ID

VAR-201909-0043


CVE

CVE-2019-6826


TITLE

SoMachine HVAC Vulnerabilities related to untrusted search paths

Trust: 0.8

sources: JVNDB: JVNDB-2019-009527

DESCRIPTION

A CWE-426: Untrusted Search Path vulnerability exists in SoMachine HVAC v2.4.1 and earlier versions, which could cause arbitrary code execution on the system running SoMachine HVAC when a malicious DLL library is loaded by the product. SoMachine HVAC contains an untrusted search path vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Schneider Electric SoMachine HVAC is a set of programming software dedicated to Schneider Electric logic controllers, from Schneider Electric of France. Schneider Electric SoMachine HVAC v2.4.1 and previous versions have a code issue vulnerability. The vulnerability stems from improper design or implementation in the code development process of network systems or products. No detailed vulnerability details are currently provided.

Trust: 2.16

sources: NVD: CVE-2019-6826 // JVNDB: JVNDB-2019-009527 // CNVD: CNVD-2020-28493

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-28493

AFFECTED PRODUCTS

vendor: schneider electric, model: somachine hvac, scope: lte, version: 2.4.1

Trust: 1.0

vendor: schneider electric, model: somachine hvac programming software, scope: lte, version: 2.4.1

Trust: 0.8

vendor: schneider, model: electric schneider electric somachine hvac, scope: lt, version: v2.4.1

Trust: 0.6

sources: CNVD: CNVD-2020-28493 // JVNDB: JVNDB-2019-009527 // NVD: CVE-2019-6826

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6826
value: HIGH

Trust: 1.0

NVD: CVE-2019-6826
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-28493
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201909-820
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-6826
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-28493
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-6826
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-6826
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-28493 // JVNDB: JVNDB-2019-009527 // CNNVD: CNNVD-201909-820 // NVD: CVE-2019-6826

PROBLEMTYPE DATA

problemtype:CWE-426

Trust: 1.8

sources: JVNDB: JVNDB-2019-009527 // NVD: CVE-2019-6826

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201909-820

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201909-820

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009527

PATCH

title: SEVD-2019-225-04, url: https://www.schneider-electric.com/en/download/document/SEVD-2019-225-04/

Trust: 0.8

title: Patch for Schneider Electric SoMachine HVAC code issue vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/217741

Trust: 0.6

title: Schneider Electric SoMachine HVAC Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98351

Trust: 0.6

sources: CNVD: CNVD-2020-28493 // JVNDB: JVNDB-2019-009527 // CNNVD: CNNVD-201909-820

EXTERNAL IDS

db: NVD, id: CVE-2019-6826

Trust: 3.0

db: SCHNEIDER, id: SEVD-2019-225-04

Trust: 2.2

db: JVNDB, id: JVNDB-2019-009527

Trust: 0.8

db: CNVD, id: CNVD-2020-28493

Trust: 0.6

db: CNNVD, id: CNNVD-201909-820

Trust: 0.6

sources: CNVD: CNVD-2020-28493 // JVNDB: JVNDB-2019-009527 // CNNVD: CNNVD-201909-820 // NVD: CVE-2019-6826

REFERENCES

url:https://www.schneider-electric.com/en/download/document/sevd-2019-225-04/

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-6826

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6826

Trust: 0.8

sources: CNVD: CNVD-2020-28493 // JVNDB: JVNDB-2019-009527 // CNNVD: CNNVD-201909-820 // NVD: CVE-2019-6826

SOURCES

db: CNVD, id: CNVD-2020-28493
db: JVNDB, id: JVNDB-2019-009527
db: CNNVD, id: CNNVD-201909-820
db: NVD, id: CVE-2019-6826

LAST UPDATE DATE

2024-11-23T22:51:40.344000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-28493, date: 2020-05-17T00:00:00
db: JVNDB, id: JVNDB-2019-009527, date: 2019-09-24T00:00:00
db: CNNVD, id: CNNVD-201909-820, date: 2022-03-10T00:00:00
db: NVD, id: CVE-2019-6826, date: 2024-11-21T04:47:13.780

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-28493, date: 2020-05-17T00:00:00
db: JVNDB, id: JVNDB-2019-009527, date: 2019-09-24T00:00:00
db: CNNVD, id: CNNVD-201909-820, date: 2019-09-17T00:00:00
db: NVD, id: CVE-2019-6826, date: 2019-09-17T20:15:12.077