ID

VAR-201908-1834


CVE

CVE-2019-10928


TITLE

Siemens SCALANCE SC-600 command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-10472 // CNNVD: CNNVD-201908-893

DESCRIPTION

A vulnerability has been identified in SCALANCE SC-600 (V2.0). An authenticated attacker with access to port 22/tcp as well as physical access to an affected device may trigger the device to allow execution of arbitrary commands. The security vulnerability could be exploited by an authenticated attacker with physical access to the affected device. No user interaction is required to exploit this vulnerability. The vulnerability impacts the confidentiality, integrity and availability of the affected device. SCALANCE SC-600 contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Siemens SCALANCE SC-600 is an industrial safety device from Germany's Siemens. This product mainly protects equipment and networks in discrete manufacturing and process industries, and protects industrial communications through mechanisms such as stateful packet inspection firewalls (SPI firewalls) and virtual private networks (VPNs). A command injection vulnerability exists in Siemens SCALANCE SC-600 V2.0. The vulnerability stems from the fact that the network system or product did not properly filter special elements when constructing executable commands from external input data. An attacker could use this vulnerability to execute an illegal command. The SCALANCE SC firewall is used to protect trusted industrial networks from untrusted networks. It allows filtering of incoming and outgoing network connections in different ways.

Trust: 2.79

sources: NVD: CVE-2019-10928 // JVNDB: JVNDB-2019-008095 // CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706 // VULHUB: VHN-142523

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706

AFFECTED PRODUCTS

vendor: siemens, model: scalance sc-600, scope: eq, version: 2.0

Trust: 1.8

vendor: siemens, model: scalance sc-600, scope: eq, version: v2.0

Trust: 1.2

vendor: siemens, model: scalance xb-200, scope: eq, version: v4.1

Trust: 0.6

vendor: siemens, model: scalance xc-200, scope: eq, version: v4.1

Trust: 0.6

vendor: siemens, model: scalance xf-200ba, scope: eq, version: v4.1

Trust: 0.6

vendor: siemens, model: scalance xp-200, scope: eq, version: v4.1

Trust: 0.6

vendor: siemens, model: scalance xr-300wg, scope: eq, version: v4.1

Trust: 0.6

sources: CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706 // JVNDB: JVNDB-2019-008095 // NVD: CVE-2019-10928

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10928
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-10928
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-10472
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2019-27706
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-893
value: MEDIUM

Trust: 0.6

VULHUB: VHN-142523
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10928
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-10472
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2019-27706
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-142523
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10928
baseSeverity: MEDIUM
baseScore: 6.6
vectorString: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.7
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-10928
baseSeverity: MEDIUM
baseScore: 6.6
vectorString: CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706 // VULHUB: VHN-142523 // JVNDB: JVNDB-2019-008095 // CNNVD: CNNVD-201908-893 // NVD: CVE-2019-10928

PROBLEMTYPE DATA

problemtype: CWE-703

Trust: 1.0

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: CWE-77

Trust: 0.9

sources: VULHUB: VHN-142523 // JVNDB: JVNDB-2019-008095 // NVD: CVE-2019-10928

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201908-893

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008095

PATCH

title: SSA-671286, url: https://cert-portal.siemens.com/productcert/pdf/ssa-671286.pdf

Trust: 0.8

title: Patch for Siemens SCALANCE SC-600 command injection vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/201863

Trust: 0.6

title: Patch for Siemens SCALANCE SC-600 Command Execution Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/175789

Trust: 0.6

title: SCALANCE SC-600 Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96581

Trust: 0.6

sources: CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706 // JVNDB: JVNDB-2019-008095 // CNNVD: CNNVD-201908-893

EXTERNAL IDS

db: NVD, id: CVE-2019-10928

Trust: 3.1

db: SIEMENS, id: SSA-671286

Trust: 2.9

db: ICS CERT, id: ICSA-19-227-03

Trust: 1.4

db: JVNDB, id: JVNDB-2019-008095

Trust: 0.8

db: CNNVD, id: CNNVD-201908-893

Trust: 0.7

db: CNVD, id: CNVD-2020-10472

Trust: 0.6

db: CNVD, id: CNVD-2019-27706

Trust: 0.6

db: AUSCERT, id: ESB-2019.3149

Trust: 0.6

db: VULHUB, id: VHN-142523

Trust: 0.1

sources: CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706 // VULHUB: VHN-142523 // JVNDB: JVNDB-2019-008095 // CNNVD: CNNVD-201908-893 // NVD: CVE-2019-10928

REFERENCES

url: https://cert-portal.siemens.com/productcert/pdf/ssa-671286.pdf

Trust: 2.9

url: https://www.us-cert.gov/ics/advisories/icsa-19-227-03

Trust: 1.4

url: https://nvd.nist.gov/vuln/detail/cve-2019-10928

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10928

Trust: 0.8

url: https://us-cert.cisa.gov/ics/advisories/icsa-19-227-03

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.3149/

Trust: 0.6

sources: CNVD: CNVD-2020-10472 // CNVD: CNVD-2019-27706 // VULHUB: VHN-142523 // JVNDB: JVNDB-2019-008095 // CNNVD: CNNVD-201908-893 // NVD: CVE-2019-10928

SOURCES

db: CNVD, id: CNVD-2020-10472
db: CNVD, id: CNVD-2019-27706
db: VULHUB, id: VHN-142523
db: JVNDB, id: JVNDB-2019-008095
db: CNNVD, id: CNNVD-201908-893
db: NVD, id: CVE-2019-10928

LAST UPDATE DATE

2024-08-14T14:04:17.102000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-10472, date: 2020-02-19T00:00:00
db: CNVD, id: CNVD-2019-27706, date: 2019-08-15T00:00:00
db: VULHUB, id: VHN-142523, date: 2020-10-02T00:00:00
db: JVNDB, id: JVNDB-2019-008095, date: 2019-10-04T00:00:00
db: CNNVD, id: CNNVD-201908-893, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-10928, date: 2020-10-02T14:09:24.937

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-10472, date: 2020-02-19T00:00:00
db: CNVD, id: CNVD-2019-27706, date: 2019-08-15T00:00:00
db: VULHUB, id: VHN-142523, date: 2019-08-13T00:00:00
db: JVNDB, id: JVNDB-2019-008095, date: 2019-08-26T00:00:00
db: CNNVD, id: CNNVD-201908-893, date: 2019-08-13T00:00:00
db: NVD, id: CVE-2019-10928, date: 2019-08-13T19:15:14.767