Lucene search

[email protected]CVE-2019-10922

HistoryMay 14, 2019 - 8:29 p.m.

CVE-2019-10922

2019-05-1420:29:02

CWE-306

[email protected]

web.nvd.nist.gov

cve-2019-10922

simatic

pcs 7

wincc

arbitrary code execution

network access

unauthenticated attacker

security vulnerability

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.7%

JSON

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 and newer (All versions), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 and newer (All versions). An attacker with network access to affected installations, which are configured without “Encrypted Communication”, can execute arbitrary code. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected installation. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.

Affected configurations

NVD

Node

siemenssimatic_pcs_7Range≤8.0

siemenssimatic_pcs_7Range8.1≥

siemenssimatic_winccRange≤7.2

siemenssimatic_winccRange7.3≥

CPENameOperatorVersion
siemens:simatic_pcs_7siemens simatic pcs 7le8.0
siemens:simatic_pcs_7siemens simatic pcs 7eq*
siemens:simatic_winccsiemens simatic winccle7.2
siemens:simatic_winccsiemens simatic wincceq*

CPE	Name	Operator	Version
siemens:simatic_pcs_7	siemens simatic pcs 7	le	8.0
siemens:simatic_pcs_7	siemens simatic pcs 7	eq	*
siemens:simatic_wincc	siemens simatic wincc	le	7.2
siemens:simatic_wincc	siemens simatic wincc	eq	*

CNA Affected

[
  {
    "product": "SIMATIC PCS 7 V8.0 and earlier",
    "vendor": "Siemens AG",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  },
  {
    "product": "SIMATIC PCS 7 V8.1 and newer",
    "vendor": "Siemens AG",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V7.2 and earlier",
    "vendor": "Siemens AG",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V7.3 and newer",
    "vendor": "Siemens AG",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  }
]

References

www.securityfocus.com/bid/108398

cert-portal.siemens.com/productcert/pdf/ssa-705517.pdf

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.7%

JSON

Related for CVE-2019-10922

cvelist1 prion1 nvd1 ics2