Sign-up

ID

VAR-201906-0217


CVE

CVE-2019-7227


TITLE

ABB PB610 IDAL FTP server Path traversal vulnerability

Trust: 0.8

sources: IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // CNVD: CNVD-2019-19479

DESCRIPTION

In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD ../" and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker. ABB IDAL FTP The server contains a path traversal vulnerability.Information may be obtained and information may be altered. ABBPB610 is a software designed by ABB of Switzerland for the graphical user interface of the CP600 control panel platform. IDALFTPserver is one of the FTP (File Transfer Protocol) servers. A path traversal vulnerability exists in IDALFTPserver in ABBPB610. The vulnerability stems from a network system or product failing to properly filter specific elements in a resource or file path. An attacker could exploit this vulnerability to access a location outside of a restricted directory. ABB PB610 Panel Builder 600 is prone to the following vulnerabilities: 1. An authentication-bypass vulnerability 2. A directory-traversal vulnerability 3. Multiple memory corruption vulnerabilities 4. A stack-based buffer-overflow vulnerability 5. Failed exploit attempts will likely cause denial-of-service conditions. ABB PB610 Panel Builder 600 version 1.91 through 2.8.0.367 are vulnerable

Trust: 2.7

sources: NVD: CVE-2019-7227 // JVNDB: JVNDB-2019-005796 // CNVD: CNVD-2019-19479 // BID: 108886 // IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // VULMON: CVE-2019-7227

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // CNVD: CNVD-2019-19479

AFFECTED PRODUCTS

vendor:abbmodel:pb610 panel builder 600scope:lteversion:2.8.0.367

Trust: 1.0

vendor:abbmodel:pb610 panel builder 600scope:gteversion:1.91

Trust: 1.0

vendor:abbmodel:pb610 panel builder 600scope: - version: -

Trust: 0.8

vendor:abbmodel:pb610scope: - version: -

Trust: 0.6

vendor:abbmodel:pb610 panel builderscope:eqversion:6002.8.0.367

Trust: 0.3

vendor:abbmodel:pb610 panel builderscope:eqversion:6001.91

Trust: 0.3

vendor:abbmodel:pb610 panel builderscope:neversion:6002.8.0.424

Trust: 0.3

vendor:pb610 panel builder 600model: - scope:eqversion:*

Trust: 0.2

sources: IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // CNVD: CNVD-2019-19479 // BID: 108886 // JVNDB: JVNDB-2019-005796 // NVD: CVE-2019-7227

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-7227
value: HIGH

Trust: 1.0

NVD: CVE-2019-7227
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-19479
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201906-892
value: HIGH

Trust: 0.6

IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc
value: HIGH

Trust: 0.2

VULMON: CVE-2019-7227
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-7227
severity: MEDIUM
baseScore: 4.1
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 5.1
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-19479
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-7227
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2019-7227
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // CNVD: CNVD-2019-19479 // VULMON: CVE-2019-7227 // JVNDB: JVNDB-2019-005796 // CNNVD: CNNVD-201906-892 // NVD: CVE-2019-7227

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2019-005796 // NVD: CVE-2019-7227

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201906-892

TYPE

Path traversal

Trust: 0.8

sources: IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // CNNVD: CNNVD-201906-892

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-005796

PATCH
title:Multiple Vulnerabilities in ABB PB610url:https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
Trust: 0.8
title:ABBPB610IDALFTPserver path traversal vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/165545
Trust: 0.6
title:ABB PB610 IDAL FTP server Repair measures for path traversal vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94027
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-19479 // 
            
            
            
            JVNDB: JVNDB-2019-005796 // 
            
            
            
