Details of VAR-201908-1836

ID

VAR-201908-1836

CVE

CVE-2019-10938

TITLE

SIPROTEC 5 Access control vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-007605

DESCRIPTION

A vulnerability has been identified in SIPROTEC 5 devices with CPU variants CP200 (All versions < V7.59), SIPROTEC 5 devices with CPU variants CP300 and CP100 (All versions < V8.01), Siemens Power Meters Series 9410 (All versions < V2.2.1), Siemens Power Meters Series 9810 (All versions). An unauthenticated attacker with network access to the device could potentially insert arbitrary code which is executed before firmware verification in the device. At the time of advisory publication no public exploitation of this security vulnerability was known. SIPROTEC 5 The device contains an access control vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. The SiemensSIPROTEC5 is a multi-function relay. There is a security hole in SiemensSIPROTEC5

Trust: 2.43

sources: NVD: CVE-2019-10938 // JVNDB: JVNDB-2019-007605 // CNVD: CNVD-2019-25928 // IVD: 2465d402-af66-48d7-8e2c-5d4ad536de9a // VULMON: CVE-2019-10938

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 2465d402-af66-48d7-8e2c-5d4ad536de9a // CNVD: CNVD-2019-25928

AFFECTED PRODUCTS

vendor:	siemens	model:	siprotec 5 digsi device driver	scope:	eq	version:	*	Trust: 1.1
vendor:	siemens	model:	siprotec 5 digsi device driver	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	siprotec	scope:	eq	version:	5	Trust: 0.6
vendor:	siprotec 5 digsi device driver	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 2465d402-af66-48d7-8e2c-5d4ad536de9a // CNVD: CNVD-2019-25928 // VULMON: CVE-2019-10938 // JVNDB: JVNDB-2019-007605 // NVD: CVE-2019-10938

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10938
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-10938
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-25928
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201908-207
value:	CRITICAL
Trust: 0.6
IVD:	2465d402-af66-48d7-8e2c-5d4ad536de9a
value:	CRITICAL
Trust: 0.2
VULMON:	CVE-2019-10938
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-10938
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-25928
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	2465d402-af66-48d7-8e2c-5d4ad536de9a
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-10938
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-10938
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 2465d402-af66-48d7-8e2c-5d4ad536de9a // CNVD: CNVD-2019-25928 // VULMON: CVE-2019-10938 // JVNDB: JVNDB-2019-007605 // CNNVD: CNNVD-201908-207 // NVD: CVE-2019-10938

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.8
problemtype:	NVD-CWE-Other	Trust: 1.0

sources: JVNDB: JVNDB-2019-007605 // NVD: CVE-2019-10938

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-207

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201908-207

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007605

PATCH

title:	SSA-632562	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf	Trust: 0.8
title:	Patch for SiemensSIPROTEC5 Access Rights Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/173137	Trust: 0.6
title:	SIPROTEC 5 Ethernet plug-in Repair measures for communication module security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95975	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=2dd69ca01b84b80e09672fedb1c26f51	Trust: 0.1
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=1f919286ef48798d96223ef4d2143337	Trust: 0.1

sources: CNVD: CNVD-2019-25928 // VULMON: CVE-2019-10938 // JVNDB: JVNDB-2019-007605 // CNNVD: CNNVD-201908-207

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10938	Trust: 3.3
db:	SIEMENS	id:	SSA-632562	Trust: 2.3
db:	SIEMENS	id:	SSA-352504	Trust: 1.7
db:	CNVD	id:	CNVD-2019-25928	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-207	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-007605	Trust: 0.8
db:	IVD	id:	2465D402-AF66-48D7-8E2C-5D4AD536DE9A	Trust: 0.2
db:	VULMON	id:	CVE-2019-10938	Trust: 0.1

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf	Trust: 2.3
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-352504.pdf	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10938	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10938	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/284.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://cert-portal.siemens.com/productcert/txt/ssa-352504.txt	Trust: 0.1

sources: CNVD: CNVD-2019-25928 // VULMON: CVE-2019-10938 // JVNDB: JVNDB-2019-007605 // CNNVD: CNNVD-201908-207 // NVD: CVE-2019-10938

SOURCES

db:	IVD	id:	2465d402-af66-48d7-8e2c-5d4ad536de9a
db:	CNVD	id:	CNVD-2019-25928
db:	VULMON	id:	CVE-2019-10938
db:	JVNDB	id:	JVNDB-2019-007605
db:	CNNVD	id:	CNNVD-201908-207
db:	NVD	id:	CVE-2019-10938

LAST UPDATE DATE

2024-11-23T19:54:26.867000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-25928	date:	2019-08-05T00:00:00
db:	VULMON	id:	CVE-2019-10938	date:	2020-10-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-007605	date:	2019-08-15T00:00:00
db:	CNNVD	id:	CNNVD-201908-207	date:	2020-10-09T00:00:00
db:	NVD	id:	CVE-2019-10938	date:	2024-11-21T04:20:11.667

SOURCES RELEASE DATE

db:	IVD	id:	2465d402-af66-48d7-8e2c-5d4ad536de9a	date:	2019-08-05T00:00:00
db:	CNVD	id:	CNVD-2019-25928	date:	2019-08-05T00:00:00
db:	VULMON	id:	CVE-2019-10938	date:	2019-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-007605	date:	2019-08-15T00:00:00
db:	CNNVD	id:	CNNVD-201908-207	date:	2019-08-02T00:00:00
db:	NVD	id:	CVE-2019-10938	date:	2019-08-02T14:15:14.147