Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-6579 (GCVE-0-2019-6579)
Vulnerability from cvelistv5 – Published: 2019-04-17 13:40 – Updated: 2024-08-04 20:23
VLAI?
EPSS
Summary
A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Severity ?
No CVSS data available.
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens AG | Spectrum Power™ 4 |
Affected:
with Web Office Portal
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:23:22.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107830",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107830"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spectrum Power\u2122 4",
"vendor": "Siemens AG",
"versions": [
{
"status": "affected",
"version": "with Web Office Portal"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T15:56:28",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"name": "107830",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107830"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-6579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spectrum Power\u2122 4",
"version": {
"version_data": [
{
"version_value": "with Web Office Portal"
}
]
}
}
]
},
"vendor_name": "Siemens AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107830",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107830"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2019-6579",
"datePublished": "2019-04-17T13:40:24",
"dateReserved": "2019-01-22T00:00:00",
"dateUpdated": "2024-08-04T20:23:22.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3D40B786-1DB0-444A-86F5-C4C8785E1DE7\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado una vulnerabilidad en Spectrum Power versi\\u00f3n 4 (con Web Office Portal). Un atacante con acceso de red al servidor web en el puerto 80/TCP o 443/TCP podr\\u00eda ejecutar comandos de sistema con privilegios administrativos. La vulnerabilidad de la seguridad podr\\u00eda ser aprovechada por un atacante no identificado con acceso de red al servicio afectado. No es necesario la interacci\\u00f3n del usuario para aprvechar esta vulnerabilidad de seguridad. La operaci\\u00f3n exito de la vulnerabilidad de seguridad compromete la confidencialidad, integridad o disponibilidad del sistema destino. En el momento de la publicaci\\u00f3n de asesoramiento, no se conoc\\u00eda la operaci\\u00f3n p\\u00fablica de esta vulnerabilidad de seguridad.\"}]",
"id": "CVE-2019-6579",
"lastModified": "2024-11-21T04:46:44.550",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-04-17T14:29:03.793",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/107830\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/107830\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-6579\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2019-04-17T14:29:03.793\",\"lastModified\":\"2024-11-21T04:46:44.550\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado una vulnerabilidad en Spectrum Power versi\u00f3n 4 (con Web Office Portal). Un atacante con acceso de red al servidor web en el puerto 80/TCP o 443/TCP podr\u00eda ejecutar comandos de sistema con privilegios administrativos. La vulnerabilidad de la seguridad podr\u00eda ser aprovechada por un atacante no identificado con acceso de red al servicio afectado. No es necesario la interacci\u00f3n del usuario para aprvechar esta vulnerabilidad de seguridad. La operaci\u00f3n exito de la vulnerabilidad de seguridad compromete la confidencialidad, integridad o disponibilidad del sistema destino. En el momento de la publicaci\u00f3n de asesoramiento, no se conoc\u00eda la operaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D40B786-1DB0-444A-86F5-C4C8785E1DE7\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/107830\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/107830\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}"
}
}
CNVD-2019-12906
Vulnerability from cnvd - Published: 2019-05-05
VLAI Severity ?
Title
Siemens Spectrum Power命令注入漏洞
Description
Siemens Spectrum Power是一款为控制和监视系统的SCADA,通信和数据建模提供基本组件的系统。
Siemens Spectrum Power存在命令注入漏洞,攻击者可利用该漏洞执行操作系统命令。
Severity
高
Formal description
厂商尚未提供漏洞修复方案,请关注厂商主页更新: https://www.siemens.com/cert/advisories
Reference
https://ics-cert.us-cert.gov/advisories/ICSA-19-099-02
Impacted products
| Name | Siemens Spectrum Power 4 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-6579"
}
},
"description": "Siemens Spectrum Power\u662f\u4e00\u6b3e\u4e3a\u63a7\u5236\u548c\u76d1\u89c6\u7cfb\u7edf\u7684SCADA\uff0c\u901a\u4fe1\u548c\u6570\u636e\u5efa\u6a21\u63d0\u4f9b\u57fa\u672c\u7ec4\u4ef6\u7684\u7cfb\u7edf\u3002\n\nSiemens Spectrum Power\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002",
"discovererName": "Applied Risk",
"formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.siemens.com/cert/advisories",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2019-12906",
"openTime": "2019-05-05",
"products": {
"product": "Siemens Spectrum Power 4"
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-19-099-02",
"serverity": "\u9ad8",
"submitTime": "2019-04-10",
"title": "Siemens Spectrum Power\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2019-6579
Vulnerability from fkie_nvd - Published: 2019-04-17 14:29 - Updated: 2024-11-21 04:46
Severity ?
