CVE-2019-13553 (GCVE-0-2019-13553)

Vulnerability from cvelistv5 – Published: 2019-10-25 17:46 – Updated: 2024-08-04 23:57
VLAI?
Summary
Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.
Severity ?
No CVSS data available.
CWE
  • CWE-798 - USE OF HARD-CODED CREDENTIALS CWE-798
Assigner
References
Impacted products
Vendor Product Version
n/a Rittal Chiller SK 3232-Series Affected: Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:57:39.466Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"
          },
          {
            "name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Oct/45"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Rittal Chiller SK 3232-Series",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "USE OF HARD-CODED CREDENTIALS CWE-798",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-01T02:06:24",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"
        },
        {
          "name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Oct/45"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-13553",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Rittal Chiller SK 3232-Series",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "USE OF HARD-CODED CREDENTIALS CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"
            },
            {
              "name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Oct/45"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2019-13553",
    "datePublished": "2019-10-25T17:46:47",
    "dateReserved": "2019-07-11T00:00:00",
    "dateUpdated": "2024-08-04T23:57:39.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carel:pcoweb_firmware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"a1.5.3\", \"versionEndIncluding\": \"b1.2.4\", \"matchCriteriaId\": \"6B7B4C31-67E0-488A-9297-B8E8E158DC3E\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:rittal:chiller_sk_3232:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3FAC3FD5-429B-48BF-B519-47CAD3E718C0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \\u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.\"}, {\"lang\": \"es\", \"value\": \"Interfaz web Rittal Chiller SK 3232-Series seg\\u00fan el firmware Carel pCOWeb A1.5.3 - B1.2.4. El mecanismo de autenticaci\\u00f3n en los sistemas afectados se configura mediante credenciales codificadas. Estas credenciales podr\\u00edan permitir a los atacantes influir en las operaciones primarias de los sistemas afectados, es decir, encender y apagar la unidad de enfriamiento y establecer el punto de ajuste de temperatura.\"}]",
      "id": "CVE-2019-13553",
      "lastModified": "2024-11-21T04:25:08.087",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-10-25T18:15:10.943",
      "references": "[{\"url\": \"http://seclists.org/fulldisclosure/2019/Oct/45\", \"source\": \"ics-cert@hq.dhs.gov\"}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-19-297-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Oct/45\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-19-297-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-13553\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2019-10-25T18:15:10.943\",\"lastModified\":\"2024-11-21T04:25:08.087\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.\"},{\"lang\":\"es\",\"value\":\"Interfaz web Rittal Chiller SK 3232-Series seg\u00fan el firmware Carel pCOWeb A1.5.3 - B1.2.4. El mecanismo de autenticaci\u00f3n en los sistemas afectados se configura mediante credenciales codificadas. Estas credenciales podr\u00edan permitir a los atacantes influir en las operaciones primarias de los sistemas afectados, es decir, encender y apagar la unidad de enfriamiento y establecer el punto de ajuste de temperatura.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carel:pcoweb_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"a1.5.3\",\"versionEndIncluding\":\"b1.2.4\",\"matchCriteriaId\":\"6B7B4C31-67E0-488A-9297-B8E8E158DC3E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:rittal:chiller_sk_3232:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FAC3FD5-429B-48BF-B519-47CAD3E718C0\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2019/Oct/45\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-19-297-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Oct/45\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-19-297-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.