Details of VAR-201906-0625

ID

VAR-201906-0625

CVE

CVE-2019-12549

TITLE

plural WAGO Vulnerabilities related to the use of hard-coded credentials on product devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-005612

DESCRIPTION

WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches the embedded private key. WAGO 852-303 , 852-1305 , 852-1505 The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WAGO Industrial Managed Switches 852-303, etc. are all industrial managed switches from German WAGO company. WAGO Industrial Managed Switches 852-303 versions prior to 1.2.2.S0, 852-1305 versions prior to 1.1.6.S0 and 852-1505 versions prior to 1.1.5.S0 have vulnerabilities in trust management issues that originated from the use of the program Hardcoded SSH key. Attackers can use this vulnerability to interrupt communication or affect managed switches. Successful attacks can allow a remote attacker to gain unauthorized access to the vulnerable device. 852-303 prior to version 1.2.2.S0 are vulnerable. 852-1305 prior to version 1.1.6.S0 are vulnerable. 852-1505 prior to version 1.1.5.S0 are vulnerable

Trust: 2.52

sources: NVD: CVE-2019-12549 // JVNDB: JVNDB-2019-005612 // CNVD: CNVD-2020-36950 // BID: 108759 // VULMON: CVE-2019-12549

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-36950

AFFECTED PRODUCTS

vendor:	wago	model:	852-1505	scope:	lt	version:	1.1.5.s0	Trust: 1.0
vendor:	wago	model:	852-1305	scope:	lt	version:	1.1.6.s0	Trust: 1.0
vendor:	wago	model:	852-303	scope:	lt	version:	1.2.2.s0	Trust: 1.0
vendor:	wago	model:	852-1305	scope:	-	version:	-	Trust: 0.8
vendor:	wago	model:	852-1505	scope:	-	version:	-	Trust: 0.8
vendor:	wago	model:	852-303	scope:	-	version:	-	Trust: 0.8
vendor:	wago	model:	industrial managed switches <1.2.2.s0	scope:	eq	version:	852-303	Trust: 0.6
vendor:	wago	model:	industrial managed switches <1.1.6.s0	scope:	eq	version:	852-1305	Trust: 0.6
vendor:	wago	model:	industrial managed switches <1.1.5.s0	scope:	eq	version:	852-1505	Trust: 0.6
vendor:	wago	model:	industrial managed switches 1.2.1.s0	scope:	eq	version:	852-303	Trust: 0.3
vendor:	wago	model:	industrial managed switches 1.1.4.s0	scope:	eq	version:	852-1505	Trust: 0.3
vendor:	wago	model:	industrial managed switches 1.1.5.s0	scope:	eq	version:	852-1305	Trust: 0.3
vendor:	wago	model:	industrial managed switches 1.2.2.s0	scope:	ne	version:	852-303	Trust: 0.3
vendor:	wago	model:	industrial managed switches 1.1.5.s0	scope:	ne	version:	852-1505	Trust: 0.3
vendor:	wago	model:	industrial managed switches 1.1.6.s0	scope:	ne	version:	852-1305	Trust: 0.3

sources: CNVD: CNVD-2020-36950 // BID: 108759 // JVNDB: JVNDB-2019-005612 // NVD: CVE-2019-12549

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-12549
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-12549
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-36950
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201906-591
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2019-12549
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-12549
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-36950
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-12549
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2020-36950 // VULMON: CVE-2019-12549 // JVNDB: JVNDB-2019-005612 // CNNVD: CNNVD-201906-591 // NVD: CVE-2019-12549

PROBLEMTYPE DATA

problemtype:

CWE-798

Trust: 1.8

sources: JVNDB: JVNDB-2019-005612 // NVD: CVE-2019-12549

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-591

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-591

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005612

PATCH

title:	Top Page	url:	https://www.wago.com/us/	Trust: 0.8
title:	Patch for WAGO Industrial Managed Switches 852-303, 852-1305, and 852-1505 Trust Management Issue Vulnerability (CNVD-2020-36950)	url:	https://www.cnvd.org.cn/patchInfo/show/225031	Trust: 0.6
title:	WAGO Industrial Managed Switches 852-303 , 852-1305 and 852-1505 Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93810	Trust: 0.6

sources: CNVD: CNVD-2020-36950 // JVNDB: JVNDB-2019-005612 // CNNVD: CNNVD-201906-591

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-19-164-02	Trust: 3.4
db:	NVD	id:	CVE-2019-12549	Trust: 3.4
db:	CERT@VDE	id:	VDE-2019-013	Trust: 1.7
db:	BID	id:	108759	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-005612	Trust: 0.8
db:	CNVD	id:	CNVD-2020-36950	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2117	Trust: 0.6
db:	CNNVD	id:	CNNVD-201906-591	Trust: 0.6
db:	VULMON	id:	CVE-2019-12549	Trust: 0.1

sources: CNVD: CNVD-2020-36950 // VULMON: CVE-2019-12549 // BID: 108759 // JVNDB: JVNDB-2019-005612 // CNNVD: CNNVD-201906-591 // NVD: CVE-2019-12549

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-164-02	Trust: 3.5
url:	https://cert.vde.com/en-us/advisories/vde-2019-013	Trust: 1.7
url:	https://www.wago.com/us/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12549	Trust: 1.4
url:	http://www.wago.com/	Trust: 0.9
url:	https://www.wago.com/global/download/public/sa-sys-2019-002.pdf/sa-sys-2019-002.pdf	Trust: 0.9
url:	https://www.wago.com/global/download/public/sa-sys-2019-003.pdf/sa-sys-2019-003.pdf	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12549	Trust: 0.8
url:	https://www.securityfocus.com/bid/108759	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/esb-2019.2117/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2020-36950 // VULMON: CVE-2019-12549 // BID: 108759 // JVNDB: JVNDB-2019-005612 // CNNVD: CNNVD-201906-591 // NVD: CVE-2019-12549

CREDITS

T. Weber of SEC Consult Vulnerability Lab reported these vulnerabilities to CERT@VDE.,Weber of SEC Consult Vulnerability Lab reported these vulnerabilities to CERT,T. Weber of SEC Consult Vulnerability Lab.

Trust: 0.6

sources: CNNVD: CNNVD-201906-591

SOURCES

db:	CNVD	id:	CNVD-2020-36950
db:	VULMON	id:	CVE-2019-12549
db:	BID	id:	108759
db:	JVNDB	id:	JVNDB-2019-005612
db:	CNNVD	id:	CNNVD-201906-591
db:	NVD	id:	CVE-2019-12549

LAST UPDATE DATE

2024-11-23T20:40:43.410000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-36950	date:	2020-07-09T00:00:00
db:	VULMON	id:	CVE-2019-12549	date:	2019-06-19T00:00:00
db:	BID	id:	108759	date:	2019-06-13T00:00:00
db:	JVNDB	id:	JVNDB-2019-005612	date:	2019-06-24T00:00:00
db:	CNNVD	id:	CNNVD-201906-591	date:	2019-06-20T00:00:00
db:	NVD	id:	CVE-2019-12549	date:	2024-11-21T04:23:04.737

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-36950	date:	2020-07-09T00:00:00
db:	VULMON	id:	CVE-2019-12549	date:	2019-06-17T00:00:00
db:	BID	id:	108759	date:	2019-06-13T00:00:00
db:	JVNDB	id:	JVNDB-2019-005612	date:	2019-06-24T00:00:00
db:	CNNVD	id:	CNNVD-201906-591	date:	2019-06-13T00:00:00
db:	NVD	id:	CVE-2019-12549	date:	2019-06-17T17:15:11.070