CVE-2019-10930

Published: Jul 11, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions ), DIGSI 5 engineering software (All versions < V7.90), SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), SIPROTEC 5 device types 7SS85 and 7KE85 (All versions < V8.01), SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules (All versions). A remote attacker could use specially crafted packets sent to port 443/TCP to upload, download or delete files in certain parts of the file system.

Affected (2)

Products: Siemens: Digsi 5 Engineering Software, Siprotec 5 Digsi Device Driver

Siemens

2 products

Digsi 5 Engineering Software

Siprotec 5 Digsi Device Driver

Configuration A

2 vulnerable · 24 platform

Vulnerable Software	Affected Versions
Siemens Digsi 5 Engineering Software	Version 7.90
Siemens Siprotec 5 Digsi Device Driver	Version 7.90

Running on/with	Platform Versions
Siemens 6md85	All versions
Siemens 6md86	All versions
Siemens 6md89	All versions
Siemens 7sa82	All versions
Siemens 7sa86	All versions
Siemens 7sa87	All versions
Siemens 7sd82	All versions
Siemens 7sd86	All versions
Siemens 7sd87	All versions
Siemens 7sj82	All versions
Siemens 7sj85	All versions
Siemens 7sj86	All versions
Siemens 7sk82	All versions
Siemens 7sk85	All versions
Siemens 7sl82	All versions
Siemens 7sl86	All versions
Siemens 7sl87	All versions
Siemens 7um85	All versions
Siemens 7ut82	All versions
Siemens 7ut85	All versions
Siemens 7ut86	All versions
Siemens 7ut87	All versions
Siemens 7ve85	All versions
Siemens 7vk87	All versions

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-552

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (2)

https://cert-portal.siemens.com/productcert/pdf/ssa-899560.pdf

Source: productcert@siemens.com

Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-899560.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.