Summary
A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | http://www.securityfocus.com/bid/107830 | Third Party Advisory, VDB Entry | |
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/107830 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| siemens | spectrum_power_4 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3D40B786-1DB0-444A-86F5-C4C8785E1DE7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en Spectrum Power versi\u00f3n 4 (con Web Office Portal). Un atacante con acceso de red al servidor web en el puerto 80/TCP o 443/TCP podr\u00eda ejecutar comandos de sistema con privilegios administrativos. La vulnerabilidad de la seguridad podr\u00eda ser aprovechada por un atacante no identificado con acceso de red al servicio afectado. No es necesario la interacci\u00f3n del usuario para aprvechar esta vulnerabilidad de seguridad. La operaci\u00f3n exito de la vulnerabilidad de seguridad compromete la confidencialidad, integridad o disponibilidad del sistema destino. En el momento de la publicaci\u00f3n de asesoramiento, no se conoc\u00eda la operaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad."
}
],
"id": "CVE-2019-6579",
"lastModified": "2024-11-21T04:46:44.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-17T14:29:03.793",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107830"
},
{
"source": "productcert@siemens.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107830"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-WQ4C-88WR-4H4J
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI?
Details
A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Severity ?
9.8 (Critical)
{
"affected": [],
"aliases": [
"CVE-2019-6579"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-17T14:29:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.",
"id": "GHSA-wq4c-88wr-4h4j",
"modified": "2022-05-13T01:14:33Z",
"published": "2022-05-13T01:14:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6579"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107830"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
VAR-201904-0177
Vulnerability from variot - Updated: 2023-12-18 13:43A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known. Spectrum Power 4 Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SiemensSpectrumPower is a system that provides the basic components for SCADA, communication and data modeling of control and monitoring systems
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-0177",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "spectrum power 4",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": null
},
{
"model": "spectrum power 4",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "spectrum power",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "4"
},
{
"model": "spectrum power",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "4.7"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "spectrum power 4",
"version": null
}
],
"sources": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"db": "BID",
"id": "107830"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "NVD",
"id": "CVE-2019-6579"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-6579"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Applied Risk,Applied Risk reported this vulnerability to Siemens.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
],
"trust": 0.6
},
"cve": "CVE-2019-6579",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2019-6579",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-12906",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-6579",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-6579",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2019-12906",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201904-465",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954",
"trust": 0.2,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2019-6579",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known. Spectrum Power 4 Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SiemensSpectrumPower is a system that provides the basic components for SCADA, communication and data modeling of control and monitoring systems",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"db": "BID",
"id": "107830"
},
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "VULMON",
"id": "CVE-2019-6579"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-6579",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-19-099-02",
"trust": 2.4
},
{
"db": "BID",
"id": "107830",
"trust": 2.0
},
{
"db": "SIEMENS",
"id": "SSA-324467",
"trust": 2.0
},
{
"db": "CNVD",
"id": "CNVD-2019-12906",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201904-465",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2019.1222",
"trust": 0.6
},
{
"db": "IVD",
"id": "83791C2D-3285-4E41-A870-1D0A9C27C954",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2019-6579",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"db": "BID",
"id": "107830"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"id": "VAR-201904-0177",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
}
],
"trust": 1.27142857
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
}
]
},
"last_update_date": "2023-12-18T13:43:24.328000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SSA-324467",
"trust": 0.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"title": "Siemens Spectrum Power Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91293"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=734d25d8df94a8c5e8326d29effa044c"
},
{
"title": "Attack-Defense-Analysis-of-a-Vulnerable-Network",
"trust": 0.1,
"url": "https://github.com/actualsalt/attack-defense-analysis-of-a-vulnerable-network "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-264",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "NVD",
