Details of VAR-201912-1175

ID

VAR-201912-1175

CVE

CVE-2019-13944

TITLE

Siemens EN100 Ethernet Module Path traversal vulnerability

Trust: 1.4

sources: IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77 // CNVD: CNVD-2019-46391 // CNNVD: CNNVD-201912-407

DESCRIPTION

A vulnerability has been identified in EN100 Ethernet module DNP3 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.37), EN100 Ethernet module IEC104 variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). A vulnerability in the integrated web server of the affected devices could allow unauthorized attackers to obtain sensitive information about the device, including logs and configurations. At the time of advisory publication no public exploitation of this security vulnerability was known. plural EN100 Ethernet The module contains a path traversal vulnerability.Information may be obtained

Trust: 2.34

sources: NVD: CVE-2019-13944 // JVNDB: JVNDB-2019-013232 // CNVD: CNVD-2019-46391 // IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77 // CNVD: CNVD-2019-46391

AFFECTED PRODUCTS

vendor:	siemens	model:	en100 ethernet module with variant iec 61850	scope:	lt	version:	4.37	Trust: 1.0
vendor:	siemens	model:	en100 ethernet module with variant dnp3 tcp	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	en100 ethernet module with variant iec104	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	en100 ethernet module with variant modbus tcp	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	en100 ethernet module with variant profinet io	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	en100 ethernet module dnp3	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	en100 ethernet module iec 104	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	en100 ethernet module iec 61850	scope:	lt	version:	4.37	Trust: 0.8
vendor:	siemens	model:	en100 ethernet module modbus tcp	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	en100 ethernet module profinet io	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	en100 ethernet module profinet io variant	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module modbus tcp variant	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module dnp3 variant	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module iec variant	scope:	eq	version:	61850<v4.37	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module iec104 variant	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module with variant iec104	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module with variant profinet io	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module	scope:	eq	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module with variant modbus tcp	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	en100 ethernet module with variant dnp3 tcp	scope:	-	version:	-	Trust: 0.6
vendor:	en100 ethernet module with variant dnp3 tcp	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	en100 ethernet module with variant iec104	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	en100 ethernet module with variant iec 61850	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	en100 ethernet module with variant modbus tcp	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	en100 ethernet module with variant profinet io	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77 // CNVD: CNVD-2019-46391 // JVNDB: JVNDB-2019-013232 // CNNVD: CNNVD-201912-407 // NVD: CVE-2019-13944

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-13944
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-13944
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-46391
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201912-407
value:	MEDIUM
Trust: 0.6
IVD:	d176b4b8-d228-4e18-a61a-7a4a8b6b6c77
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-13944
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-46391
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	d176b4b8-d228-4e18-a61a-7a4a8b6b6c77
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-13944
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2019-13944
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77 // CNVD: CNVD-2019-46391 // JVNDB: JVNDB-2019-013232 // CNNVD: CNNVD-201912-407 // NVD: CVE-2019-13944

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.8
problemtype:	CWE-23	Trust: 1.0

sources: JVNDB: JVNDB-2019-013232 // NVD: CVE-2019-13944

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-407

TYPE

Path traversal

Trust: 0.8

sources: IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77 // CNNVD: CNNVD-201912-407

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013232

PATCH

title:	SSA-418979	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-418979.pdf	Trust: 0.8
title:	Patch for Siemens EN100 Ethernet Module path traversal vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/194751	Trust: 0.6

sources: CNVD: CNVD-2019-46391 // JVNDB: JVNDB-2019-013232

EXTERNAL IDS

db:	NVD	id:	CVE-2019-13944	Trust: 3.2
db:	ICS CERT	id:	ICSA-19-344-07	Trust: 2.4
db:	SIEMENS	id:	SSA-418979	Trust: 1.6
db:	CNVD	id:	CNVD-2019-46391	Trust: 0.8
db:	CNNVD	id:	CNNVD-201912-407	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-013232	Trust: 0.8
db:	AUSCERT	id:	ESB-2019.4620	Trust: 0.6
db:	IVD	id:	D176B4B8-D228-4E18-A61A-7A4A8B6B6C77	Trust: 0.2

sources: IVD: d176b4b8-d228-4e18-a61a-7a4a8b6b6c77 // CNVD: CNVD-2019-46391 // JVNDB: JVNDB-2019-013232 // CNNVD: CNNVD-201912-407 // NVD: CVE-2019-13944

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-344-07	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13944	Trust: 2.0
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-418979.pdf	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13944	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.4620/	Trust: 0.6

sources: CNVD: CNVD-2019-46391 // JVNDB: JVNDB-2019-013232 // CNNVD: CNNVD-201912-407 // NVD: CVE-2019-13944

SOURCES

db:	IVD	id:	d176b4b8-d228-4e18-a61a-7a4a8b6b6c77
db:	CNVD	id:	CNVD-2019-46391
db:	JVNDB	id:	JVNDB-2019-013232
db:	CNNVD	id:	CNNVD-201912-407
db:	NVD	id:	CVE-2019-13944

LAST UPDATE DATE

2024-11-23T21:51:48.295000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-46391	date:	2019-12-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-013232	date:	2019-12-23T00:00:00
db:	CNNVD	id:	CNNVD-201912-407	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2019-13944	date:	2024-11-21T04:25:44.813

SOURCES RELEASE DATE

db:	IVD	id:	d176b4b8-d228-4e18-a61a-7a4a8b6b6c77	date:	2019-12-20T00:00:00
db:	CNVD	id:	CNVD-2019-46391	date:	2019-12-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-013232	date:	2019-12-23T00:00:00
db:	CNNVD	id:	CNNVD-201912-407	date:	2019-12-10T00:00:00
db:	NVD	id:	CVE-2019-13944	date:	2019-12-12T19:15:15.157