Sign-up

ID

VAR-201909-0989


CVE

CVE-2019-13556


TITLE

WebAccess Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-009491

DESCRIPTION

In WebAccess versions 8.4.1 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution. WebAccess Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within cnvlgxtag.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess is a set of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. The vulnerability stems from the fact that the program does not properly verify the length of user input data

Trust: 3.69

sources: NVD: CVE-2019-13556 // JVNDB: JVNDB-2019-009491 // ZDI: ZDI-19-847 // ZDI: ZDI-19-843 // CNVD: CNVD-2019-32469 // IVD: 657b7724-95c3-4f17-828d-8047ba03b978 // VULHUB: VHN-145414

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 657b7724-95c3-4f17-828d-8047ba03b978 // CNVD: CNVD-2019-32469

AFFECTED PRODUCTS

vendor:advantechmodel:webaccessscope:lteversion:8.4.1

Trust: 1.8

vendor:advantechmodel:webaccessscope: - version: -

Trust: 1.4

vendor:advantechmodel:webaccessscope:lteversion:<=8.4.1

Trust: 0.6

vendor:webaccessmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 657b7724-95c3-4f17-828d-8047ba03b978 // ZDI: ZDI-19-847 // ZDI: ZDI-19-843 // CNVD: CNVD-2019-32469 // JVNDB: JVNDB-2019-009491 // NVD: CVE-2019-13556

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2019-13556
value: CRITICAL

Trust: 1.4

nvd@nist.gov: CVE-2019-13556
value: HIGH

Trust: 1.0

NVD: CVE-2019-13556
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-32469
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201909-837
value: HIGH

Trust: 0.6

IVD: 657b7724-95c3-4f17-828d-8047ba03b978
value: HIGH

Trust: 0.2

VULHUB: VHN-145414
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13556
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-32469
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 657b7724-95c3-4f17-828d-8047ba03b978
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-145414
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ZDI: CVE-2019-13556
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2019-13556
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-13556
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 657b7724-95c3-4f17-828d-8047ba03b978 // ZDI: ZDI-19-847 // ZDI: ZDI-19-843 // CNVD: CNVD-2019-32469 // VULHUB: VHN-145414 // JVNDB: JVNDB-2019-009491 // CNNVD: CNNVD-201909-837 // NVD: CVE-2019-13556

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.1

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-119

Trust: 0.9

sources: VULHUB: VHN-145414 // JVNDB: JVNDB-2019-009491 // NVD: CVE-2019-13556

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-837

TYPE

Buffer error

Trust: 0.8

sources: IVD: 657b7724-95c3-4f17-828d-8047ba03b978 // CNNVD: CNNVD-201909-837

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-009491

PATCH
title:Advantech has issued an update to correct this vulnerability.url:https://www.us-cert.gov/ics/advisories/icsa-19-260-01
Trust: 1.4
title:Advantech WebAccessurl:https://www.advantech.co.jp/industrial-automation/webaccess
Trust: 0.8
title:Patch for Advantech WebAccess Buffer Overflow Vulnerability (CNVD-2019-32469)url:https://www.cnvd.org.cn/patchInfo/show/181513
Trust: 0.6
title:Advantech WebAccess Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98366
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-847 // 
            
            
            
            ZDI: ZDI-19-843 // 
            
            
            
            CNVD: CNVD-2019-32469 // 
            
            
            
            JVNDB: JVNDB-2019-009491 // 
            
            
            
            CNNVD: CNNVD-201909-837

EXTERNAL IDS
db:NVDid:CVE-2019-13556
Trust: 4.7
db:ICS CERTid:ICSA-19-260-01
Trust: 3.1
db:ZDIid:ZDI-19-847
Trust: 1.3
db:CNNVDid:CNNVD-201909-837
Trust: 0.9
db:CNVDid:CNVD-2019-32469
Trust: 0.8
db:JVNDBid:JVNDB-2019-009491
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-9272
Trust: 0.7
db:ZDI_CANid:ZDI-CAN-9236
Trust: 0.7
db:ZDIid:ZDI-19-843
Trust: 0.7
db:AUSCERTid:ESB-2019.3558
Trust: 0.6
db:IVDid:657B7724-95C3-4F17-828D-8047BA03B978
Trust: 0.2
db:VULHUBid:VHN-145414
Trust: 0.1
sources:
            
            
            IVD: 657b7724-95c3-4f17-828d-8047ba03b978 // 
            
            
            
            ZDI: ZDI-19-847 // 
            
            
            
            ZDI: ZDI-19-843 // 
            
            
            
            CNVD: CNVD-2019-32469 // 
            
            
            
            VULHUB: VHN-145414 // 
            
            
            
            JVNDB: JVNDB-2019-009491 // 
            
            
            
            CNNVD: CNNVD-201909-837 // 
            
            
            
            NVD: CVE-2019-13556

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa-19-260-01
Trust: 4.5
url:https://nvd.nist.gov/vuln/detail/cve-2019-13556
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13556
Trust: 0.8
url:https://www.zerodayinitiative.com/advisories/zdi-19-847/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.3558/
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-847 // 
            
            
            
            ZDI: ZDI-19-843 // 
            
            
            
            CNVD: CNVD-2019-32469 // 
            
            
            
            VULHUB: VHN-145414 // 
            
            
            
            JVNDB: JVNDB-2019-009491 // 
            
            
            
            CNNVD: CNNVD-201909-837 // 
            
            
            
            NVD: CVE-2019-13556

CREDITS
Mat Powell of Trend Micro Zero Day Initiative
Trust: 2.0
sources:
            
            
            ZDI: ZDI-19-847 // 
            
            
            
            ZDI: ZDI-19-843 // 
            
            
            
            CNNVD: CNNVD-201909-837

SOURCES
db:IVDid:657b7724-95c3-4f17-828d-8047ba03b978
db:ZDIid:ZDI-19-847
db:ZDIid:ZDI-19-843
db:CNVDid:CNVD-2019-32469
db:VULHUBid:VHN-145414
db:JVNDBid:JVNDB-2019-009491
db:CNNVDid:CNNVD-201909-837
db:NVDid:CVE-2019-13556

LAST UPDATE DATE
2024-08-14T14:56:40.794000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-19-847date:2019-09-17T00:00:00
db:ZDIid:ZDI-19-843date:2019-09-17T00:00:00
db:CNVDid:CNVD-2019-32469date:2019-09-21T00:00:00
db:VULHUBid:VHN-145414date:2020-10-16T00:00:00
db:JVNDBid:JVNDB-2019-009491date:2019-09-24T00:00:00
db:CNNVDid:CNNVD-201909-837date:2020-10-19T00:00:00
db:NVDid:CVE-2019-13556date:2020-10-16T13:18:37.930

SOURCES RELEASE DATE
db:IVDid:657b7724-95c3-4f17-828d-8047ba03b978date:2019-09-21T00:00:00
db:ZDIid:ZDI-19-847date:2019-09-17T00:00:00
db:ZDIid:ZDI-19-843date:2019-09-17T00:00:00
db:CNVDid:CNVD-2019-32469date:2019-09-21T00:00:00
db:VULHUBid:VHN-145414date:2019-09-18T00:00:00
db:JVNDBid:JVNDB-2019-009491date:2019-09-24T00:00:00
db:CNNVDid:CNNVD-201909-837date:2019-09-17T00:00:00
db:NVDid:CVE-2019-13556date:2019-09-18T22:15:11.217