"id": "CVE-2019-6579"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/107830"
},
{
"trust": 2.0,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"trust": 1.6,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-19-099-02"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-6579"
},
{
"trust": 0.9,
"url": "http://subscriber.communications.siemens.com/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6579"
},
{
"trust": 0.8,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-099-02"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/siemens-spectrum-power-code-execution-via-os-command-injection-28975"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/78778"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"db": "BID",
"id": "107830"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"db": "BID",
"id": "107830"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-05T00:00:00",
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"date": "2019-05-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"date": "2019-04-17T00:00:00",
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"date": "2019-04-09T00:00:00",
"db": "BID",
"id": "107830"
},
{
"date": "2019-05-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"date": "2019-04-17T14:29:03.793000",
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"date": "2019-04-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-12906"
},
{
"date": "2020-10-16T00:00:00",
"db": "VULMON",
"id": "CVE-2019-6579"
},
{
"date": "2019-04-09T00:00:00",
"db": "BID",
"id": "107830"
},
{
"date": "2019-07-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003489"
},
{
"date": "2020-10-16T13:03:03.300000",
"db": "NVD",
"id": "CVE-2019-6579"
},
{
"date": "2020-10-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens Spectrum Power Command injection vulnerability",
"sources": [
{
"db": "IVD",
"id": "83791c2d-3285-4e41-a870-1d0a9c27c954"
},
{
"db": "CNVD",
"id": "CNVD-2019-12906"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control issues",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-465"
}
],
"trust": 0.6
}
}
ICSA-19-099-02
Vulnerability from csaf_cisa - Published: 2019-04-09 00:00 - Updated: 2019-04-09 00:00Summary
Siemens Spectrum Power 4.7
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of this vulnerability in versions of Spectrum Power 4 using the user-specific project enhancement (PE) Web Office Portal (WOP) are affected by an OS command injection vulnerability. The vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this vulnerability. Successful exploitation compromises confidentiality, integrity, or availability of the targeted system.
Critical infrastructure sectors
Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Exploitability
No known public exploits specifically target this vulnerability.
{
"document": {
"acknowledgments": [
{
"organization": "Applied Risk",
"summary": "reporting this vulnerability to Siemens"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of this vulnerability in versions of Spectrum Power 4 using the user-specific project enhancement (PE) Web Office Portal (WOP) are affected by an OS command injection vulnerability. The vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this vulnerability. Successful exploitation compromises confidentiality, integrity, or availability of the targeted system.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and \nsolutions, please contact the Siemens ProductCERT:\n\nhttps://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "other",
"text": "No known public exploits specifically target this vulnerability.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-19-099-02 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-099-02.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-19-099-02 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-099-02"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
},
{
"category": "external",
"summary": "SSA-496604: SSA-324467: OS Command Injection in Spectrum Power 4.7 - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/SSA-324467.txt"
}
],
"title": "Siemens Spectrum Power 4.7",
"tracking": {
"current_release_date": "2019-04-09T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-19-099-02",
"initial_release_date": "2019-04-09T00:00:00.000000Z",
"revision_history": [
{
"date": "2019-04-09T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-19-099-02 Siemens Spectrum Power 4.7"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "with Web Office Portal",
"product": {
"name": "Spectrum Power\u2122 4: with Web Office Portal",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Spectrum Power\u2122 4"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-6579",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges.",
"title": "Summary"
},
{
"category": "summary",
"text": "The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system.",
"title": "Summary"
},
{
"category": "summary",
"text": "At the time of advisory publication no public exploitation of this security vulnerability was known.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6579"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Turn off the web server or limit access to the web server by an external\nfirewall.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines to Secure Substations can be found at: https://www.siemens.com/gridsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
GSD-2019-6579
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-6579",
"description": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.",
"id": "GSD-2019-6579"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-6579"
],
"details": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.",
"id": "GSD-2019-6579",
"modified": "2023-12-13T01:23:49.750461Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-6579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spectrum Power\u2122 4",
