ID

VAR-201906-1095


CVE

CVE-2019-10689


TITLE

UCS Software and Better Together over Ethernet Connector Authentication vulnerabilities in applications

Trust: 0.8

sources: JVNDB: JVNDB-2019-005765

DESCRIPTION

VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provide insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information. Polycom UCS software is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain sensitive information that may aid in further attacks. Polycom UCS software versions prior to 5.9.2 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2019-10689 // JVNDB: JVNDB-2019-005765 // BID: 108799

AFFECTED PRODUCTS

vendor: polycom, model: unified communications software, scope: lte, version: 5.9.2

Trust: 1.8

vendor: polycom, model: better together over ethernet connector, scope: lte, version: 3.9.1

Trust: 1.0

vendor: polycom, model: btoe connector, scope: lte, version: 3.9.1

Trust: 0.8

vendor: polycom, model: -, scope: eq, version: vvx6010

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx6000

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx5010

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx5000

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx4500

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx4110

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx4100

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx4010

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx4000

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx3500

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx3110

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx3100

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx3010

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx3000

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx2500

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx2010

Trust: 0.3

vendor: polycom, model: -, scope: eq, version: vvx1500

Trust: 0.3

vendor: polycom, model: uc software, scope: eq, version: 5.9.2

Trust: 0.3

vendor: polycom, model: uc software, scope: eq, version: 5.8.4

Trust: 0.3

vendor: polycom, model: uc software, scope: eq, version: 5.7.4

Trust: 0.3

vendor: polycom, model: uc software, scope: eq, version: 5.6.5

Trust: 0.3

vendor: polycom, model: uc software, scope: eq, version: 5.5.4

Trust: 0.3

vendor: polycom, model: uc software, scope: eq, version: 5.4.7

Trust: 0.3

vendor: polycom, model: uc software, scope: ne, version: 6.0

Trust: 0.3

vendor: polycom, model: uc software, scope: ne, version: 5.9.3

sources: BID: 108799 // JVNDB: JVNDB-2019-005765 // NVD: CVE-2019-10689

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-10689
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-10689
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-687
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-10689
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2019-10689
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2019-005765 // CNNVD: CNNVD-201906-687 // NVD: CVE-2019-10689

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2019-005765 // NVD: CVE-2019-10689

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201906-687

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201906-687

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005765

PATCH

title: SECURITY ADVISORY - Insufficient authentication resulting in information leakage on VVX products - Advisory Version 1.1
url: https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf

Trust: 0.8

title: Polycom UC Software Repair measures for information disclosure vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93879

Trust: 0.6

sources: JVNDB: JVNDB-2019-005765 // CNNVD: CNNVD-201906-687

EXTERNAL IDS

db: NVD, id: CVE-2019-10689

Trust: 2.7

db: BID, id: 108799

Trust: 1.9

db: JVNDB, id: JVNDB-2019-005765

Trust: 0.8

db: CNNVD, id: CNNVD-201906-687

Trust: 0.6

sources: BID: 108799 // JVNDB: JVNDB-2019-005765 // CNNVD: CNNVD-201906-687 // NVD: CVE-2019-10689

REFERENCES

url:https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf

Trust: 1.9

url:http://www.securityfocus.com/bid/108799

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-10689

Trust: 1.4

url:https://www.polycom.com/.html?ss=false

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10689

Trust: 0.8

sources: BID: 108799 // JVNDB: JVNDB-2019-005765 // CNNVD: CNNVD-201906-687 // NVD: CVE-2019-10689

CREDITS

Timon Hackenjos from FZI Research Center for Information Technology.

Trust: 0.9

sources: BID: 108799 // CNNVD: CNNVD-201906-687

SOURCES

db: BID, id: 108799
db: JVNDB, id: JVNDB-2019-005765
db: CNNVD, id: CNNVD-201906-687
db: NVD, id: CVE-2019-10689

LAST UPDATE DATE

2024-11-23T22:41:28.824000+00:00


SOURCES UPDATE DATE

db: BID, id: 108799, date: 2019-06-17T00:00:00
db: JVNDB, id: JVNDB-2019-005765, date: 2019-06-28T00:00:00
db: CNNVD, id: CNNVD-201906-687, date: 2019-07-05T00:00:00
db: NVD, id: CVE-2019-10689, date: 2024-11-21T04:19:45.497

SOURCES RELEASE DATE

db: BID, id: 108799, date: 2019-06-17T00:00:00
db: JVNDB, id: JVNDB-2019-005765, date: 2019-06-28T00:00:00
db: CNNVD, id: CNNVD-201906-687, date: 2019-06-17T00:00:00
db: NVD, id: CVE-2019-10689, date: 2019-06-24T22:15:08.960