CVE-2019-10935 — HIGH (7.2)

Q: How severe is CVE-2019-10935?

CVE-2019-10935 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-10935?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens Simatic Pcs 7, Siemens Simatic Wincc, Siemens Simatic Wincc Runtime.

Vulnerability Description

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions < V14 SP1 Upd 9), SIMATIC WinCC Professional (TIA Portal V15) (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). The SIMATIC WinCC DataMonitor web application of the affected products allows to upload arbitrary ASPX code. The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory no public exploitation is known.

CVSS Score

7.2

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Siemens	Simatic Pcs 7	8.0
Siemens	Simatic Wincc	<= 7.2
Siemens	Simatic Wincc Runtime	13

Related Weaknesses (CWE)

CWE-434

References

https://cert-portal.siemens.com/productcert/pdf/ssa-121293.pdfPatchVendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-121293.pdfPatchVendor Advisory

FAQ

What is CVE-2019-10935?

CVE-2019-10935 is a vulnerability with a CVSS score of 7.2 (HIGH). A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with ...

How severe is CVE-2019-10935?

CVE-2019-10935 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-10935?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens Simatic Pcs 7, Siemens Simatic Wincc, Siemens Simatic Wincc Runtime.