"version": {
"version_data": [
{
"version_value": "with Web Office Portal"
}
]
}
}
]
},
"vendor_name": "Siemens AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107830",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107830"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-6579"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf",
"refsource": "MISC",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"name": "107830",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107830"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2020-10-16T13:03Z",
"publishedDate": "2019-04-17T14:29Z"
}
}
}
CERTFR-2019-AVI-151
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | SIMATIC S7-1500 Software Controller toutes versions | ||
| Siemens | N/A | SIMATIC NET PC Software toutes versions | ||
| Siemens | N/A | SINAMICS S150 V4.7 toutes versions | ||
| Siemens | N/A | SITOP UPS1600 toutes versions | ||
| Siemens | N/A | SINAMICS S120 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS G130 V5.1 toutes versions | ||
| Siemens | N/A | SITOP Manager toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime Mobile toutes versions | ||
| Siemens | N/A | SIMATIC CP343-1 Advanced toutes versions | ||
| Siemens | N/A | SIMATIC Teleservice Adapter IE Basic toutes versions | ||
| Siemens | N/A | SIMATIC HMI Comfort Panels 4" - 22" toutes versions | ||
| Siemens | N/A | SINAMICS S120 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | SIMATIC HMI Comfort Outdoor Panels 7" & 15" toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.8 toutes versions antérieures à V4.8 HF6 | ||
| Siemens | N/A | SINAMICS S150 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SINAMICS G150 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | SINAMICS G150 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SIMATIC ET 200 SP Open Controller CPU1515SP PC2 toutes versions | ||
| Siemens | N/A | SIMATIC CP443-1 Advanced toutes versions | ||
| Siemens | N/A | SINAMICS S120 V4.7 toutes versions | ||
| Siemens | N/A | Spectrum Power 4 avec Web Office Portal | ||
| Siemens | N/A | SIMATIC ET 200 Open Controller CPU 1515SPPC2 toutes versions | ||
| Siemens | N/A | SIMATIC CP443-1 OPC UA toutes versions | ||
| Siemens | N/A | SINEC-NMS toutes versions | ||
| Siemens | N/A | SIMATIC Teleservice Adapter IE Advanced toutes versions | ||
| Siemens | N/A | SINAMICS G150 V4.8 toutes versions antérieures à V4.8 HF6 | ||
| Siemens | N/A | SIMATIC RF181-EIP toutes versions | ||
| Siemens | N/A | SINAMICS G150 V4.7 toutes versions | ||
| Siemens | N/A | SIMATIC IPC DiagMonitor toutes versions | ||
| Siemens | N/A | SINAMICS S120 V4.8 toutes versions antérieures à V4.8 HF | ||
| Siemens | N/A | SINAMICS G150 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS S150 V5.1 toutes versions | ||
| Siemens | N/A | SIMATIC Teleservice Adapter IE Standard toutes versions | ||
| Siemens | N/A | SINEMA Remote Connect Server toutes versions antérieures à V2 | ||
| Siemens | N/A | SIMOCODE pro V PN toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime HSP Comfort toutes versions | ||
| Siemens | N/A | SIMATIC CP443-1 toutes versions | ||
| Siemens | N/A | SIMOCODE pro V EIP toutes versions | ||
| Siemens | N/A | SINAMICS S150 V4.8 toutes versions antérieures à V4.8 HF6 | ||
| Siemens | N/A | SINAMICS S120 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SIMOCODE pro V EIP toutes versions antérieures à V1.0.2 | ||
| Siemens | N/A | SIMATIC S7-400 PN (incl. F) V6 et antérieures toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime Comfort toutes versions | ||
| Siemens | N/A | SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 et KTP900F toutes versions | ||
| Siemens | N/A | RUGGEDCOM ROX II toutes versions antérieures à V2.13.0 | ||
| Siemens | N/A | SIMATIC ET 200 SP Open Controller CPU1515SP PC toutes versions antérieures à V2.1.6 | ||
| Siemens | N/A | SITOP PSU8600 toutes versions | ||
| Siemens | N/A | SIMATIC WinCC OA toutes versions antérieures à V3.15-P018 | ||
| Siemens | N/A | SINAMICS S120 V5.1 toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SIAMTIC RF185C toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.7 toutes versions | ||
| Siemens | N/A | TeleControl Server Basic toutes versions | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller toutes versions V2.5 et postérieures | ||
| Siemens | N/A | SIMATIC WinAC RTX 2010 toutes versions | ||
| Siemens | N/A | SIMATIC S7-1500 CPU family toutes versions V2.5 et postérieures | ||
| Siemens | N/A | SIMATIC RF188C toutes versions | ||
| Siemens | N/A | SIMATIC RF186C toutes versions | ||
| Siemens | N/A | SINAMICS G130 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | CP1616 toutes versions | ||
| Siemens | N/A | SINEMA Server toutes versions | ||
| Siemens | N/A | SINAMICS S150 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS S210 V5.1 toutes versions | ||
| Siemens | N/A | SINAMICS S150 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | SINUMERIK OPC UA Server toutes versions antérieures à V2.1 | ||
| Siemens | N/A | SIMATIC S7-1500 CPU family toutes versions | ||
| Siemens | N/A | CP1604 toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS S210 V5.1 SP1 toutes versions | ||
| Siemens | N/A | TIM 1531 IRC toutes versions | ||
| Siemens | N/A | SIMATIC RF600R toutes versions | ||
| Siemens | N/A | SINAMICS G150 V5.1 toutes versions | ||
| Siemens | N/A | SIMATIC RF182C toutes versions | ||
| Siemens | N/A | SIMATIC S7-300 CPU family toutes versions antérieures à V3.X.16 | ||
| Siemens | N/A | SIMATIC S7-400 PN/DP V7 (incl. F) toutes versions | ||
| Siemens | N/A | SINEMA Remote Connect Client toutes versions antérieures à V2.0 HF1 | ||
