cvelistv5 - cve-2019-5185

CVE-2019-5185 (GCVE-0-2019-5185)

Vulnerability from cvelistv5 – Published: 2020-03-23 13:22 – Updated: 2024-08-04 19:47

Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=<contents of state node> using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len("/etc/config-tools/config_interfaces interface=X1 state=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.

Severity ?

No CVSS data available.

CWE

stack buffer overflow

Assigner

talos

References

URL

Tags

https://talosintelligence.com/vulnerability_repor…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Wago	Affected: WAGO PFC200 Firmware version 03.02.02(14)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:47:56.813Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Wago",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "WAGO PFC200 Firmware version 03.02.02(14)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "stack buffer overflow",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-23T13:22:52",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2019-5185",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Wago",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "WAGO PFC200 Firmware version 03.02.02(14)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "stack buffer overflow"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2019-5185",
    "datePublished": "2020-03-23T13:22:52",
    "dateReserved": "2019-01-04T00:00:00",
    "dateUpdated": "2024-08-04T19:47:56.813Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:wago:pfc200_firmware:03.02.02\\\\(14\\\\):*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"688A3248-7EAA-499D-A47C-A4D4900CDBD1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \\\"I/O-Check\\\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\\\"/etc/config-tools/config_interfaces interface=X1 state=\\\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.\"}, {\"lang\": \"es\", \"value\": \"Se presenta una vulnerabilidad de desbordamiento del b\\u00fafer de la pila explotable en la funcionalidad \\\"I/O-Check\\\" del servicio iocheckd de WAGO PFC 200. Un atacante puede enviar un paquete especialmente dise\\u00f1ado para activar el an\\u00e1lisis de este archivo cach\\u00e9. En 0x1ea28, el valor de estado extra\\u00eddo del archivo xml es usado como un argumento para /etc/config-tools/config_interfaces interface=X1 state= usando la funci\\u00f3n sprintf(). El b\\u00fafer de destino sp+0x40 es desbordado con la llamada a la funci\\u00f3n sprintf() para cualquier valor de estado que sea mayor de 512-len(\\\"/etc/config-tools/config_interfaces interface=X1 state=\\\") de longitud. M\\u00e1s tarde, en 0x1ea08 la funci\\u00f3n strcpy() es usada para copiar el contenido del b\\u00fafer de la pila que se desbord\\u00f3 sp+0x40 en sp+0x440. El b\\u00fafer sp+0x440 est\\u00e1 inmediatamente adyacente a sp+0x40 sobre la pila. Por lo tanto, no presenta terminaci\\u00f3n NULL en el b\\u00fafer sp+0x40 ya que se desbord\\u00f3 en sp+0x440. La funci\\u00f3n strcpy() resultar\\u00e1 en un acceso no v\\u00e1lido a la memoria. Un valor de estado de longitud 0x3c9 causar\\u00e1 que el servicio se bloquee.\"}]",
      "id": "CVE-2019-5185",
      "lastModified": "2024-11-21T04:44:30.733",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.4, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-03-23T14:15:13.283",
      "references": "[{\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966\", \"source\": \"talos-cna@cisco.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "talos-cna@cisco.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-5185\",\"sourceIdentifier\":\"talos-cna@cisco.com\",\"published\":\"2020-03-23T14:15:13.283\",\"lastModified\":\"2024-11-21T04:44:30.733\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \\\"I/O-Check\\\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\\\"/etc/config-tools/config_interfaces interface=X1 state=\\\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de desbordamiento del b\u00fafer de la pila explotable en la funcionalidad \\\"I/O-Check\\\" del servicio iocheckd de WAGO PFC 200. Un atacante puede enviar un paquete especialmente dise\u00f1ado para activar el an\u00e1lisis de este archivo cach\u00e9. En 0x1ea28, el valor de estado extra\u00eddo del archivo xml es usado como un argumento para /etc/config-tools/config_interfaces interface=X1 state= usando la funci\u00f3n sprintf(). El b\u00fafer de destino sp+0x40 es desbordado con la llamada a la funci\u00f3n sprintf() para cualquier valor de estado que sea mayor de 512-len(\\\"/etc/config-tools/config_interfaces interface=X1 state=\\\") de longitud. M\u00e1s tarde, en 0x1ea08 la funci\u00f3n strcpy() es usada para copiar el contenido del b\u00fafer de la pila que se desbord\u00f3 sp+0x40 en sp+0x440. El b\u00fafer sp+0x440 est\u00e1 inmediatamente adyacente a sp+0x40 sobre la pila. Por lo tanto, no presenta terminaci\u00f3n NULL en el b\u00fafer sp+0x40 ya que se desbord\u00f3 en sp+0x440. La funci\u00f3n strcpy() resultar\u00e1 en un acceso no v\u00e1lido a la memoria. Un valor de estado de longitud 0x3c9 causar\u00e1 que el servicio se bloquee.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:wago:pfc200_firmware:03.02.02\\\\(14\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"688A3248-7EAA-499D-A47C-A4D4900CDBD1\"}]}]}],\"references\":[{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966\",\"source\":\"talos-cna@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2020-16629

