Details of VAR-202003-0682

ID

VAR-202003-0682

CVE

CVE-2019-5160

TITLE

WAGO PFC200 Input validation error vulnerability

Trust: 1.0

sources: IVD: 8131a6f8-7d34-497e-b837-3c3a9ecd1e06 // IVD: 51ef958e-045e-4ff7-9809-f60a4d94b2b8 // CNNVD: CNNVD-202003-311

DESCRIPTION

An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node. WAGO PFC 200 There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. WAGO PFC 200 is a programmable logic controller (PLC) of the German WAGO company

Trust: 2.52

sources: NVD: CVE-2019-5160 // JVNDB: JVNDB-2019-014880 // CNVD: CNVD-2020-17492 // IVD: 8131a6f8-7d34-497e-b837-3c3a9ecd1e06 // IVD: 51ef958e-045e-4ff7-9809-f60a4d94b2b8

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.4

sources: IVD: 8131a6f8-7d34-497e-b837-3c3a9ecd1e06 // IVD: 51ef958e-045e-4ff7-9809-f60a4d94b2b8 // CNVD: CNVD-2020-17492

AFFECTED PRODUCTS

vendor:	wago	model:	pfc200	scope:	eq	version:	03.01.07(13)	Trust: 1.4
vendor:	wago	model:	pfc200	scope:	eq	version:	03.00.39(12)	Trust: 1.4
vendor:	wago	model:	pfc200	scope:	eq	version:	03.02.02(14)	Trust: 1.4
vendor:	wago	model:	pfc200	scope:	eq	version:	03.01.07\(13\)	Trust: 1.0
vendor:	wago	model:	pfc200	scope:	eq	version:	03.02.02\(14\)	Trust: 1.0
vendor:	wago	model:	pfc200	scope:	eq	version:	03.00.39\(12\)	Trust: 1.0
vendor:	pfc200	model:	-	scope:	eq	version:	03.00.39(12)	Trust: 0.4
vendor:	pfc200	model:	-	scope:	eq	version:	03.01.07(13)	Trust: 0.4
vendor:	pfc200	model:	-	scope:	eq	version:	03.02.02(14)	Trust: 0.4

sources: IVD: 8131a6f8-7d34-497e-b837-3c3a9ecd1e06 // IVD: 51ef958e-045e-4ff7-9809-f60a4d94b2b8 // CNVD: CNVD-2020-17492 // JVNDB: JVNDB-2019-014880 // NVD: CVE-2019-5160

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-5160
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2019-014880
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-17492
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202003-311
value:	CRITICAL
Trust: 0.6
IVD:	8131a6f8-7d34-497e-b837-3c3a9ecd1e06
value:	HIGH
Trust: 0.2
IVD:	51ef958e-045e-4ff7-9809-f60a4d94b2b8
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-5160
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014880
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-17492
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	8131a6f8-7d34-497e-b837-3c3a9ecd1e06
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	51ef958e-045e-4ff7-9809-f60a4d94b2b8
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-5160
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	JVNDB-2019-014880
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 8131a6f8-7d34-497e-b837-3c3a9ecd1e06 // IVD: 51ef958e-045e-4ff7-9809-f60a4d94b2b8 // CNVD: CNVD-2020-17492 // JVNDB: JVNDB-2019-014880 // CNNVD: CNNVD-202003-311 // NVD: CVE-2019-5160

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-20	Trust: 0.8

sources: JVNDB: JVNDB-2019-014880 // NVD: CVE-2019-5160

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-311

TYPE

Input validation error

Trust: 1.0

sources: IVD: 8131a6f8-7d34-497e-b837-3c3a9ecd1e06 // IVD: 51ef958e-045e-4ff7-9809-f60a4d94b2b8 // CNNVD: CNNVD-202003-311

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014880

PATCH

title:

Top Page

url:

https://www.wago.com/us/

Trust: 0.8

sources: JVNDB: JVNDB-2019-014880

EXTERNAL IDS

db:	NVD	id:	CVE-2019-5160	Trust: 3.4
db:	TALOS	id:	TALOS-2019-0953	Trust: 3.0
db:	CNVD	id:	CNVD-2020-17492	Trust: 1.0
db:	CNNVD	id:	CNNVD-202003-311	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-014880	Trust: 0.8
db:	IVD	id:	8131A6F8-7D34-497E-B837-3C3A9ECD1E06	Trust: 0.2
db:	IVD	id:	51EF958E-045E-4FF7-9809-F60A4D94B2B8	Trust: 0.2

REFERENCES

url:	https://talosintelligence.com/vulnerability_reports/talos-2019-0953	Trust: 3.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-5160	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5160	Trust: 0.8

sources: CNVD: CNVD-2020-17492 // JVNDB: JVNDB-2019-014880 // CNNVD: CNNVD-202003-311 // NVD: CVE-2019-5160

SOURCES

db:	IVD	id:	8131a6f8-7d34-497e-b837-3c3a9ecd1e06
db:	IVD	id:	51ef958e-045e-4ff7-9809-f60a4d94b2b8
db:	CNVD	id:	CNVD-2020-17492
db:	JVNDB	id:	JVNDB-2019-014880
db:	CNNVD	id:	CNNVD-202003-311
db:	NVD	id:	CVE-2019-5160

LAST UPDATE DATE

2024-11-23T22:29:41.626000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-17492	date:	2020-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-014880	date:	2020-03-25T00:00:00
db:	CNNVD	id:	CNNVD-202003-311	date:	2020-03-17T00:00:00
db:	NVD	id:	CVE-2019-5160	date:	2024-11-21T04:44:27.900

SOURCES RELEASE DATE

db:	IVD	id:	8131a6f8-7d34-497e-b837-3c3a9ecd1e06	date:	2020-03-09T00:00:00
db:	IVD	id:	51ef958e-045e-4ff7-9809-f60a4d94b2b8	date:	2020-03-09T00:00:00
db:	CNVD	id:	CNVD-2020-17492	date:	2020-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-014880	date:	2020-03-25T00:00:00
db:	CNNVD	id:	CNNVD-202003-311	date:	2020-03-09T00:00:00
db:	NVD	id:	CVE-2019-5160	date:	2020-03-11T22:27:41.097