Details of VAR-202003-0681

ID

VAR-202003-0681

CVE

CVE-2019-5159

TITLE

WAGO e!COCKPIT Input validation vulnerabilities in automation software

Trust: 0.8

sources: JVNDB: JVNDB-2019-014924

DESCRIPTION

An exploitable improper input validation vulnerability exists in the firmware update functionality of WAGO e!COCKPIT automation software v1.6.0.7. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers as a part of executing a firmware update, potentially resulting in code execution. An attacker can create a malicious firmware update package file using any zip utility. The user must initiate a firmware update through e!COCKPIT and choose the malicious wup file using the file browser to trigger the vulnerability. WAGO e!COCKPIT Automation software contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. WAGO e!COCKPIT is a set of integrated development environment software of German WAGO company. The software is mainly used for hardware configuration, programming and simulation

Trust: 2.52

sources: NVD: CVE-2019-5159 // JVNDB: JVNDB-2019-014924 // CNVD: CNVD-2020-17493 // IVD: e5a064c3-9814-4cc8-9126-052d12254488 // IVD: 9d1001e0-8ba0-4516-a748-c7974f5f3c44

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.4

sources: IVD: e5a064c3-9814-4cc8-9126-052d12254488 // IVD: 9d1001e0-8ba0-4516-a748-c7974f5f3c44 // CNVD: CNVD-2020-17493

AFFECTED PRODUCTS

vendor:	wago	model:	e!cockpit	scope:	eq	version:	1.6.0.7	Trust: 1.4
vendor:	wago	model:	e\!cockpit	scope:	eq	version:	1.6.0.7	Trust: 1.0
vendor:	e cockpit	model:	-	scope:	eq	version:	1.6.0.7	Trust: 0.4

sources: IVD: e5a064c3-9814-4cc8-9126-052d12254488 // IVD: 9d1001e0-8ba0-4516-a748-c7974f5f3c44 // CNVD: CNVD-2020-17493 // JVNDB: JVNDB-2019-014924 // NVD: CVE-2019-5159

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-5159
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2019-014924
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-17493
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202003-374
value:	HIGH
Trust: 0.6
IVD:	e5a064c3-9814-4cc8-9126-052d12254488
value:	HIGH
Trust: 0.2
IVD:	9d1001e0-8ba0-4516-a748-c7974f5f3c44
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-5159
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014924
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-17493
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e5a064c3-9814-4cc8-9126-052d12254488
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	9d1001e0-8ba0-4516-a748-c7974f5f3c44
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-5159
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2019-014924
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: e5a064c3-9814-4cc8-9126-052d12254488 // IVD: 9d1001e0-8ba0-4516-a748-c7974f5f3c44 // CNVD: CNVD-2020-17493 // JVNDB: JVNDB-2019-014924 // CNNVD: CNNVD-202003-374 // NVD: CVE-2019-5159

PROBLEMTYPE DATA

problemtype:	CWE-668	Trust: 1.0
problemtype:	CWE-20	Trust: 0.8

sources: JVNDB: JVNDB-2019-014924 // NVD: CVE-2019-5159

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202003-374

TYPE

Input validation error

Trust: 1.0

sources: IVD: e5a064c3-9814-4cc8-9126-052d12254488 // IVD: 9d1001e0-8ba0-4516-a748-c7974f5f3c44 // CNNVD: CNNVD-202003-374

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014924

PATCH

title:

Top Page

url:

https://www.wago.com/us/

Trust: 0.8

sources: JVNDB: JVNDB-2019-014924

EXTERNAL IDS

db:	NVD	id:	CVE-2019-5159	Trust: 3.4
db:	TALOS	id:	TALOS-2019-0952	Trust: 3.0
db:	CNVD	id:	CNVD-2020-17493	Trust: 1.0
db:	CNNVD	id:	CNNVD-202003-374	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-014924	Trust: 0.8
db:	IVD	id:	E5A064C3-9814-4CC8-9126-052D12254488	Trust: 0.2
db:	IVD	id:	9D1001E0-8BA0-4516-A748-C7974F5F3C44	Trust: 0.2

REFERENCES

url:	https://talosintelligence.com/vulnerability_reports/talos-2019-0952	Trust: 3.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-5159	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5159	Trust: 0.8

sources: CNVD: CNVD-2020-17493 // JVNDB: JVNDB-2019-014924 // CNNVD: CNNVD-202003-374 // NVD: CVE-2019-5159

SOURCES

db:	IVD	id:	e5a064c3-9814-4cc8-9126-052d12254488
db:	IVD	id:	9d1001e0-8ba0-4516-a748-c7974f5f3c44
db:	CNVD	id:	CNVD-2020-17493
db:	JVNDB	id:	JVNDB-2019-014924
db:	CNNVD	id:	CNNVD-202003-374
db:	NVD	id:	CVE-2019-5159

LAST UPDATE DATE

2024-11-23T22:51:28.638000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-17493	date:	2020-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-014924	date:	2020-03-30T00:00:00
db:	CNNVD	id:	CNNVD-202003-374	date:	2020-03-18T00:00:00
db:	NVD	id:	CVE-2019-5159	date:	2024-11-21T04:44:27.793

SOURCES RELEASE DATE

db:	IVD	id:	e5a064c3-9814-4cc8-9126-052d12254488	date:	2020-03-09T00:00:00
db:	IVD	id:	9d1001e0-8ba0-4516-a748-c7974f5f3c44	date:	2020-03-09T00:00:00
db:	CNVD	id:	CNVD-2020-17493	date:	2020-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-014924	date:	2020-03-30T00:00:00
db:	CNNVD	id:	CNNVD-202003-374	date:	2020-03-09T00:00:00
db:	NVD	id:	CVE-2019-5159	date:	2020-03-11T22:27:41.020