cnvd - cnvd-2019-39583

CNVD-2019-39583

Vulnerability from cnvd - Published: 2019-11-07

Title

Rittal Chiller SK 3232-Series信任管理问题漏洞

Description

Rittal Chiller SK 3232-Series是德国威图（Rittal）公司的一款液体冷却设备。 Rittal Chiller SK 3232-Series中的Web接口存在信任管理问题漏洞，在使用Carel pCOWeb（A1.5.3版本至B1.2.4版本固件）时，攻击者可利用该漏洞影响基本操作，例如打开或关闭制冷设备。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.rittal.com

Reference

https://www.us-cert.gov/ics/advisories/icsa-19-297-01

Impacted products

Name
Rittal Chiller SK 3232-Series

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13553"
    }
  },
  "description": "Rittal Chiller SK 3232-Series\u662f\u5fb7\u56fd\u5a01\u56fe\uff08Rittal\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u6db2\u4f53\u51b7\u5374\u8bbe\u5907\u3002\n\nRittal Chiller SK 3232-Series\u4e2d\u7684Web\u63a5\u53e3\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u5728\u4f7f\u7528Carel pCOWeb\uff08A1.5.3\u7248\u672c\u81f3B1.2.4\u7248\u672c\u56fa\u4ef6\uff09\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5f71\u54cd\u57fa\u672c\u64cd\u4f5c\uff0c\u4f8b\u5982\u6253\u5f00\u6216\u5173\u95ed\u5236\u51b7\u8bbe\u5907\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.rittal.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-39583",
  "openTime": "2019-11-07",
  "products": {
    "product": "Rittal Chiller SK 3232-Series"
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01",
  "serverity": "\u9ad8",
  "submitTime": "2019-10-28",
  "title": "Rittal Chiller SK 3232-Series\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-13553 (GCVE-0-2019-13553)

Vulnerability from cvelistv5 – Published: 2019-10-25 17:46 – Updated: 2024-08-04 23:57

Summary

Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.

Severity ?

No CVSS data available.

CWE

CWE-798 - USE OF HARD-CODED CREDENTIALS CWE-798

Assigner

icscert

References

URL

Tags

	https://www.us-cert.gov/ics/advisories/icsa-19-297-01	x_refsource_MISC
	http://seclists.org/fulldisclosure/2019/Oct/45	mailing-listx_refsource_FULLDISC

Impacted products

	Vendor	Product	Version
	n/a	Rittal Chiller SK 3232-Series	Affected: Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:57:39.466Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"
          },
          {
            "name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Oct/45"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Rittal Chiller SK 3232-Series",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "USE OF HARD-CODED CREDENTIALS CWE-798",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-01T02:06:24",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"
        },
        {
          "name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Oct/45"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-13553",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Rittal Chiller SK 3232-Series",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "USE OF HARD-CODED CREDENTIALS CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"
            },
            {
              "name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Oct/45"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2019-13553",
    "datePublished": "2019-10-25T17:46:47",
    "dateReserved": "2019-07-11T00:00:00",
    "dateUpdated": "2024-08-04T23:57:39.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-39583

CVE-2019-13553 (GCVE-0-2019-13553)

Tags

Sightings

Nomenclature