	Trust: 0.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-19-134-02-0	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-19-134-03	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/80946	Trust: 0.6

sources: BID: 108368 // JVNDB: JVNDB-2019-004560 // CNNVD: CNNVD-201905-602 // NVD: CVE-2019-10924

CREDITS

axt working with iDefense Labs reported this vulnerability to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-201905-602

SOURCES

db:	BID	id:	108368
db:	JVNDB	id:	JVNDB-2019-004560
db:	CNNVD	id:	CNNVD-201905-602
db:	NVD	id:	CVE-2019-10924

LAST UPDATE DATE

2024-11-23T21:37:17.110000+00:00

SOURCES UPDATE DATE

db:	BID	id:	108368	date:	2019-05-14T00:00:00
db:	JVNDB	id:	JVNDB-2019-004560	date:	2019-07-08T00:00:00
db:	CNNVD	id:	CNNVD-201905-602	date:	2020-12-15T00:00:00
db:	NVD	id:	CVE-2019-10924	date:	2024-11-21T04:20:09.860

SOURCES RELEASE DATE

db:	BID	id:	108368	date:	2019-05-14T00:00:00
db:	JVNDB	id:	JVNDB-2019-004560	date:	2019-06-04T00:00:00
db:	CNNVD	id:	CNNVD-201905-602	date:	2019-05-14T00:00:00
db:	NVD	id:	CVE-2019-10924	date:	2019-05-14T20:29:02.840