Sign-up

ID

VAR-201906-1032


CVE

CVE-2019-10925


TITLE

SIMATIC Ident MV420 family  and  MV440 family  access control vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2019-005573

DESCRIPTION

A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). An authenticated attacker could escalate privileges by sending specially crafted requests to the integrated webserver. The security vulnerability can be exploited by an attacker with network access to the device. Valid user credentials, but no user interaction are required. Successful exploitation compromises integrity and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. SIMATIC Ident MV420 family and MV440 family contains an access control vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be in a state. The Siemens SIMATIC Ident MV 420 and the Siemens SIMATIC Ident MV 440 are both a code reading system from Siemens AG, Germany. Permissions and access control issues vulnerabilities exist in SiemensSIMATICIdentMV420 and SiemensSIMATICIdentMV440, which can be exploited by attackers to increase privileges. Siemens SIMATIC Ident MV420 and MV440 Families are prone to multiple security vulnerabilities

Trust: 2.7

sources: NVD: CVE-2019-10925 // JVNDB: JVNDB-2019-005573 // CNVD: CNVD-2019-21108 // BID: 108725 // IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0 // VULHUB: VHN-142520

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0 // CNVD: CNVD-2019-21108

AFFECTED PRODUCTS

vendor:siemensmodel:simatic mv420scope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic mv440scope:eqversion:*

Trust: 1.0

vendor:シーメンスmodel:simatic ident mv420 familyscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:simatic ident mv440 familyscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic ident mv440scope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic ident mv420scope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic ident mv440scope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic ident mv420scope:eqversion:0

Trust: 0.3

vendor:simatic mv420model: - scope:eqversion:*

Trust: 0.2

vendor:simatic mv440model: - scope:eqversion:*

Trust: 0.2

sources: IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0 // CNVD: CNVD-2019-21108 // BID: 108725 // JVNDB: JVNDB-2019-005573 // NVD: CVE-2019-10925

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10925
value: HIGH

Trust: 1.0

NVD: CVE-2019-10925
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-21108
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201906-523
value: HIGH

Trust: 0.6

IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0
value: HIGH

Trust: 0.2

VULHUB: VHN-142520
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10925
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-21108
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-142520
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10925
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.1

Trust: 1.0

NVD: CVE-2019-10925
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0 // CNVD: CNVD-2019-21108 // VULHUB: VHN-142520 // JVNDB: JVNDB-2019-005573 // CNNVD: CNNVD-201906-523 // NVD: CVE-2019-10925

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Inappropriate access control (CWE-284) [ others ]

Trust: 0.8

problemtype: Lack of information (CWE-noinfo) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-264

Trust: 0.1

sources: VULHUB: VHN-142520 // JVNDB: JVNDB-2019-005573 // NVD: CVE-2019-10925

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-523

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201906-523

PATCH

title:SSA-816980url:https://cert-portal.siemens.com/productcert/pdf/ssa-816980.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2019-005573

EXTERNAL IDS

db:NVDid:CVE-2019-10925

Trust: 4.4

db:ICS CERTid:ICSA-19-162-02

Trust: 3.4

db:SIEMENSid:SSA-816980

Trust: 2.0

db:BIDid:108725

Trust: 2.0

db:CNNVDid:CNNVD-201906-523

Trust: 0.9

db:CNVDid:CNVD-2019-21108

Trust: 0.8

db:JVNDBid:JVNDB-2019-005573

Trust: 0.8

db:IVDid:76EC1EF8-02CF-4201-B562-6337CE2AFFB0

Trust: 0.2

db:VULHUBid:VHN-142520

Trust: 0.1

sources: IVD: 76ec1ef8-02cf-4201-b562-6337ce2affb0 // CNVD: CNVD-2019-21108 // VULHUB: VHN-142520 // BID: 108725 // JVNDB: JVNDB-2019-005573 // CNNVD: CNNVD-201906-523 // NVD: CVE-2019-10925

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-19-162-02

Trust: 3.4

url:http://www.securityfocus.com/bid/108725

Trust: 2.3

url:https://cert-portal.siemens.com/productcert/pdf/ssa-816980.pdf

Trust: 2.0

url:http://www.siemens.com/

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2019-10925

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-19-162-02

Trust: 0.6

url:https://vigilance.fr/vulnerability/simatic-ident-information-disclosure-via-web-session-29519

Trust: 0.6

sources: CNVD: CNVD-2019-21108 // VULHUB: VHN-142520 // BID: 108725 // JVNDB: JVNDB-2019-005573 // CNNVD: CNNVD-201906-523 // NVD: CVE-2019-10925

CREDITS

The vendor reported these issues.,Siemens PSIRT reported these vulnerabilities to NCCIC.

Trust: 0.6

sources: CNNVD: CNNVD-201906-523

SOURCES

db:IVDid:76ec1ef8-02cf-4201-b562-6337ce2affb0
db:CNVDid:CNVD-2019-21108
db:VULHUBid:VHN-142520
db:BIDid:108725
db:JVNDBid:JVNDB-2019-005573
db:CNNVDid:CNNVD-201906-523
db:NVDid:CVE-2019-10925

LAST UPDATE DATE

2024-12-28T23:00:25.515000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-21108date:2019-07-04T00:00:00
db:VULHUBid:VHN-142520date:2020-10-02T00:00:00
db:BIDid:108725date:2019-06-11T00:00:00
db:JVNDBid:JVNDB-2019-005573date:2024-12-27T03:24:00
db:CNNVDid:CNNVD-201906-523date:2021-08-16T00:00:00
db:NVDid:CVE-2019-10925date:2024-11-21T04:20:09.977

SOURCES RELEASE DATE

db:IVDid:76ec1ef8-02cf-4201-b562-6337ce2affb0date:2019-07-04T00:00:00
db:CNVDid:CNVD-2019-21108date:2019-07-04T00:00:00
db:VULHUBid:VHN-142520date:2019-06-12T00:00:00
db:BIDid:108725date:2019-06-11T00:00:00
db:JVNDBid:JVNDB-2019-005573date:2019-06-24T00:00:00
db:CNNVDid:CNNVD-201906-523date:2019-06-11T00:00:00
db:NVDid:CVE-2019-10925date:2019-06-12T14:29:04.477