            CNNVD: CNNVD-201906-892

EXTERNAL IDS
db:NVDid:CVE-2019-7227
Trust: 3.6
db:BIDid:108886
Trust: 2.6
db:PACKETSTORMid:153396
Trust: 1.7
db:ICS CERTid:ICSA-19-178-01
Trust: 1.4
db:CNVDid:CNVD-2019-19479
Trust: 0.8
db:CNNVDid:CNNVD-201906-892
Trust: 0.8
db:JVNDBid:JVNDB-2019-005796
Trust: 0.8
db:CXSECURITYid:WLB-2019060157
Trust: 0.6
db:AUSCERTid:ESB-2019.2346
Trust: 0.6
db:IVDid:4EBF8AFA-E0AC-4426-9433-E6E1B8E57CCC
Trust: 0.2
db:VULMONid:CVE-2019-7227
Trust: 0.1
sources:
            
            
            IVD: 4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc // 
            
            
            
            CNVD: CNVD-2019-19479 // 
            
            
            
            VULMON: CVE-2019-7227 // 
            
            
            
            BID: 108886 // 
            
            
            
            JVNDB: JVNDB-2019-005796 // 
            
            
            
            CNNVD: CNNVD-201906-892 // 
            
            
            
            NVD: CVE-2019-7227

REFERENCES
url:http://packetstormsecurity.com/files/153396/abb-idal-ftp-server-path-traversal.html
Trust: 2.4
url:https://search.abb.com/library/download.aspx?documentid=3adr010377&languagecode=en&documentpartid=&action=launch
Trust: 2.0
url:http://www.securityfocus.com/bid/108886
Trust: 1.8
url:https://www.darkmatter.ae/xen1thlabs/abb-idal-ftp-server-path-traversal-vulnerability-xl-19-008/
Trust: 1.7
url:http://seclists.org/fulldisclosure/2019/jun/37
Trust: 1.7
url:https://www.us-cert.gov/ics/advisories/icsa-19-178-01
Trust: 1.4
url:https://nvd.nist.gov/vuln/detail/cve-2019-7227
Trust: 1.4
url:https://new.abb.com
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-7227
Trust: 0.8
url:https://cxsecurity.com/issue/wlb-2019060157http
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.2346/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/22.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-19479 // 
            
            
            
            VULMON: CVE-2019-7227 // 
            
            
            
            BID: 108886 // 
            
            
            
            JVNDB: JVNDB-2019-005796 // 
            
            
            
            CNNVD: CNNVD-201906-892 // 
            
            
            
            NVD: CVE-2019-7227

CREDITS
Eldar Marcussen,Xen1thLabs.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201906-892

SOURCES
db:IVDid:4ebf8afa-e0ac-4426-9433-e6e1b8e57ccc
db:CNVDid:CNVD-2019-19479
db:VULMONid:CVE-2019-7227
db:BIDid:108886
db:JVNDBid:JVNDB-2019-005796
db:CNNVDid:CNNVD-201906-892
db:NVDid:CVE-2019-7227

LAST UPDATE DATE
2024-11-23T21:52:11.789000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-19479date:2019-06-28T00:00:00
db:VULMONid:CVE-2019-7227date:2019-10-09T00:00:00
db:BIDid:108886date:2019-06-13T00:00:00
db:JVNDBid:JVNDB-2019-005796date:2019-07-09T00:00:00
db:CNNVDid:CNNVD-201906-892date:2019-07-02T00:00:00
db:NVDid:CVE-2019-7227date:2024-11-21T04:47:47.720

SOURCES RELEASE DATE
db:IVDid:4ebf8afa-e0ac-4426-9433-e6e1b8e57cccdate:2019-06-28T00:00:00
db:CNVDid:CNVD-2019-19479date:2019-06-28T00:00:00
db:VULMONid:CVE-2019-7227date:2019-06-27T00:00:00
db:BIDid:108886date:2019-06-13T00:00:00
db:JVNDBid:JVNDB-2019-005796date:2019-07-01T00:00:00
db:CNNVDid:CNNVD-201906-892date:2019-06-21T00:00:00
db:NVDid:CVE-2019-7227date:2019-06-27T16:15:12.243