Details of VAR-201912-0779

ID

VAR-201912-0779

CVE

CVE-2019-5080

TITLE

WAGO PFC 200 and PFC100 Vulnerability related to lack of certification for critical functions in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-013723

DESCRIPTION

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. WAGO PFC 200 and PFC100 Firmware is vulnerable to a lack of authentication for critical functions.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. WAGO PFC200 and WAGO PFC100 are both programmable logic controllers (PLCs) from the German company WAGO. Attackers can Exploitation of this vulnerability resulted in a denial of service

Trust: 2.34

sources: NVD: CVE-2019-5080 // JVNDB: JVNDB-2019-013723 // CNVD: CNVD-2019-46629 // IVD: ac656be7-caa8-4d9a-bd23-a4a8ae420da6

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: ac656be7-caa8-4d9a-bd23-a4a8ae420da6 // CNVD: CNVD-2019-46629

AFFECTED PRODUCTS

vendor:	wago	model:	pfc200	scope:	eq	version:	03.01.07(13)	Trust: 1.4
vendor:	wago	model:	pfc200	scope:	eq	version:	03.00.39(12)	Trust: 1.4
vendor:	wago	model:	pfc100	scope:	eq	version:	03.00.39(12)	Trust: 1.4
vendor:	wago	model:	pfc 100	scope:	eq	version:	03.00.39\(12\)	Trust: 1.0
vendor:	wago	model:	pfc 200	scope:	eq	version:	03.00.39\(12\)	Trust: 1.0
vendor:	wago	model:	pfc 200	scope:	eq	version:	03.01.07\(13\)	Trust: 1.0
vendor:	pfc 200	model:	-	scope:	eq	version:	03.00.39(12)	Trust: 0.2
vendor:	pfc 200	model:	-	scope:	eq	version:	03.01.07(13)	Trust: 0.2
vendor:	pfc 100	model:	-	scope:	eq	version:	03.00.39(12)	Trust: 0.2

sources: IVD: ac656be7-caa8-4d9a-bd23-a4a8ae420da6 // CNVD: CNVD-2019-46629 // JVNDB: JVNDB-2019-013723 // NVD: CVE-2019-5080

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-5080
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-5080
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-46629
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201912-742
value:	CRITICAL
Trust: 0.6
IVD:	ac656be7-caa8-4d9a-bd23-a4a8ae420da6
value:	CRITICAL
Trust: 0.2

nvd@nist.gov:	CVE-2019-5080
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-46629
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	ac656be7-caa8-4d9a-bd23-a4a8ae420da6
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-5080
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2019-5080
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: ac656be7-caa8-4d9a-bd23-a4a8ae420da6 // CNVD: CNVD-2019-46629 // JVNDB: JVNDB-2019-013723 // CNNVD: CNNVD-201912-742 // NVD: CVE-2019-5080

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.8

sources: JVNDB: JVNDB-2019-013723 // NVD: CVE-2019-5080

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-742

TYPE

Access control error

Trust: 0.8

sources: IVD: ac656be7-caa8-4d9a-bd23-a4a8ae420da6 // CNNVD: CNNVD-201912-742

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013723

PATCH

title:

Top Page

url:

https://www.wago.com/us/

Trust: 0.8

sources: JVNDB: JVNDB-2019-013723

EXTERNAL IDS

db:	NVD	id:	CVE-2019-5080	Trust: 3.2
db:	TALOS	id:	TALOS-2019-0872	Trust: 3.0
db:	CNVD	id:	CNVD-2019-46629	Trust: 0.8
db:	CNNVD	id:	CNNVD-201912-742	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-013723	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.0842	Trust: 0.6
db:	NSFOCUS	id:	47155	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-065-01	Trust: 0.6
db:	IVD	id:	AC656BE7-CAA8-4D9A-BD23-A4A8AE420DA6	Trust: 0.2

sources: IVD: ac656be7-caa8-4d9a-bd23-a4a8ae420da6 // CNVD: CNVD-2019-46629 // JVNDB: JVNDB-2019-013723 // CNNVD: CNNVD-201912-742 // NVD: CVE-2019-5080

REFERENCES

url:	https://www.talosintelligence.com/vulnerability_reports/talos-2019-0872	Trust: 1.8
url:	https://talosintelligence.com/vulnerability_reports/talos-2019-0872	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-5080	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5080	Trust: 0.8
url:	https://www.us-cert.gov/ics/advisories/icsa-20-065-01	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/47155	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0842/	Trust: 0.6

sources: CNVD: CNVD-2019-46629 // JVNDB: JVNDB-2019-013723 // CNNVD: CNNVD-201912-742 // NVD: CVE-2019-5080

CREDITS

Discovered by Kelly Leuschner of Cisco Talos

Trust: 0.6

sources: CNNVD: CNNVD-201912-742

SOURCES

db:	IVD	id:	ac656be7-caa8-4d9a-bd23-a4a8ae420da6
db:	CNVD	id:	CNVD-2019-46629
db:	JVNDB	id:	JVNDB-2019-013723
db:	CNNVD	id:	CNNVD-201912-742
db:	NVD	id:	CVE-2019-5080

LAST UPDATE DATE

2024-11-23T21:51:49.278000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-46629	date:	2019-12-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-013723	date:	2020-01-15T00:00:00
db:	CNNVD	id:	CNNVD-201912-742	date:	2020-07-16T00:00:00
db:	NVD	id:	CVE-2019-5080	date:	2024-11-21T04:44:18.750

SOURCES RELEASE DATE

db:	IVD	id:	ac656be7-caa8-4d9a-bd23-a4a8ae420da6	date:	2019-12-24T00:00:00
db:	CNVD	id:	CNVD-2019-46629	date:	2019-12-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-013723	date:	2020-01-15T00:00:00
db:	CNNVD	id:	CNNVD-201912-742	date:	2019-12-16T00:00:00
db:	NVD	id:	CVE-2019-5080	date:	2019-12-18T21:15:14.240