ID

VAR-201909-0863


CVE

CVE-2019-13920


TITLE

Siemens SINEMA Remote Connect Server Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: a8e7cf93-5249-402a-8e79-e25440dc623a // CNVD: CNVD-2019-31663 // CNNVD: CNNVD-201909-683

DESCRIPTION

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known. SINEMA Remote Connect helps users access remote devices or machines for easy and safe maintenance. The platform is mainly used for remote access, maintenance, control and diagnosis of the underlying network.

Trust: 2.43

sources: NVD: CVE-2019-13920 // JVNDB: JVNDB-2019-009304 // CNVD: CNVD-2019-31663 // IVD: a8e7cf93-5249-402a-8e79-e25440dc623a // VULHUB: VHN-145815

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.8

sources: IVD: a8e7cf93-5249-402a-8e79-e25440dc623a // CNVD: CNVD-2019-31663

AFFECTED PRODUCTS

vendor: siemens | model: sinema remote connect server | scope: eq | version: 2.0

Trust: 1.6

vendor: siemens | model: sinema remote connect server | scope: lte | version: 2.0

Trust: 1.0

vendor: siemens | model: sinema remote connect server | scope: lt | version: 2.0 sp1

Trust: 0.8

vendor: siemens | model: sinema remote connect server sp1 | scope: lt | version: v2.0

Trust: 0.6

vendor: sinema remote connect server | model: - | scope: eq | version: *

Trust: 0.2

vendor: sinema remote connect server | model: - | scope: eq | version: 2.0

Trust: 0.2

sources: IVD: a8e7cf93-5249-402a-8e79-e25440dc623a // CNVD: CNVD-2019-31663 // JVNDB: JVNDB-2019-009304 // CNNVD: CNNVD-201909-683 // NVD: CVE-2019-13920

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13920
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-13920
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-31663
value: LOW

Trust: 0.6

CNNVD: CNNVD-201909-683
value: MEDIUM

Trust: 0.6

IVD: a8e7cf93-5249-402a-8e79-e25440dc623a
value: MEDIUM

Trust: 0.2

VULHUB: VHN-145815
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13920
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-31663
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: a8e7cf93-5249-402a-8e79-e25440dc623a
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-145815
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-13920
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2019-13920
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: a8e7cf93-5249-402a-8e79-e25440dc623a // CNVD: CNVD-2019-31663 // VULHUB: VHN-145815 // JVNDB: JVNDB-2019-009304 // CNNVD: CNNVD-201909-683 // NVD: CVE-2019-13920

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-145815 // JVNDB: JVNDB-2019-009304 // NVD: CVE-2019-13920

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-683

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201909-683

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009304

PATCH

title: SSA-884497 | url: https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf

Trust: 0.8

title: Patch for Siemens SINEMA Remote Connect Server cross-site request forgery vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/180407

Trust: 0.6

title: SINEMA Remote Connect Server Fixes for cross-site request forgery vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98250

Trust: 0.6

sources: CNVD: CNVD-2019-31663 // JVNDB: JVNDB-2019-009304 // CNNVD: CNNVD-201909-683

EXTERNAL IDS

db: NVD | id: CVE-2019-13920

Trust: 3.3

db: SIEMENS | id: SSA-884497

Trust: 2.3

db: ICS CERT | id: ICSA-19-260-02

Trust: 1.4

db: CNNVD | id: CNNVD-201909-683

Trust: 0.9

db: CNVD | id: CNVD-2019-31663

Trust: 0.8

db: JVNDB | id: JVNDB-2019-009304

Trust: 0.8

db: AUSCERT | id: ESB-2019.3559

Trust: 0.6

db: IVD | id: A8E7CF93-5249-402A-8E79-E25440DC623A

Trust: 0.2

db: VULHUB | id: VHN-145815

Trust: 0.1

sources: IVD: a8e7cf93-5249-402a-8e79-e25440dc623a // CNVD: CNVD-2019-31663 // VULHUB: VHN-145815 // JVNDB: JVNDB-2019-009304 // CNNVD: CNNVD-201909-683 // NVD: CVE-2019-13920

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf

Trust: 2.3

url:https://www.us-cert.gov/ics/advisories/icsa-19-260-02

Trust: 1.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-13920

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13920

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.3559/

Trust: 0.6

sources: CNVD: CNVD-2019-31663 // VULHUB: VHN-145815 // JVNDB: JVNDB-2019-009304 // CNNVD: CNNVD-201909-683 // NVD: CVE-2019-13920

SOURCES

db: IVD | id: a8e7cf93-5249-402a-8e79-e25440dc623a
db: CNVD | id: CNVD-2019-31663
db: VULHUB | id: VHN-145815
db: JVNDB | id: JVNDB-2019-009304
db: CNNVD | id: CNNVD-201909-683
db: NVD | id: CVE-2019-13920

LAST UPDATE DATE

2024-11-23T22:11:49.308000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2019-31663 | date: 2019-09-16T00:00:00
db: VULHUB | id: VHN-145815 | date: 2019-10-09T00:00:00
db: JVNDB | id: JVNDB-2019-009304 | date: 2019-09-18T00:00:00
db: CNNVD | id: CNNVD-201909-683 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2019-13920 | date: 2024-11-21T04:25:42.087

SOURCES RELEASE DATE

db: IVD | id: a8e7cf93-5249-402a-8e79-e25440dc623a | date: 2019-09-16T00:00:00
db: CNVD | id: CNVD-2019-31663 | date: 2019-09-16T00:00:00
db: VULHUB | id: VHN-145815 | date: 2019-09-13T00:00:00
db: JVNDB | id: JVNDB-2019-009304 | date: 2019-09-18T00:00:00
db: CNNVD | id: CNNVD-201909-683 | date: 2019-09-13T00:00:00
db: NVD | id: CVE-2019-13920 | date: 2019-09-13T17:15:11.867