Details of VAR-202002-0493

ID

VAR-202002-0493

CVE

CVE-2019-18998

TITLE

ABB Asset Suite Access Control Error Vulnerability

Trust: 1.4

sources: IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // CNVD: CNVD-2020-10131 // CNNVD: CNNVD-202002-866

DESCRIPTION

Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. ABB Asset Suite Exists in a user-controlled key authentication evasion vulnerability.Information may be obtained and tampered with. ABB Asset Suite is a set of enterprise asset management solutions mainly used in the power generation industry by Swiss ABB company. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to obtain sensitive information on the website. The following products and versions are affected: ABB Asset Suite from version 9.0 to version 9.3, version 9.4 before 9.4.2.6, version 9.5 before 9.5.3.2, version 9.6.0

Trust: 2.43

sources: NVD: CVE-2019-18998 // JVNDB: JVNDB-2019-014607 // CNVD: CNVD-2020-10131 // IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // VULHUB: VHN-151400

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // CNVD: CNVD-2020-10131

AFFECTED PRODUCTS

vendor:	abb	model:	asset suite	scope:	eq	version:	9.6.0	Trust: 1.4
vendor:	hitachienergy	model:	asset suite	scope:	gte	version:	9.0.0	Trust: 1.0
vendor:	hitachienergy	model:	asset suite	scope:	gte	version:	9.5.0	Trust: 1.0
vendor:	hitachienergy	model:	asset suite	scope:	lte	version:	9.3.0	Trust: 1.0
vendor:	hitachienergy	model:	asset suite	scope:	lt	version:	9.5.3.2	Trust: 1.0
vendor:	hitachienergy	model:	asset suite	scope:	gte	version:	9.4	Trust: 1.0
vendor:	hitachienergy	model:	asset suite	scope:	lt	version:	9.4.2.6	Trust: 1.0
vendor:	hitachienergy	model:	asset suite	scope:	eq	version:	9.6.0	Trust: 1.0
vendor:	abb	model:	asset suite	scope:	eq	version:	9.0 から 9.3	Trust: 0.8
vendor:	abb	model:	asset suite	scope:	eq	version:	9.4 以上 9.4.2.6	Trust: 0.8
vendor:	abb	model:	asset suite	scope:	eq	version:	9.5 以上 9.5.3.2	Trust: 0.8
vendor:	abb	model:	asset suite	scope:	gte	version:	9.0,<=9.3	Trust: 0.6
vendor:	abb	model:	asset suite	scope:	eq	version:	9.4,<9.4.2.6	Trust: 0.6
vendor:	abb	model:	asset suite	scope:	eq	version:	9.5,<9.5.3.2	Trust: 0.6
vendor:	asset suite	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	asset suite	model:	-	scope:	eq	version:	9.6.0	Trust: 0.2

sources: IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // CNVD: CNVD-2020-10131 // JVNDB: JVNDB-2019-014607 // NVD: CVE-2019-18998

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-18998
value:	HIGH
Trust: 1.0
cybersecurity@ch.abb.com:	CVE-2019-18998
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2019-014607
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-10131
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202002-866
value:	HIGH
Trust: 0.6
IVD:	1076aff9-d046-423b-9962-e26fd72b94cc
value:	HIGH
Trust: 0.2
VULHUB:	VHN-151400
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-18998
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014607
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-10131
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:S/C:C/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	1076aff9-d046-423b-9962-e26fd72b94cc
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:S/C:C/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-151400
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-18998
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.1
Trust: 2.0
NVD:	JVNDB-2019-014607
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // CNVD: CNVD-2020-10131 // VULHUB: VHN-151400 // JVNDB: JVNDB-2019-014607 // CNNVD: CNNVD-202002-866 // NVD: CVE-2019-18998 // NVD: CVE-2019-18998

PROBLEMTYPE DATA

problemtype:	CWE-639	Trust: 1.9
problemtype:	CWE-284	Trust: 1.0

sources: VULHUB: VHN-151400 // JVNDB: JVNDB-2019-014607 // NVD: CVE-2019-18998

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-866

TYPE

Access control error

Trust: 0.8

sources: IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // CNNVD: CNNVD-202002-866

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014607

PATCH

title:	Asset Suite Direct Object Reference Vulnerability	url:	https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch	Trust: 0.8
title:	Patch for ABB Asset Suite Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/201555	Trust: 0.6
title:	ABB Asset Suite Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110228	Trust: 0.6

sources: CNVD: CNVD-2020-10131 // JVNDB: JVNDB-2019-014607 // CNNVD: CNNVD-202002-866

EXTERNAL IDS

db:	NVD	id:	CVE-2019-18998	Trust: 3.3
db:	ICS CERT	id:	ICSA-20-072-02	Trust: 2.5
db:	CNNVD	id:	CNNVD-202002-866	Trust: 0.9
db:	CNVD	id:	CNVD-2020-10131	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-014607	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.0930	Trust: 0.6
db:	NSFOCUS	id:	47150	Trust: 0.6
db:	IVD	id:	1076AFF9-D046-423B-9962-E26FD72B94CC	Trust: 0.2
db:	VULHUB	id:	VHN-151400	Trust: 0.1

sources: IVD: 1076aff9-d046-423b-9962-e26fd72b94cc // CNVD: CNVD-2020-10131 // VULHUB: VHN-151400 // JVNDB: JVNDB-2019-014607 // CNNVD: CNNVD-202002-866 // NVD: CVE-2019-18998

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-072-02	Trust: 2.5
url:	https://search.abb.com/library/download.aspx?documentid=9akk107492a9962&languagecode=en&documentpartid=&action=launch	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-18998	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18998	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/47150	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0930/	Trust: 0.6
url:	https://search.abb.com/library/download.aspx?documentid=9akk107492a9962&languagecode=en&documentpartid=&action=launch	Trust: 0.1

sources: CNVD: CNVD-2020-10131 // VULHUB: VHN-151400 // JVNDB: JVNDB-2019-014607 // CNNVD: CNNVD-202002-866 // NVD: CVE-2019-18998

SOURCES

db:	IVD	id:	1076aff9-d046-423b-9962-e26fd72b94cc
db:	CNVD	id:	CNVD-2020-10131
db:	VULHUB	id:	VHN-151400
db:	JVNDB	id:	JVNDB-2019-014607
db:	CNNVD	id:	CNNVD-202002-866
db:	NVD	id:	CVE-2019-18998

LAST UPDATE DATE

2024-11-23T23:04:29.152000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-10131	date:	2020-02-18T00:00:00
db:	VULHUB	id:	VHN-151400	date:	2020-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-014607	date:	2020-03-31T00:00:00
db:	CNNVD	id:	CNNVD-202002-866	date:	2020-07-14T00:00:00
db:	NVD	id:	CVE-2019-18998	date:	2024-11-21T04:33:57.980

SOURCES RELEASE DATE

db:	IVD	id:	1076aff9-d046-423b-9962-e26fd72b94cc	date:	2020-02-17T00:00:00
db:	CNVD	id:	CNVD-2020-10131	date:	2020-02-18T00:00:00
db:	VULHUB	id:	VHN-151400	date:	2020-02-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-014607	date:	2020-03-04T00:00:00
db:	CNNVD	id:	CNNVD-202002-866	date:	2020-02-17T00:00:00
db:	NVD	id:	CVE-2019-18998	date:	2020-02-17T19:15:12.150