ID

VAR-201906-0583


CVE

CVE-2019-12775


TITLE

Access control vulnerabilities in multiple ENTTEC products

Trust: 0.8

sources: JVNDB: JVNDB-2019-005344

DESCRIPTION

An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They allow high-privileged root access by www-data via sudo without requiring appropriate access control. (Furthermore, the user account that controls the web application service is granted full access to run any system commands with elevated privilege, without the need for password authentication. Should vulnerabilities be identified and exploited within the web application, it may be possible for a threat actor to create or run high-privileged binaries or executables that are available within the operating system of the device.) Multiple ENTTEC products contain an access control vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). ENTTEC Datagate MK2 and the other products listed are all products of the Australian company ENTTEC. ENTTEC Datagate MK2 is a lighting controller. ENTTEC Storm 24 is an Ethernet to DMX512 converter. ENTTEC Pixelator is a pixel controller. An access control error vulnerability exists in several ENTTEC products. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles.

Trust: 1.71

sources: NVD: CVE-2019-12775 // JVNDB: JVNDB-2019-005344 // VULHUB: VHN-144555

AFFECTED PRODUCTS

vendor: enttec // model: storm 24 // scope: eq // version: 70044

Trust: 1.0

vendor: enttec // model: pixelator // scope: eq // version: 70044

Trust: 1.0

vendor: enttec // model: e-streamer mk2 // scope: eq // version: 70044

Trust: 1.0

vendor: enttec // model: datagate mk2 // scope: eq // version: 70044

Trust: 1.0

vendor: enttec // model: datagate mk2 // scope: eq // version: 70044_update_05032019-482

Trust: 0.8

vendor: enttec // model: e-streamer mk2 // scope: eq // version: 70044_update_05032019-482

Trust: 0.8

vendor: enttec // model: pixelator // scope: eq // version: 70044_update_05032019-482

Trust: 0.8

vendor: enttec // model: storm 24 // scope: eq // version: 70044_update_05032019-482

Trust: 0.8

sources: JVNDB: JVNDB-2019-005344 // NVD: CVE-2019-12775

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-12775
value: HIGH

Trust: 1.0

NVD: CVE-2019-12775
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-305
value: HIGH

Trust: 0.6

VULHUB: VHN-144555
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-12775
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144555
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-12775
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-144555 // JVNDB: JVNDB-2019-005344 // CNNVD: CNNVD-201906-305 // NVD: CVE-2019-12775

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-144555 // JVNDB: JVNDB-2019-005344 // NVD: CVE-2019-12775

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-305

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201906-305

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005344

PATCH

title: Datagate MK2 // url: https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/advanced-lighting-data-control/

Trust: 0.8

title: Pixelator // url: https://www.enttec.com.au/product/controls/addressable-led-pixel-control/ethernet-to-pixel-converter/

Trust: 0.8

title: Storm 24 // url: https://www.enttec.com.au/product/network-and-distribution/dmx512-conversion/ethernet-to-dmx-converter/

Trust: 0.8

title: E-Streamer Mk2 // url: https://www.enttec.com.au/product/playback/lighting-show-recorder/advanced-show-recorder/

Trust: 0.8

sources: JVNDB: JVNDB-2019-005344

EXTERNAL IDS

db: NVD // id: CVE-2019-12775

Trust: 2.5

db: JVNDB // id: JVNDB-2019-005344

Trust: 0.8

db: CNNVD // id: CNNVD-201906-305

Trust: 0.7

db: ICS CERT // id: ICSA-20-177-01

Trust: 0.6

db: AUSCERT // id: ESB-2020.2211

Trust: 0.6

db: VULHUB // id: VHN-144555

Trust: 0.1

sources: VULHUB: VHN-144555 // JVNDB: JVNDB-2019-005344 // CNNVD: CNNVD-201906-305 // NVD: CVE-2019-12775

REFERENCES

url:https://www.mogozobo.com/?p=3476

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-12775

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12775

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-177-01

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-177-01

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2211/

Trust: 0.6

sources: VULHUB: VHN-144555 // JVNDB: JVNDB-2019-005344 // CNNVD: CNNVD-201906-305 // NVD: CVE-2019-12775

SOURCES

db: VULHUB // id: VHN-144555
db: JVNDB // id: JVNDB-2019-005344
db: CNNVD // id: CNNVD-201906-305
db: NVD // id: CVE-2019-12775

LAST UPDATE DATE

2024-11-23T22:06:10.912000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-144555 // date: 2020-08-24T00:00:00
db: JVNDB // id: JVNDB-2019-005344 // date: 2019-06-19T00:00:00
db: CNNVD // id: CNNVD-201906-305 // date: 2020-09-16T00:00:00
db: NVD // id: CVE-2019-12775 // date: 2024-11-21T04:23:33.130

SOURCES RELEASE DATE

db: VULHUB // id: VHN-144555 // date: 2019-06-07T00:00:00
db: JVNDB // id: JVNDB-2019-005344 // date: 2019-06-19T00:00:00
db: CNNVD // id: CNNVD-201906-305 // date: 2019-06-07T00:00:00
db: NVD // id: CVE-2019-12775 // date: 2019-06-07T16:29:00.643