| Siemens | N/A | SIMATIC S7-PLCSIM Advanced toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime Advanced toutes versions |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SIMATIC S7-1500 Software Controller toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC NET PC Software toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SITOP UPS1600 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SITOP Manager toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Mobile toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP343-1 Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Teleservice Adapter IE Basic toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Panels 4\" - 22\" toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\" toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200 SP Open Controller CPU1515SP PC2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP443-1 Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Spectrum Power 4 avec Web Office Portal",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200 Open Controller CPU 1515SPPC2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP443-1 OPC UA toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEC-NMS toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Teleservice Adapter IE Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF181-EIP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC IPC DiagMonitor toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Teleservice Adapter IE Standard toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Remote Connect Server toutes versions ant\u00e9rieures \u00e0 V2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOCODE pro V PN toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime HSP Comfort toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP443-1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOCODE pro V EIP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOCODE pro V EIP toutes versions ant\u00e9rieures \u00e0 V1.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN (incl. F) V6 et ant\u00e9rieures toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Comfort toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 et KTP900F toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RUGGEDCOM ROX II toutes versions ant\u00e9rieures \u00e0 V2.13.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200 SP Open Controller CPU1515SP PC toutes versions ant\u00e9rieures \u00e0 V2.1.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SITOP PSU8600 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA toutes versions ant\u00e9rieures \u00e0 V3.15-P018",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIAMTIC RF185C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TeleControl Server Basic toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller toutes versions V2.5 et post\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinAC RTX 2010 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 CPU family toutes versions V2.5 et post\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF188C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF186C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "CP1616 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Server toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S210 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINUMERIK OPC UA Server toutes versions ant\u00e9rieures \u00e0 V2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 CPU family toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "CP1604 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S210 V5.1 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIM 1531 IRC toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF600R toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF182C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-300 CPU family toutes versions ant\u00e9rieures \u00e0 V3.X.16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN/DP V7 (incl. F) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Remote Connect Client toutes versions ant\u00e9rieures \u00e0 V2.0 HF1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-PLCSIM Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-6579",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6579"
},
{
"name": "CVE-2019-6575",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6575"
},
{
"name": "CVE-2019-6568",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6568"
},
{
"name": "CVE-2018-5380",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5380"
},
{
"name": "CVE-2017-12741",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12741"
},
{
"name": "CVE-2018-5381",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5381"
},
{
"name": "CVE-2018-14618",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14618"
},
{
"name": "CVE-2019-3822",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3822"
},
{
"name": "CVE-2018-5379",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5379"
},
{
"name": "CVE-2018-16890",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16890"
},
{
"name": "CVE-2019-6570",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6570"
}
],
"links": [],
"reference": "CERTFR-2019-AVI-151",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-04-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "SCADA Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-436177 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-480230 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480230.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-141614 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-141614.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-324467 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-451142 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-307392 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-307392.pdf"
}
]
}
CERTFR-2019-AVI-151
