Details of VAR-202001-1852

ID

VAR-202001-1852

CVE

CVE-2019-6854

TITLE

ClearSCADA Vulnerabilities in authentication

Trust: 0.8

sources: JVNDB: JVNDB-2019-014121

DESCRIPTION

A CWE-287: Improper Authentication vulnerability exists in a folder within EcoStruxure Geo SCADA Expert (ClearSCADA) -with initial releases before 1 January 2019- which could cause a low privilege user to delete or modify database, setting or certificate files. Those users must have access to the file system of that operating system to exploit this vulnerability. Affected versions in current support includes ClearSCADA 2017 R3, ClearSCADA 2017 R2, and ClearSCADA 2017. ClearSCADA Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Schneider Electric EcoStruxure Geo SCADA Expert (EcoStruxure Geo SCADA Expert) is a set of data acquisition and monitoring software (SCADA) from Schneider Electric (France). The folders in Schneider Electric EcoStruxure Geo SCADA Expert (ClearSCADA) are vulnerable to permission permissions and access control issues. The vulnerability stems from the lack of effective permissions and access control measures for network systems or products. No detailed vulnerability details are provided at this time. Attackers can exploit this vulnerability to delete or modify database, configuration and certificate files

Trust: 2.25

sources: NVD: CVE-2019-6854 // JVNDB: JVNDB-2019-014121 // CNVD: CNVD-2020-03775 // VULHUB: VHN-158289

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-03775

AFFECTED PRODUCTS

vendor:	schneider electric	model:	clearscada	scope:	eq	version:	2017	Trust: 1.8
vendor:	schneider electric	model:	clearscada	scope:	eq	version:	2017 r2	Trust: 0.8
vendor:	schneider electric	model:	clearscada	scope:	eq	version:	2017 r3	Trust: 0.8
vendor:	schneider	model:	electric clearscada r3	scope:	eq	version:	2017	Trust: 0.6
vendor:	schneider	model:	electric clearscada r2	scope:	eq	version:	2017	Trust: 0.6
vendor:	schneider	model:	electric clearscada	scope:	eq	version:	2017	Trust: 0.6

sources: CNVD: CNVD-2020-03775 // JVNDB: JVNDB-2019-014121 // NVD: CVE-2019-6854

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6854
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6854
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-03775
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202001-138
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201912-828
value:	HIGH
Trust: 0.6
VULHUB:	VHN-158289
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6854
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-03775
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-158289
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6854
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6854
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-03775 // VULHUB: VHN-158289 // JVNDB: JVNDB-2019-014121 // CNNVD: CNNVD-202001-138 // CNNVD: CNNVD-201912-828 // NVD: CVE-2019-6854

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.9
problemtype:	NVD-CWE-Other	Trust: 1.0

sources: VULHUB: VHN-158289 // JVNDB: JVNDB-2019-014121 // NVD: CVE-2019-6854

THREAT TYPE

local

Trust: 1.2

sources: CNNVD: CNNVD-202001-138 // CNNVD: CNNVD-201912-828

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202001-138

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014121

PATCH

title:	SEVD-2019-344-05	url:	https://www.se.com/ww/en/download/document/SEVD-2019-344-05/	Trust: 0.8
title:	Patch for Schneider Electric EcoStruxure Geo SCADA Expert Privilege Permission and Access Control Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/199157	Trust: 0.6
title:	Schneider Electric EcoStruxure Geo SCADA Expert Remediation measures for authorization problem vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=108293	Trust: 0.6
title:	Schneider Electric EcoStruxure Geo SCADA Expert Fixes for permissions and access control issues vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=105539	Trust: 0.6

sources: CNVD: CNVD-2020-03775 // JVNDB: JVNDB-2019-014121 // CNNVD: CNNVD-202001-138 // CNNVD: CNNVD-201912-828

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6854	Trust: 3.7
db:	SCHNEIDER	id:	SEVD-2019-344-05	Trust: 2.3
db:	JVNDB	id:	JVNDB-2019-014121	Trust: 0.8
db:	CNNVD	id:	CNNVD-202001-138	Trust: 0.7
db:	CNNVD	id:	CNNVD-201912-828	Trust: 0.7
db:	CNVD	id:	CNVD-2020-03775	Trust: 0.6
db:	VULHUB	id:	VHN-158289	Trust: 0.1

sources: CNVD: CNVD-2020-03775 // VULHUB: VHN-158289 // JVNDB: JVNDB-2019-014121 // CNNVD: CNNVD-202001-138 // CNNVD: CNNVD-201912-828 // NVD: CVE-2019-6854

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-6854	Trust: 2.6
url:	https://www.se.com/ww/en/download/document/sevd-2019-344-05/	Trust: 2.3
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6854	Trust: 0.8
url:	https://www.se.com/ww/en/download/document/sevd-2019-344-05	Trust: 0.6

sources: CNVD: CNVD-2020-03775 // VULHUB: VHN-158289 // JVNDB: JVNDB-2019-014121 // CNNVD: CNNVD-202001-138 // CNNVD: CNNVD-201912-828 // NVD: CVE-2019-6854

CREDITS

William Knowles(Lancaster University)

Trust: 0.6

sources: CNNVD: CNNVD-202001-138

SOURCES

db:	CNVD	id:	CNVD-2020-03775
db:	VULHUB	id:	VHN-158289
db:	JVNDB	id:	JVNDB-2019-014121
db:	CNNVD	id:	CNNVD-202001-138
db:	CNNVD	id:	CNNVD-201912-828
db:	NVD	id:	CVE-2019-6854

LAST UPDATE DATE

2024-11-23T22:55:17.926000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-03775	date:	2020-02-05T00:00:00
db:	VULHUB	id:	VHN-158289	date:	2021-11-03T00:00:00
db:	JVNDB	id:	JVNDB-2019-014121	date:	2020-02-03T00:00:00
db:	CNNVD	id:	CNNVD-202001-138	date:	2022-11-15T00:00:00
db:	CNNVD	id:	CNNVD-201912-828	date:	2021-11-05T00:00:00
db:	NVD	id:	CVE-2019-6854	date:	2024-11-21T04:47:17.170

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-03775	date:	2020-02-05T00:00:00
db:	VULHUB	id:	VHN-158289	date:	2020-01-06T00:00:00
db:	JVNDB	id:	JVNDB-2019-014121	date:	2020-02-03T00:00:00
db:	CNNVD	id:	CNNVD-202001-138	date:	2020-01-06T00:00:00
db:	CNNVD	id:	CNNVD-201912-828	date:	2019-12-10T00:00:00
db:	NVD	id:	CVE-2019-6854	date:	2020-01-06T23:15:11.033