Details of VAR-202001-1489

ID

VAR-202001-1489

CVE

CVE-2019-10958

TITLE

Geutebruck IP Camera G-Code and G-Cam In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-014196

DESCRIPTION

Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to network configuration to supply system commands to the server, leading to remote code execution as root. Geutebruck IP Camera G-Code and G-Cam for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. G-Cam is a web camera series launched by Geutebrück. G-Code is an analog video encoder launched by Geutebrück. Geutebrück G-Cam and G-Code have OS command injection vulnerabilities. The vulnerability stems from the fact that external input data constructs executable commands for the operating system, and the network system or product does not properly filter special characters and commands. Attackers can use this vulnerability to execute illegal operating system commands. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user and inject and execute arbitrary commands. Other attacks are also possible. The following products of Geutebruck are affected: G-Code EEC-2xxx version 1.12.0.25 and prior G-Cam EBC-21xx version 1.12.0.25 and prior G-Cam EFD-22xx version 1.12.0.25 and prior G-Cam ETHC-22xx version 1.12.0.25 and prior G-Cam EWPC-22xx version 1.12.0.25 and prior

Trust: 2.43

sources: NVD: CVE-2019-10958 // JVNDB: JVNDB-2019-014196 // CNVD: CNVD-2020-22345 // BID: 108579

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-22345

AFFECTED PRODUCTS

vendor:	geutebrueck	model:	g-code eec-2400	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ebc-2110	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam efd-2241	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2249	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2239	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ebc-2111	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam efd-2250	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2240	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ewpc-2270	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam efd-2240	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2230	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebruck	model:	g-cam/efd-2240	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-code/eec-2400	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ebc-2111	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2230	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/efd-2241	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2240	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ebc-2110	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2249	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2239	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/efd-2250	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam	scope:	lte	version:	<=1.12.0.25	Trust: 0.6
vendor:	geutebruck	model:	g-code	scope:	lte	version:	<=1.12.0.25	Trust: 0.6
vendor:	geutebruck	model:	g-code/eec-2xxx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ewpc-22xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ethc-22xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/efd-22xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ebc-21xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-code/eec-2xxx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ewpc-22xx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ethc-22xx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/efd-22xx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ebc-21xx	scope:	ne	version:	1.12.13.2	Trust: 0.3

sources: CNVD: CNVD-2020-22345 // BID: 108579 // JVNDB: JVNDB-2019-014196 // NVD: CVE-2019-10958

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10958
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-10958
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-22345
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201906-087
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2019-10958
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-22345
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-10958
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-10958
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-22345 // JVNDB: JVNDB-2019-014196 // CNNVD: CNNVD-201906-087 // NVD: CVE-2019-10958

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-014196 // NVD: CVE-2019-10958

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-087

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201906-087

PATCH

title:	Top Page	url:	https://www.geutebrueck.com/	Trust: 0.8
title:	Patch for Geutebrück G-Cam and G-Code OS command injection vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/213555	Trust: 0.6
title:	Multiple Geutebrück Product Command Injection Vulnerability Fixes	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93176	Trust: 0.6

sources: CNVD: CNVD-2020-22345 // JVNDB: JVNDB-2019-014196 // CNNVD: CNNVD-201906-087

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10958	Trust: 4.1
db:	ICS CERT	id:	ICSA-19-155-03	Trust: 3.3
db:	BID	id:	108579	Trust: 0.9
db:	JVNDB	id:	JVNDB-2019-014196	Trust: 0.8
db:	CNVD	id:	CNVD-2020-22345	Trust: 0.6
db:	CNNVD	id:	CNNVD-201906-087	Trust: 0.6

sources: CNVD: CNVD-2020-22345 // BID: 108579 // JVNDB: JVNDB-2019-014196 // CNNVD: CNNVD-201906-087 // NVD: CVE-2019-10958

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-155-03	Trust: 2.4
url:	https://ics-cert.us-cert.gov/advisories/icsa-19-155-03	Trust: 1.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10958	Trust: 1.4
url:	https://www.geutebrueck.com/en_en.html	Trust: 0.9
url:	https://www.securityfocus.com/bid/108579	Trust: 0.6

sources: CNVD: CNVD-2020-22345 // BID: 108579 // JVNDB: JVNDB-2019-014196 // CNNVD: CNNVD-201906-087 // NVD: CVE-2019-10958

CREDITS

Romain Luyer and Guillaume Gronnier from CEIS, and Davy Douhine from RandoriSec reported these vulnerabilities to NCCIC., and Davy Douhine from RandoriSec, and Davy Douhine from RandoriSec.

Trust: 0.6

sources: CNNVD: CNNVD-201906-087

SOURCES

db:	CNVD	id:	CNVD-2020-22345
db:	BID	id:	108579
db:	JVNDB	id:	JVNDB-2019-014196
db:	CNNVD	id:	CNNVD-201906-087
db:	NVD	id:	CVE-2019-10958

LAST UPDATE DATE

2024-12-28T22:51:07.538000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-22345	date:	2020-04-12T00:00:00
db:	BID	id:	108579	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-014196	date:	2024-12-27T03:07:00
db:	CNNVD	id:	CNNVD-201906-087	date:	2020-01-19T00:00:00
db:	NVD	id:	CVE-2019-10958	date:	2024-11-21T04:20:14.093

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-22345	date:	2020-04-12T00:00:00
db:	BID	id:	108579	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-014196	date:	2020-02-06T00:00:00
db:	CNNVD	id:	CNNVD-201906-087	date:	2019-06-04T00:00:00
db:	NVD	id:	CVE-2019-10958	date:	2020-01-17T18:15:12.260