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | SIMATIC S7-1500 Software Controller toutes versions | ||
| Siemens | N/A | SIMATIC NET PC Software toutes versions | ||
| Siemens | N/A | SINAMICS S150 V4.7 toutes versions | ||
| Siemens | N/A | SITOP UPS1600 toutes versions | ||
| Siemens | N/A | SINAMICS S120 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS G130 V5.1 toutes versions | ||
| Siemens | N/A | SITOP Manager toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime Mobile toutes versions | ||
| Siemens | N/A | SIMATIC CP343-1 Advanced toutes versions | ||
| Siemens | N/A | SIMATIC Teleservice Adapter IE Basic toutes versions | ||
| Siemens | N/A | SIMATIC HMI Comfort Panels 4" - 22" toutes versions | ||
| Siemens | N/A | SINAMICS S120 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | SIMATIC HMI Comfort Outdoor Panels 7" & 15" toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.8 toutes versions antérieures à V4.8 HF6 | ||
| Siemens | N/A | SINAMICS S150 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SINAMICS G150 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | SINAMICS G150 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SIMATIC ET 200 SP Open Controller CPU1515SP PC2 toutes versions | ||
| Siemens | N/A | SIMATIC CP443-1 Advanced toutes versions | ||
| Siemens | N/A | SINAMICS S120 V4.7 toutes versions | ||
| Siemens | N/A | Spectrum Power 4 avec Web Office Portal | ||
| Siemens | N/A | SIMATIC ET 200 Open Controller CPU 1515SPPC2 toutes versions | ||
| Siemens | N/A | SIMATIC CP443-1 OPC UA toutes versions | ||
| Siemens | N/A | SINEC-NMS toutes versions | ||
| Siemens | N/A | SIMATIC Teleservice Adapter IE Advanced toutes versions | ||
| Siemens | N/A | SINAMICS G150 V4.8 toutes versions antérieures à V4.8 HF6 | ||
| Siemens | N/A | SIMATIC RF181-EIP toutes versions | ||
| Siemens | N/A | SINAMICS G150 V4.7 toutes versions | ||
| Siemens | N/A | SIMATIC IPC DiagMonitor toutes versions | ||
| Siemens | N/A | SINAMICS S120 V4.8 toutes versions antérieures à V4.8 HF | ||
| Siemens | N/A | SINAMICS G150 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS S150 V5.1 toutes versions | ||
| Siemens | N/A | SIMATIC Teleservice Adapter IE Standard toutes versions | ||
| Siemens | N/A | SINEMA Remote Connect Server toutes versions antérieures à V2 | ||
| Siemens | N/A | SIMOCODE pro V PN toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime HSP Comfort toutes versions | ||
| Siemens | N/A | SIMATIC CP443-1 toutes versions | ||
| Siemens | N/A | SIMOCODE pro V EIP toutes versions | ||
| Siemens | N/A | SINAMICS S150 V4.8 toutes versions antérieures à V4.8 HF6 | ||
| Siemens | N/A | SINAMICS S120 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SIMOCODE pro V EIP toutes versions antérieures à V1.0.2 | ||
| Siemens | N/A | SIMATIC S7-400 PN (incl. F) V6 et antérieures toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime Comfort toutes versions | ||
| Siemens | N/A | SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 et KTP900F toutes versions | ||
| Siemens | N/A | RUGGEDCOM ROX II toutes versions antérieures à V2.13.0 | ||
| Siemens | N/A | SIMATIC ET 200 SP Open Controller CPU1515SP PC toutes versions antérieures à V2.1.6 | ||
| Siemens | N/A | SITOP PSU8600 toutes versions | ||
| Siemens | N/A | SIMATIC WinCC OA toutes versions antérieures à V3.15-P018 | ||
| Siemens | N/A | SINAMICS S120 V5.1 toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.7 SP1 toutes versions | ||
| Siemens | N/A | SIAMTIC RF185C toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.7 toutes versions | ||
| Siemens | N/A | TeleControl Server Basic toutes versions | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller toutes versions V2.5 et postérieures | ||
| Siemens | N/A | SIMATIC WinAC RTX 2010 toutes versions | ||
| Siemens | N/A | SIMATIC S7-1500 CPU family toutes versions V2.5 et postérieures | ||
| Siemens | N/A | SIMATIC RF188C toutes versions | ||
| Siemens | N/A | SIMATIC RF186C toutes versions | ||
| Siemens | N/A | SINAMICS G130 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | CP1616 toutes versions | ||
| Siemens | N/A | SINEMA Server toutes versions | ||
| Siemens | N/A | SINAMICS S150 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS S210 V5.1 toutes versions | ||
| Siemens | N/A | SINAMICS S150 V5.1 SP1 toutes versions antérieures à V5.1 SP1 HF4 | ||
| Siemens | N/A | SINUMERIK OPC UA Server toutes versions antérieures à V2.1 | ||
| Siemens | N/A | SIMATIC S7-1500 CPU family toutes versions | ||
| Siemens | N/A | CP1604 toutes versions | ||
| Siemens | N/A | SINAMICS G130 V4.6 toutes versions | ||
| Siemens | N/A | SINAMICS S210 V5.1 SP1 toutes versions | ||
| Siemens | N/A | TIM 1531 IRC toutes versions | ||
| Siemens | N/A | SIMATIC RF600R toutes versions | ||
| Siemens | N/A | SINAMICS G150 V5.1 toutes versions | ||
| Siemens | N/A | SIMATIC RF182C toutes versions | ||
| Siemens | N/A | SIMATIC S7-300 CPU family toutes versions antérieures à V3.X.16 | ||
| Siemens | N/A | SIMATIC S7-400 PN/DP V7 (incl. F) toutes versions | ||
| Siemens | N/A | SINEMA Remote Connect Client toutes versions antérieures à V2.0 HF1 | ||
| Siemens | N/A | SIMATIC S7-PLCSIM Advanced toutes versions | ||
