ID

VAR-201910-1187


CVE

CVE-2019-13549


TITLE

Rittal Chiller SK 3232-Series Improper access control vulnerability

Trust: 0.8

sources: IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3 // CNVD: CNVD-2019-38069

DESCRIPTION

The Rittal Chiller SK 3232-Series web interface is built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication. Carel pCOWeb Firmware is vulnerable to a lack of authentication for critical functions. Information may be tampered with. Rittal Chiller SK 3232-Series is a liquid cooling device from Rittal.

Trust: 2.34

sources: NVD: CVE-2019-13549 // JVNDB: JVNDB-2019-011385 // CNVD: CNVD-2019-38069 // IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3 // CNVD: CNVD-2019-38069

AFFECTED PRODUCTS

vendor: carel, model: pcoweb, scope: gte, version: a1.5.3

Trust: 1.0

vendor: carel, model: pcoweb, scope: lte, version: b1.2.4

Trust: 1.0

vendor: carel industries s p a, model: pcoweb card, scope: -, version: -

Trust: 0.8

vendor: rittal, model: chiller sk 3232-series, scope: -, version: -

Trust: 0.6

vendor: carel, model: pcoweb, scope: eq, version: b1.2.4

Trust: 0.6

vendor: carel, model: pcoweb, scope: eq, version: a1.5.3

Trust: 0.6

vendor: carel, model: pcoweb, scope: eq, version: a2.0.4

Trust: 0.6

vendor: rittal, model: chiller sk 3232, scope: eq, version: -

Trust: 0.6

vendor: pcoweb, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3 // CNVD: CNVD-2019-38069 // JVNDB: JVNDB-2019-011385 // CNNVD: CNNVD-201910-1481 // NVD: CVE-2019-13549

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13549
value: HIGH

Trust: 1.0

NVD: CVE-2019-13549
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-38069
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201910-1481
value: HIGH

Trust: 0.6

IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2019-13549
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-38069
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-13549
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-13549
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3 // CNVD: CNVD-2019-38069 // JVNDB: JVNDB-2019-011385 // CNNVD: CNNVD-201910-1481 // NVD: CVE-2019-13549

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.8

sources: JVNDB: JVNDB-2019-011385 // NVD: CVE-2019-13549

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1481

TYPE

Access control error

Trust: 0.8

sources: IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3 // CNNVD: CNNVD-201910-1481

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011385

PATCH

title: pCOWeb card, url: https://www.carel.com/bms-building-management-system-na/-/journal_content/56_INSTANCE_i4q5KIMLInKK/10191/55239

Trust: 0.8

sources: JVNDB: JVNDB-2019-011385

EXTERNAL IDS

db: NVD, id: CVE-2019-13549

Trust: 3.2

db: ICS CERT, id: ICSA-19-297-01

Trust: 3.0

db: CNVD, id: CNVD-2019-38069

Trust: 0.8

db: CNNVD, id: CNNVD-201910-1481

Trust: 0.8

db: JVNDB, id: JVNDB-2019-011385

Trust: 0.8

db: IVD, id: B9B1ABA0-4836-4D8E-AA89-E14F250C31F3

Trust: 0.2

sources: IVD: b9b1aba0-4836-4d8e-aa89-e14f250c31f3 // CNVD: CNVD-2019-38069 // JVNDB: JVNDB-2019-011385 // CNNVD: CNNVD-201910-1481 // NVD: CVE-2019-13549

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-19-297-01

Trust: 3.0

url:http://seclists.org/fulldisclosure/2019/oct/46

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-13549

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13549

Trust: 0.8

sources: CNVD: CNVD-2019-38069 // JVNDB: JVNDB-2019-011385 // CNNVD: CNNVD-201910-1481 // NVD: CVE-2019-13549

SOURCES

db: IVD, id: b9b1aba0-4836-4d8e-aa89-e14f250c31f3
db: CNVD, id: CNVD-2019-38069
db: JVNDB, id: JVNDB-2019-011385
db: CNNVD, id: CNNVD-201910-1481
db: NVD, id: CVE-2019-13549

LAST UPDATE DATE

2024-11-23T23:08:14.092000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-38069, date: 2019-10-30T00:00:00
db: JVNDB, id: JVNDB-2019-011385, date: 2019-11-06T00:00:00
db: CNNVD, id: CNNVD-201910-1481, date: 2020-02-12T00:00:00
db: NVD, id: CVE-2019-13549, date: 2024-11-21T04:25:07.587

SOURCES RELEASE DATE

db: IVD, id: b9b1aba0-4836-4d8e-aa89-e14f250c31f3, date: 2019-10-30T00:00:00
db: CNVD, id: CNVD-2019-38069, date: 2019-10-30T00:00:00
db: JVNDB, id: JVNDB-2019-011385, date: 2019-11-06T00:00:00
db: CNNVD, id: CNNVD-201910-1481, date: 2019-10-24T00:00:00
db: NVD, id: CVE-2019-13549, date: 2019-10-25T18:15:10.880