Details of VAR-201906-1033

ID

VAR-201906-1033

CVE

CVE-2019-10926

TITLE

SIMATIC Ident MV420 family and MV440 family Cryptographic vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-005574

DESCRIPTION

A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). Communication with the device is not encrypted. Data transmitted between the device and the user can be obtained by an attacker in a privileged network position. The security vulnerability can be exploited by an attacker in a privileged network position which allows eavesdropping the communication between the affected device and the user. The user must invoke a session. Successful exploitation of the vulnerability compromises confidentiality of the data transmitted. SIMATIC Ident MV420 family and MV440 family Contains a cryptographic vulnerability.Information may be obtained. The Siemens SIMATIC Ident MV 420 and the Siemens SIMATIC Ident MV 440 are both a code reading system from Siemens AG, Germany. Siemens SIMATIC Ident MV420 and MV440 Families are prone to multiple security vulnerabilities. Attackers can leverage these issues to gain elevated privileges and obtain sensitive information. At the time of advisory publication no public exploitation of this security vulnerability was known

Trust: 2.7

sources: NVD: CVE-2019-10926 // JVNDB: JVNDB-2019-005574 // CNVD: CNVD-2019-21107 // BID: 108725 // IVD: 3bede54c-ec00-4da4-8f33-8ac22c396ed9 // VULHUB: VHN-142521

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 3bede54c-ec00-4da4-8f33-8ac22c396ed9 // CNVD: CNVD-2019-21107

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic mv440	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic mv420	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic ident mv420 family	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic ident mv440 family	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic ident mv440	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic ident mv420	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic ident mv440	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic ident mv420	scope:	eq	version:	0	Trust: 0.3
vendor:	simatic mv420	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic mv440	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 3bede54c-ec00-4da4-8f33-8ac22c396ed9 // CNVD: CNVD-2019-21107 // BID: 108725 // JVNDB: JVNDB-2019-005574 // NVD: CVE-2019-10926

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10926
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-10926
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-21107
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201906-522
value:	MEDIUM
Trust: 0.6
IVD:	3bede54c-ec00-4da4-8f33-8ac22c396ed9
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-142521
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-10926
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-21107
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	3bede54c-ec00-4da4-8f33-8ac22c396ed9
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-142521
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-10926
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.6
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: IVD: 3bede54c-ec00-4da4-8f33-8ac22c396ed9 // CNVD: CNVD-2019-21107 // VULHUB: VHN-142521 // JVNDB: JVNDB-2019-005574 // CNNVD: CNNVD-201906-522 // NVD: CVE-2019-10926

PROBLEMTYPE DATA

problemtype:	CWE-310	Trust: 1.9
problemtype:	CWE-319	Trust: 1.0

sources: VULHUB: VHN-142521 // JVNDB: JVNDB-2019-005574 // NVD: CVE-2019-10926

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-522

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-522

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005574

PATCH

title:

SSA-816980

url:

https://cert-portal.siemens.com/productcert/pdf/ssa-816980.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2019-005574

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10926	Trust: 3.6
db:	ICS CERT	id:	ICSA-19-162-02	Trust: 3.4
db:	SIEMENS	id:	SSA-816980	Trust: 2.0
db:	BID	id:	108725	Trust: 2.0
db:	CNNVD	id:	CNNVD-201906-522	Trust: 0.9
db:	CNVD	id:	CNVD-2019-21107	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-005574	Trust: 0.8
db:	IVD	id:	3BEDE54C-EC00-4DA4-8F33-8AC22C396ED9	Trust: 0.2
db:	VULHUB	id:	VHN-142521	Trust: 0.1

sources: IVD: 3bede54c-ec00-4da4-8f33-8ac22c396ed9 // CNVD: CNVD-2019-21107 // VULHUB: VHN-142521 // BID: 108725 // JVNDB: JVNDB-2019-005574 // CNNVD: CNNVD-201906-522 // NVD: CVE-2019-10926

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-162-02	Trust: 3.4
url:	http://www.securityfocus.com/bid/108725	Trust: 2.3
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-816980.pdf	Trust: 2.0
url:	http://www.siemens.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10926	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10926	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-19-162-02	Trust: 0.6
url:	https://vigilance.fr/vulnerability/simatic-ident-information-disclosure-via-web-session-29519	Trust: 0.6

sources: CNVD: CNVD-2019-21107 // VULHUB: VHN-142521 // BID: 108725 // JVNDB: JVNDB-2019-005574 // CNNVD: CNNVD-201906-522 // NVD: CVE-2019-10926

CREDITS

The vendor reported these issues.,Siemens PSIRT reported these vulnerabilities to NCCIC.

Trust: 0.6

sources: CNNVD: CNNVD-201906-522

SOURCES

db:	IVD	id:	3bede54c-ec00-4da4-8f33-8ac22c396ed9
db:	CNVD	id:	CNVD-2019-21107
db:	VULHUB	id:	VHN-142521
db:	BID	id:	108725
db:	JVNDB	id:	JVNDB-2019-005574
db:	CNNVD	id:	CNNVD-201906-522
db:	NVD	id:	CVE-2019-10926

LAST UPDATE DATE

2024-08-14T14:38:54.094000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-21107	date:	2019-07-04T00:00:00
db:	VULHUB	id:	VHN-142521	date:	2019-10-09T00:00:00
db:	BID	id:	108725	date:	2019-06-11T00:00:00
db:	JVNDB	id:	JVNDB-2019-005574	date:	2019-06-24T00:00:00
db:	CNNVD	id:	CNNVD-201906-522	date:	2021-08-16T00:00:00
db:	NVD	id:	CVE-2019-10926	date:	2021-03-15T18:15:15.503

SOURCES RELEASE DATE

db:	IVD	id:	3bede54c-ec00-4da4-8f33-8ac22c396ed9	date:	2019-07-04T00:00:00
db:	CNVD	id:	CNVD-2019-21107	date:	2019-07-04T00:00:00
db:	VULHUB	id:	VHN-142521	date:	2019-06-12T00:00:00
db:	BID	id:	108725	date:	2019-06-11T00:00:00
db:	JVNDB	id:	JVNDB-2019-005574	date:	2019-06-24T00:00:00
db:	CNNVD	id:	CNNVD-201906-522	date:	2019-06-11T00:00:00
db:	NVD	id:	CVE-2019-10926	date:	2019-06-12T14:29:04.510