| Siemens | N/A | SIMATIC WinCC Runtime Advanced toutes versions |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SIMATIC S7-1500 Software Controller toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC NET PC Software toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SITOP UPS1600 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SITOP Manager toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Mobile toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP343-1 Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Teleservice Adapter IE Basic toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Panels 4\" - 22\" toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\" toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200 SP Open Controller CPU1515SP PC2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP443-1 Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Spectrum Power 4 avec Web Office Portal",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200 Open Controller CPU 1515SPPC2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP443-1 OPC UA toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEC-NMS toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Teleservice Adapter IE Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF181-EIP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC IPC DiagMonitor toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Teleservice Adapter IE Standard toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Remote Connect Server toutes versions ant\u00e9rieures \u00e0 V2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOCODE pro V PN toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime HSP Comfort toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP443-1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOCODE pro V EIP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.8 toutes versions ant\u00e9rieures \u00e0 V4.8 HF6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOCODE pro V EIP toutes versions ant\u00e9rieures \u00e0 V1.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN (incl. F) V6 et ant\u00e9rieures toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Comfort toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 et KTP900F toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RUGGEDCOM ROX II toutes versions ant\u00e9rieures \u00e0 V2.13.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200 SP Open Controller CPU1515SP PC toutes versions ant\u00e9rieures \u00e0 V2.1.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SITOP PSU8600 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA toutes versions ant\u00e9rieures \u00e0 V3.15-P018",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S120 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.7 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIAMTIC RF185C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.7 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TeleControl Server Basic toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller toutes versions V2.5 et post\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinAC RTX 2010 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 CPU family toutes versions V2.5 et post\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF188C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF186C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "CP1616 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Server toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S210 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S150 V5.1 SP1 toutes versions ant\u00e9rieures \u00e0 V5.1 SP1 HF4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINUMERIK OPC UA Server toutes versions ant\u00e9rieures \u00e0 V2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 CPU family toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "CP1604 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G130 V4.6 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS S210 V5.1 SP1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIM 1531 IRC toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF600R toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS G150 V5.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF182C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-300 CPU family toutes versions ant\u00e9rieures \u00e0 V3.X.16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN/DP V7 (incl. F) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Remote Connect Client toutes versions ant\u00e9rieures \u00e0 V2.0 HF1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-PLCSIM Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Advanced toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-6579",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6579"
},
{
"name": "CVE-2019-6575",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6575"
},
{
"name": "CVE-2019-6568",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6568"
},
{
"name": "CVE-2018-5380",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5380"
},
{
"name": "CVE-2017-12741",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12741"
},
{
"name": "CVE-2018-5381",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5381"
},
{
"name": "CVE-2018-14618",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14618"
},
{
"name": "CVE-2019-3822",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3822"
},
{
"name": "CVE-2018-5379",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5379"
},
{
"name": "CVE-2018-16890",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16890"
},
{
"name": "CVE-2019-6570",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6570"
}
],
"links": [],
"reference": "CERTFR-2019-AVI-151",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-04-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "SCADA Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-436177 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-480230 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480230.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-141614 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-141614.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-324467 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-451142 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-307392 du 09 avril 2019",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-307392.pdf"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…