Details of VAR-201903-0227

ID

VAR-201903-0227

CVE

CVE-2019-9744

TITLE

plural PHOENIX CONTACT FL NAT Session fixation vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-003108

DESCRIPTION

An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier. plural PHOENIX CONTACT FL NAT The product contains a session fixation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Attackers can exploit this issue to bypass certain security restrictions and perform certain unauthorized actions. This may aid in further attacks. Authorization issue vulnerabilities exist in several PHOENIX CONTACT products. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products

Trust: 1.98

sources: NVD: CVE-2019-9744 // JVNDB: JVNDB-2019-003108 // BID: 108576 // VULHUB: VHN-161179

AFFECTED PRODUCTS

vendor:	phoenixcontact	model:	fl nat smn 8tx-m-dmg	scope:	eq	version:	-	Trust: 1.0
vendor:	phoenixcontact	model:	fl nat smcs 8tx	scope:	eq	version:	-	Trust: 1.0
vendor:	phoenixcontact	model:	fl nat smn 8tx	scope:	eq	version:	-	Trust: 1.0
vendor:	phoenixcontact	model:	fl nat smn 8tx-m	scope:	eq	version:	-	Trust: 1.0
vendor:	phoenix contact	model:	fl nat smcs 8tx	scope:	-	version:	-	Trust: 0.8
vendor:	phoenix contact	model:	fl nat smn 8tx	scope:	-	version:	-	Trust: 0.8
vendor:	phoenix contact	model:	fl nat smn 8tx-m	scope:	-	version:	-	Trust: 0.8
vendor:	phoenix contact	model:	fl nat smn 8tx-m-dmg	scope:	-	version:	-	Trust: 0.8
vendor:	phoenix	model:	contact fl nat smn 8tx-m-dmg	scope:	eq	version:	0	Trust: 0.3
vendor:	phoenix	model:	contact fl nat smn 8tx-m	scope:	eq	version:	0	Trust: 0.3
vendor:	phoenix	model:	contact fl nat smn 8tx	scope:	eq	version:	0	Trust: 0.3
vendor:	phoenix	model:	contact fl nat smcs 8tx	scope:	eq	version:	0	Trust: 0.3

sources: BID: 108576 // JVNDB: JVNDB-2019-003108 // NVD: CVE-2019-9744

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-9744
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-9744
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201903-1026
value:	HIGH
Trust: 0.6
VULHUB:	VHN-161179
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-9744
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-161179
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-9744
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-161179 // JVNDB: JVNDB-2019-003108 // CNNVD: CNNVD-201903-1026 // NVD: CVE-2019-9744

PROBLEMTYPE DATA

problemtype:

CWE-384

Trust: 1.9

sources: VULHUB: VHN-161179 // JVNDB: JVNDB-2019-003108 // NVD: CVE-2019-9744

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1026

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201903-1026

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003108

PATCH

title:

VDE-2019-006

url:

https://cert.vde.com/de-de/advisories/vde-2019-006

Trust: 0.8

sources: JVNDB: JVNDB-2019-003108

EXTERNAL IDS

db:	NVD	id:	CVE-2019-9744	Trust: 2.8
db:	ICS CERT	id:	ICSA-19-155-02	Trust: 2.8
db:	BID	id:	108576	Trust: 2.0
db:	CERT@VDE	id:	VDE-2019-006	Trust: 1.7
db:	JVNDB	id:	JVNDB-2019-003108	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-1026	Trust: 0.7
db:	VULHUB	id:	VHN-161179	Trust: 0.1

sources: VULHUB: VHN-161179 // BID: 108576 // JVNDB: JVNDB-2019-003108 // CNNVD: CNNVD-201903-1026 // NVD: CVE-2019-9744

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-155-02	Trust: 2.8
url:	http://www.securityfocus.com/bid/108576	Trust: 2.3
url:	https://cert.vde.com/de-de/advisories/vde-2019-006	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9744	Trust: 1.4
url:	https://www.phoenixcontact.com/online/portal/pc	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9744	Trust: 0.8

sources: VULHUB: VHN-161179 // BID: 108576 // JVNDB: JVNDB-2019-003108 // CNNVD: CNNVD-201903-1026 // NVD: CVE-2019-9744

CREDITS

CERT@VDE, reported this vulnerability to NCCIC., working with Maxim Rupp and Phoenix Contact

Trust: 0.6

sources: CNNVD: CNNVD-201903-1026

SOURCES

db:	VULHUB	id:	VHN-161179
db:	BID	id:	108576
db:	JVNDB	id:	JVNDB-2019-003108
db:	CNNVD	id:	CNNVD-201903-1026
db:	NVD	id:	CVE-2019-9744

LAST UPDATE DATE

2024-11-23T22:37:54.722000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-161179	date:	2019-06-05T00:00:00
db:	BID	id:	108576	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-003108	date:	2019-06-07T00:00:00
db:	CNNVD	id:	CNNVD-201903-1026	date:	2019-06-10T00:00:00
db:	NVD	id:	CVE-2019-9744	date:	2024-11-21T04:52:13.277

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-161179	date:	2019-03-26T00:00:00
db:	BID	id:	108576	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-003108	date:	2019-05-10T00:00:00
db:	CNNVD	id:	CNNVD-201903-1026	date:	2019-03-26T00:00:00
db:	NVD	id:	CVE-2019-9744	date:	2019-03-26T20:29:00.837