ID

VAR-201909-1552


TITLE

NApro has authentication bypass vulnerability

Trust: 0.6

sources: CNVD: CNVD-2019-32859

DESCRIPTION

NAPro is a PLC programming software developed by Nandao Technology Jiangsu Co., Ltd. NApro has an authentication bypass vulnerability. An attacker can use this vulnerability to control the PLC through modified host software and perform arbitrary operations.

Trust: 0.72

sources: CNVD: CNVD-2019-32859 // IVD: be16c128-c27f-4638-a966-f27d9085ec37

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: be16c128-c27f-4638-a966-f27d9085ec37 // CNVD: CNVD-2019-32859

AFFECTED PRODUCTS

vendor: nandao, model: technology jiangsu co. ltd.napro, scope: -, version: -

Trust: 0.6

vendor: nanda auto jiangsu, model: napro, scope: eq, version: *

Trust: 0.2

sources: IVD: be16c128-c27f-4638-a966-f27d9085ec37 // CNVD: CNVD-2019-32859

CVSS

SEVERITY

CNVD: CNVD-2019-32859
value: MEDIUM

Trust: 0.6

IVD: be16c128-c27f-4638-a966-f27d9085ec37
value: MEDIUM

Trust: 0.2

CVSSV2

CNVD: CNVD-2019-32859
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: be16c128-c27f-4638-a966-f27d9085ec37
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: be16c128-c27f-4638-a966-f27d9085ec37 // CNVD: CNVD-2019-32859

TYPE

Access verification error

Trust: 0.2

sources: IVD: be16c128-c27f-4638-a966-f27d9085ec37

PATCH

title: Authentication logic flaw in NApro full range of PLC devices, url: https://www.cnvd.org.cn/patchinfo/show/179071

Trust: 0.6

sources: CNVD: CNVD-2019-32859

EXTERNAL IDS

db: CNVD, id: CNVD-2019-32859

Trust: 0.8

db: IVD, id: BE16C128-C27F-4638-A966-F27D9085EC37

Trust: 0.2

sources: IVD: be16c128-c27f-4638-a966-f27d9085ec37 // CNVD: CNVD-2019-32859

SOURCES

db: IVD, id: be16c128-c27f-4638-a966-f27d9085ec37
db: CNVD, id: CNVD-2019-32859

LAST UPDATE DATE

2022-05-17T01:47:50.431000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-32859, date: 2019-09-25T00:00:00

SOURCES RELEASE DATE

db: IVD, id: be16c128-c27f-4638-a966-f27d9085ec37, date: 2019-09-24T00:00:00
db: CNVD, id: CNVD-2019-32859, date: 2019-10-19T00:00:00