Vulnerability from cnvd - Published: 2020-03-10

Title

WAGO PFC 200缓冲区溢出漏洞（CNVD-2020-16629）

Description

WAGO PFC 200是德国WAGO公司的一款可编程逻辑控制器（PLC）。 WAGO PFC 200中的iocheckd服务的I/O-Check功能存在缓冲区溢出漏洞。攻击者可借助特制的xml缓存文件利用该漏洞造成拒绝服务或可能执行代码。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：

https://www.wago.com/

Reference

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966

Impacted products

Name
WAGO PFC 200

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-5185"
    }
  },
  "description": "WAGO PFC 200\u662f\u5fb7\u56fdWAGO\u516c\u53f8\u7684\u4e00\u6b3e\u53ef\u7f16\u7a0b\u903b\u8f91\u63a7\u5236\u5668\uff08PLC\uff09\u3002\n\nWAGO PFC 200\u4e2d\u7684iocheckd\u670d\u52a1\u7684I/O-Check\u529f\u80fd\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684xml\u7f13\u5b58\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u6216\u53ef\u80fd\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\n\r\nhttps://www.wago.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-16629",
  "openTime": "2020-03-10",
  "products": {
    "product": "WAGO PFC 200"
  },
  "referenceLink": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-10",
  "title": "WAGO PFC 200\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2020-16629\uff09"
}

GSD-2019-5185

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-5185

Aliases

CVE-2019-5185

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-5185",
    "description": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.",
    "id": "GSD-2019-5185"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-5185"
      ],
      "details": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.",
      "id": "GSD-2019-5185",
      "modified": "2023-12-13T01:23:55.978449Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "talos-cna@cisco.com",
        "ID": "CVE-2019-5185",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Wago",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "WAGO PFC200 Firmware version 03.02.02(14)"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "stack buffer overflow"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966",
            "refsource": "MISC",
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2019-5185"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-787"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-07-21T11:39Z",
      "publishedDate": "2020-03-23T14:15Z"
    }
  }
}

FKIE_CVE-2019-5185

Vulnerability from fkie_nvd - Published: 2020-03-23 14:15 - Updated: 2024-11-21 04:44

Severity ?

