ID

VAR-201906-0585


CVE

CVE-2019-12777


TITLE

Permission vulnerabilities in multiple ENTTEC products

Trust: 0.8

sources: JVNDB: JVNDB-2019-005346

DESCRIPTION

An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They replace secure and protected directory permissions (set as default by the underlying operating system) with highly insecure read, write, and execute directory permissions for all users. By default, /usr/local and all of its subdirectories should have permissions set to only allow non-privileged users to read and execute from the tree structure, and to deny users from creating or editing files in this location. The ENTTEC firmware startup script permits all users to read, write, and execute (rwxrwxrwx) from the /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin/ directories. Multiple ENTTEC products contain a permission vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). ENTTEC Datagate MK2 and the other affected devices are all products of the Australian company ENTTEC. ENTTEC Datagate MK2 is a lighting controller. ENTTEC Storm 24 is an Ethernet to DMX512 converter. ENTTEC Pixelator is a pixel controller. Authorization issue vulnerabilities exist in several ENTTEC products. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products.

Trust: 1.71

sources: NVD: CVE-2019-12777 // JVNDB: JVNDB-2019-005346 // VULHUB: VHN-144557

AFFECTED PRODUCTS

vendor: enttec, model: storm 24, scope: eq, version: 70044

Trust: 1.0

vendor: enttec, model: pixelator, scope: eq, version: 70044

Trust: 1.0

vendor: enttec, model: e-streamer mk2, scope: eq, version: 70044

Trust: 1.0

vendor: enttec, model: datagate mk2, scope: eq, version: 70044

Trust: 1.0

vendor: enttec, model: datagate mk2, scope: eq, version: 70044_update_05032019-482

Trust: 0.8

vendor: enttec, model: e-streamer mk2, scope: eq, version: 70044_update_05032019-482

Trust: 0.8

vendor: enttec, model: pixelator, scope: eq, version: 70044_update_05032019-482

Trust: 0.8

vendor: enttec, model: storm 24, scope: eq, version: 70044_update_05032019-482

Trust: 0.8

sources: JVNDB: JVNDB-2019-005346 // NVD: CVE-2019-12777

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12777
value: HIGH

Trust: 1.0

NVD: CVE-2019-12777
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-303
value: HIGH

Trust: 0.6

VULHUB: VHN-144557
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12777
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144557
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12777
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-144557 // JVNDB: JVNDB-2019-005346 // CNNVD: CNNVD-201906-303 // NVD: CVE-2019-12777

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.1

problemtype:CWE-275

Trust: 0.9

sources: VULHUB: VHN-144557 // JVNDB: JVNDB-2019-005346 // NVD: CVE-2019-12777

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201906-303

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201906-303

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005346

PATCH

title: Datagate MK2, url: https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/advanced-lighting-data-control/

Trust: 0.8

title: Pixelator, url: https://www.enttec.com.au/product/controls/addressable-led-pixel-control/ethernet-to-pixel-converter/

Trust: 0.8

title: Storm 24, url: https://www.enttec.com.au/product/network-and-distribution/dmx512-conversion/ethernet-to-dmx-converter/

Trust: 0.8

title: E-Streamer Mk2, url: https://www.enttec.com.au/product/playback/lighting-show-recorder/advanced-show-recorder/

Trust: 0.8

sources: JVNDB: JVNDB-2019-005346

EXTERNAL IDS

db: NVD, id: CVE-2019-12777

Trust: 2.5

db: JVNDB, id: JVNDB-2019-005346

Trust: 0.8

db: CNNVD, id: CNNVD-201906-303

Trust: 0.7

db: ICS CERT, id: ICSA-20-177-01

Trust: 0.6

db: AUSCERT, id: ESB-2020.2211

Trust: 0.6

db: VULHUB, id: VHN-144557

Trust: 0.1

sources: VULHUB: VHN-144557 // JVNDB: JVNDB-2019-005346 // CNNVD: CNNVD-201906-303 // NVD: CVE-2019-12777

REFERENCES

url:https://www.mogozobo.com/?p=3476

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-12777

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12777

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-177-01

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-177-01

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2211/

Trust: 0.6

sources: VULHUB: VHN-144557 // JVNDB: JVNDB-2019-005346 // CNNVD: CNNVD-201906-303 // NVD: CVE-2019-12777

SOURCES

db: VULHUB, id: VHN-144557
db: JVNDB, id: JVNDB-2019-005346
db: CNNVD, id: CNNVD-201906-303
db: NVD, id: CVE-2019-12777

LAST UPDATE DATE

2024-11-23T22:06:10.945000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-144557, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-005346, date: 2019-06-19T00:00:00
db: CNNVD, id: CNNVD-201906-303, date: 2020-09-16T00:00:00
db: NVD, id: CVE-2019-12777, date: 2024-11-21T04:23:33.440

SOURCES RELEASE DATE

db: VULHUB, id: VHN-144557, date: 2019-06-07T00:00:00
db: JVNDB, id: JVNDB-2019-005346, date: 2019-06-19T00:00:00
db: CNNVD, id: CNNVD-201906-303, date: 2019-06-07T00:00:00
db: NVD, id: CVE-2019-12777, date: 2019-06-07T16:29:00.703