ID

VAR-202003-0676


CVE

CVE-2019-5149


TITLE

WAGO PFC100 Resource Management Error Vulnerability

Trust: 1.0

sources: IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // CNVD: CNVD-2020-17496

DESCRIPTION

The WBM web application on firmwares prior to 03.02.02 and 03.01.07 on the WAGO PFC100 and PFC2000, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to provide high performance for all Internet applications without the penalties of Web server APIs. However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a denial of service of the entire web server. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) and version 03.02.02(14). A resource exhaustion vulnerability exists in WAGO PFC100 and PFC2000. It may result in a service interruption (DoS). WAGO PFC100 is a programmable logic controller (PLC) made by the German company WAGO. WAGO PFC100 has a resource management error vulnerability, which can be exploited by attackers to cause a denial of service.

Trust: 2.61

sources: NVD: CVE-2019-5149 // JVNDB: JVNDB-2019-014879 // CNVD: CNVD-2020-17496 // IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // VULMON: CVE-2019-5149

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.4

sources: IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // CNVD: CNVD-2020-17496

AFFECTED PRODUCTS

vendor: wago, model: pfc200, scope: eq, version: 03.01.07(13)

Trust: 1.4

vendor: wago, model: pfc200, scope: eq, version: 03.00.39(12)

Trust: 1.4

vendor: wago, model: pfc100, scope: eq, version: 03.00.39(12)

Trust: 1.4

vendor: wago, model: pfc100, scope: eq, version: 03.00.39\(12\)

Trust: 1.0

vendor: wago, model: pfc200, scope: eq, version: 03.01.07\(13\)

Trust: 1.0

vendor: wago, model: pfc100, scope: eq, version: 03.01.07\(13\)

Trust: 1.0

vendor: wago, model: pfc200, scope: eq, version: 03.00.39\(12\)

Trust: 1.0

vendor: wago, model: pfc100, scope: eq, version: 03.02.02(14)

Trust: 0.8

vendor: pfc200, model: -, scope: eq, version: 03.00.39(12)

Trust: 0.4

vendor: pfc200, model: -, scope: eq, version: 03.01.07(13)

Trust: 0.4

vendor: pfc100, model: -, scope: eq, version: 03.00.39(12)

Trust: 0.4

vendor: pfc100, model: -, scope: eq, version: 03.01.07(13)

Trust: 0.4

sources: IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // CNVD: CNVD-2020-17496 // JVNDB: JVNDB-2019-014879 // NVD: CVE-2019-5149

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5149
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-014879
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-17496
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-365
value: HIGH

Trust: 0.6

IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501
value: HIGH

Trust: 0.2

IVD: abe4ff05-654d-43a6-8d55-b27e00db4977
value: HIGH

Trust: 0.2

VULMON: CVE-2019-5149
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-5149
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-014879
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-17496
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: abe4ff05-654d-43a6-8d55-b27e00db4977
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-5149
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-014879
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // CNVD: CNVD-2020-17496 // VULMON: CVE-2019-5149 // JVNDB: JVNDB-2019-014879 // CNNVD: CNNVD-202003-365 // NVD: CVE-2019-5149

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.8

sources: JVNDB: JVNDB-2019-014879 // NVD: CVE-2019-5149

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-365

TYPE

Resource management error

Trust: 1.0

sources: IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // CNNVD: CNNVD-202003-365

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014879

PATCH

title: Top Page, url: https://www.wago.com/us/

Trust: 0.8

sources: JVNDB: JVNDB-2019-014879

EXTERNAL IDS

db: NVD, id: CVE-2019-5149

Trust: 3.5

db: TALOS, id: TALOS-2019-0939

Trust: 2.3

db: CNVD, id: CNVD-2020-17496

Trust: 1.0

db: CNNVD, id: CNNVD-202003-365

Trust: 1.0

db: TALOS, id: TALOS-2019-0953

Trust: 0.8

db: JVNDB, id: JVNDB-2019-014879

Trust: 0.8

db: IVD, id: 8C3A524C-6B85-4B7F-A3BE-1A8890B51501

Trust: 0.2

db: IVD, id: ABE4FF05-654D-43A6-8D55-B27E00DB4977

Trust: 0.2

db: VULMON, id: CVE-2019-5149

Trust: 0.1

sources: IVD: 8c3a524c-6b85-4b7f-a3be-1a8890b51501 // IVD: abe4ff05-654d-43a6-8d55-b27e00db4977 // CNVD: CNVD-2020-17496 // VULMON: CVE-2019-5149 // JVNDB: JVNDB-2019-014879 // CNNVD: CNNVD-202003-365 // NVD: CVE-2019-5149

REFERENCES

url:https://talosintelligence.com/vulnerability_reports/talos-2019-0939

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-5149

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5149

Trust: 0.8

url:https://talosintelligence.com/vulnerability_reports/talos-2019-0953

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/400.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-17496 // VULMON: CVE-2019-5149 // JVNDB: JVNDB-2019-014879 // CNNVD: CNNVD-202003-365 // NVD: CVE-2019-5149

SOURCES

db: IVD, id: 8c3a524c-6b85-4b7f-a3be-1a8890b51501
db: IVD, id: abe4ff05-654d-43a6-8d55-b27e00db4977
db: CNVD, id: CNVD-2020-17496
db: VULMON, id: CVE-2019-5149
db: JVNDB, id: JVNDB-2019-014879
db: CNNVD, id: CNNVD-202003-365
db: NVD, id: CVE-2019-5149

LAST UPDATE DATE

2024-11-23T22:29:41.589000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-17496, date: 2020-03-18T00:00:00
db: VULMON, id: CVE-2019-5149, date: 2020-03-13T00:00:00
db: JVNDB, id: JVNDB-2019-014879, date: 2020-03-25T00:00:00
db: CNNVD, id: CNNVD-202003-365, date: 2020-03-20T00:00:00
db: NVD, id: CVE-2019-5149, date: 2024-11-21T04:44:26.647

SOURCES RELEASE DATE

db: IVD, id: 8c3a524c-6b85-4b7f-a3be-1a8890b51501, date: 2020-03-09T00:00:00
db: IVD, id: abe4ff05-654d-43a6-8d55-b27e00db4977, date: 2020-03-09T00:00:00
db: CNVD, id: CNVD-2020-17496, date: 2020-03-18T00:00:00
db: VULMON, id: CVE-2019-5149, date: 2020-03-11T00:00:00
db: JVNDB, id: JVNDB-2019-014879, date: 2020-03-25T00:00:00
db: CNNVD, id: CNNVD-202003-365, date: 2020-03-09T00:00:00
db: NVD, id: CVE-2019-5149, date: 2020-03-11T22:27:40.583