7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	talos-cna@cisco.com	https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	wago	pfc200_firmware	03.02.02\(14\)
	wago	pfc200	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*",
              "matchCriteriaId": "6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "688A3248-7EAA-499D-A47C-A4D4900CDBD1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash."
    },
    {
      "lang": "es",
      "value": "Se presenta una vulnerabilidad de desbordamiento del b\u00fafer de la pila explotable en la funcionalidad \"I/O-Check\" del servicio iocheckd de WAGO PFC 200. Un atacante puede enviar un paquete especialmente dise\u00f1ado para activar el an\u00e1lisis de este archivo cach\u00e9. En 0x1ea28, el valor de estado extra\u00eddo del archivo xml es usado como un argumento para /etc/config-tools/config_interfaces interface=X1 state= usando la funci\u00f3n sprintf(). El b\u00fafer de destino sp+0x40 es desbordado con la llamada a la funci\u00f3n sprintf() para cualquier valor de estado que sea mayor de 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") de longitud. M\u00e1s tarde, en 0x1ea08 la funci\u00f3n strcpy() es usada para copiar el contenido del b\u00fafer de la pila que se desbord\u00f3 sp+0x40 en sp+0x440. El b\u00fafer sp+0x440 est\u00e1 inmediatamente adyacente a sp+0x40 sobre la pila. Por lo tanto, no presenta terminaci\u00f3n NULL en el b\u00fafer sp+0x40 ya que se desbord\u00f3 en sp+0x440. La funci\u00f3n strcpy() resultar\u00e1 en un acceso no v\u00e1lido a la memoria. Un valor de estado de longitud 0x3c9 causar\u00e1 que el servicio se bloquee."
    }
  ],
  "id": "CVE-2019-5185",
  "lastModified": "2024-11-21T04:44:30.733",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-03-23T14:15:13.283",
  "references": [
    {
      "source": "talos-cna@cisco.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
    }
  ],
  "sourceIdentifier": "talos-cna@cisco.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-QVF9-MMGW-GR4R

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12

Details

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len("/etc/config-tools/config_interfaces interface=X1 state=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-5185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-23T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.",
  "id": "GHSA-qvf9-mmgw-gr4r",
  "modified": "2022-05-24T17:12:12Z",
  "published": "2022-05-24T17:12:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5185"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

VAR-202003-0702

Vulnerability from variot - Updated: 2023-12-18 11:58

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len("/etc/config-tools/config_interfaces interface=X1 state=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash. (DoS) It may be put into a state. WAGO PFC 200 is a programmable logic controller (PLC) from the German company WAGO

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-0702",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "pfc200",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "wago",
        "version": "03.02.02\\(14\\)"
      },
      {
        "model": "pfc200",
        "scope": null,
        "trust": 0.8,
        "vendor": "wago",
        "version": null
      },
      {
        "model": "pfc",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "wago",
        "version": "200"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "pfc200",
        "version": "03.02.02(14)"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      }
    ]
  },
  "cve": "CVE-2019-5185",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.4,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 4.4,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2019-015201",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-16629",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.0,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.0,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2019-015201",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-5185",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2019-015201",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-16629",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-380",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3",
            "trust": 0.2,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=\u003ccontents of state node\u003e using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash. (DoS) It may be put into a state. WAGO PFC 200 is a programmable logic controller (PLC) from the German company WAGO",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      }
    ],
    "trust": 2.34
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-5185",
        "trust": 3.2
      },
      {
        "db": "TALOS",
        "id": "TALOS-2019-0966",
        "trust": 3.0
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "95A5A5B2-E3A6-42CF-88BA-0C970444C3D3",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ]
  },
  "id": "VAR-202003-0702",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      }
    ],
    "trust": 1.57779658
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      },
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      }
    ]
  },
  "last_update_date": "2023-12-18T11:58:38.478000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.wago.com/us/https://www.wago.com/us/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-787",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-120",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.0,
        "url": "https://talosintelligence.com/vulnerability_reports/talos-2019-0966"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-5185"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5185"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-03-09T00:00:00",
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "date": "2020-03-10T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "date": "2020-04-15T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "date": "2020-03-23T14:15:13.283000",
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "date": "2020-03-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-03-10T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-16629"
      },
      {
        "date": "2020-04-15T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      },
      {
        "date": "2021-07-21T11:39:23.747000",
        "db": "NVD",
        "id": "CVE-2019-5185"
      },
      {
        "date": "2020-03-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "WAGO PFC 200 Classic buffer overflow vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-015201"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Buffer error",
    "sources": [
      {
        "db": "IVD",
        "id": "95a5a5b2-e3a6-42cf-88ba-0c970444c3d3"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-380"
      }
    ],
    "trust": 0.8
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-5185 (GCVE-0-2019-5185)

CNVD-2020-16629

GSD-2019-5185

FKIE_CVE-2019-5185

GHSA-QVF9-MMGW-GR4R

VAR-202003-0702

Tags

Sightings

Nomenclature