ID

VAR-202003-0675


CVE

CVE-2019-5135


TITLE

Vulnerability in WAGO PFC100 and PFC200 related to information leakage caused by different responses to security-related processing

Trust: 0.8

sources: JVNDB: JVNDB-2019-014894

DESCRIPTION

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12). WAGO PFC100 and PFC200 contain a vulnerability related to information leakage due to differences in response to security-related processing. Information may be obtained. WAGO PFC200 and WAGO PFC100 are both programmable logic controllers (PLCs) from the German company WAGO.

Trust: 2.52

sources: NVD: CVE-2019-5135 // JVNDB: JVNDB-2019-014894 // CNVD: CNVD-2020-17497 // IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814 // IVD: d76ec9c3-0538-43bd-9a04-3266577faeac

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.4

sources: IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814 // IVD: d76ec9c3-0538-43bd-9a04-3266577faeac // CNVD: CNVD-2020-17497

AFFECTED PRODUCTS

vendor: wago, model: pfc200, scope: eq, version: 03.01.07(13)

Trust: 1.4

vendor: wago, model: pfc200, scope: eq, version: 03.00.39(12)

Trust: 1.4

vendor: wago, model: pfc100, scope: eq, version: 03.00.39(12)

Trust: 1.4

vendor: wago, model: pfc100, scope: eq, version: 03.00.39\(12\)

Trust: 1.0

vendor: wago, model: pfc200, scope: eq, version: 03.01.07\(13\)

Trust: 1.0

vendor: wago, model: pfc200, scope: eq, version: 03.00.39\(12\)

Trust: 1.0

vendor: pfc200, model: -, scope: eq, version: 03.00.39(12)

Trust: 0.4

vendor: pfc200, model: -, scope: eq, version: 03.01.07(13)

Trust: 0.4

vendor: pfc100, model: -, scope: eq, version: 03.00.39(12)

Trust: 0.4

sources: IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814 // IVD: d76ec9c3-0538-43bd-9a04-3266577faeac // CNVD: CNVD-2020-17497 // JVNDB: JVNDB-2019-014894 // NVD: CVE-2019-5135

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5135
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2019-014894
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-17497
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-357
value: MEDIUM

Trust: 0.6

IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814
value: MEDIUM

Trust: 0.2

IVD: d76ec9c3-0538-43bd-9a04-3266577faeac
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2019-5135
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-014894
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-17497
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: d76ec9c3-0538-43bd-9a04-3266577faeac
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-5135
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-014894
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814 // IVD: d76ec9c3-0538-43bd-9a04-3266577faeac // CNVD: CNVD-2020-17497 // JVNDB: JVNDB-2019-014894 // CNNVD: CNNVD-202003-357 // NVD: CVE-2019-5135

PROBLEMTYPE DATA

problemtype: CWE-327

Trust: 1.0

problemtype: CWE-203

Trust: 0.8

sources: JVNDB: JVNDB-2019-014894 // NVD: CVE-2019-5135

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-357

TYPE

other

Trust: 1.0

sources: IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814 // IVD: d76ec9c3-0538-43bd-9a04-3266577faeac // CNNVD: CNNVD-202003-357

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014894

PATCH

title: PFC200 Controller, url: https://www.wago.com/us/pfc200

Trust: 0.8

title: PFC100 Controller, url: https://www.wago.com/us/pfc100

Trust: 0.8

sources: JVNDB: JVNDB-2019-014894

EXTERNAL IDS

db: NVD, id: CVE-2019-5135

Trust: 3.4

db: TALOS, id: TALOS-2019-0924

Trust: 2.4

db: CNVD, id: CNVD-2020-17497

Trust: 1.0

db: CNNVD, id: CNNVD-202003-357

Trust: 1.0

db: JVNDB, id: JVNDB-2019-014894

Trust: 0.8

db: IVD, id: F2A4A6CD-D1D6-4070-B77F-FE0839BA6814

Trust: 0.2

db: IVD, id: D76EC9C3-0538-43BD-9A04-3266577FAEAC

Trust: 0.2

sources: IVD: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814 // IVD: d76ec9c3-0538-43bd-9a04-3266577faeac // CNVD: CNVD-2020-17497 // JVNDB: JVNDB-2019-014894 // CNNVD: CNNVD-202003-357 // NVD: CVE-2019-5135

REFERENCES

url: https://talosintelligence.com/vulnerability_reports/talos-2019-0924

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2019-5135

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5135

Trust: 0.8

sources: CNVD: CNVD-2020-17497 // JVNDB: JVNDB-2019-014894 // CNNVD: CNNVD-202003-357 // NVD: CVE-2019-5135

SOURCES

db: IVD, id: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814
db: IVD, id: d76ec9c3-0538-43bd-9a04-3266577faeac
db: CNVD, id: CNVD-2020-17497
db: JVNDB, id: JVNDB-2019-014894
db: CNNVD, id: CNNVD-202003-357
db: NVD, id: CVE-2019-5135

LAST UPDATE DATE

2024-11-23T21:36:03.413000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-17497, date: 2020-03-18T00:00:00
db: JVNDB, id: JVNDB-2019-014894, date: 2020-03-26T00:00:00
db: CNNVD, id: CNNVD-202003-357, date: 2020-03-17T00:00:00
db: NVD, id: CVE-2019-5135, date: 2024-11-21T04:44:25.020

SOURCES RELEASE DATE

db: IVD, id: f2a4a6cd-d1d6-4070-b77f-fe0839ba6814, date: 2020-03-09T00:00:00
db: IVD, id: d76ec9c3-0538-43bd-9a04-3266577faeac, date: 2020-03-09T00:00:00
db: CNVD, id: CNVD-2020-17497, date: 2020-03-18T00:00:00
db: JVNDB, id: JVNDB-2019-014894, date: 2020-03-26T00:00:00
db: CNNVD, id: CNNVD-202003-357, date: 2020-03-09T00:00:00
db: NVD, id: CVE-2019-5135, date: 2020-03-11T22:27:40.253