CVE-2019-13933 — HIGH (8.6)

Q: How severe is CVE-2019-13933?

CVE-2019-13933 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-13933?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens Scalance X-200Rna Firmware, Siemens Scalance X-200Rna, Siemens Scalance X204Rna Firmware, Siemens Scalance X204Rna, Siemens Scalance X-300 Firmware.

Vulnerability Description

A vulnerability has been identified in SCALANCE X204RNA (HSR), SCALANCE X204RNA (PRP), SCALANCE X204RNA EEC (HSR), SCALANCE X204RNA EEC (PRP), SCALANCE X204RNA EEC (PRP/HSR), SCALANCE X302-7 EEC (230V), SCALANCE X302-7 EEC (230V, coated), SCALANCE X302-7 EEC (24V), SCALANCE X302-7 EEC (24V, coated), SCALANCE X302-7 EEC (2x 230V), SCALANCE X302-7 EEC (2x 230V, coated), SCALANCE X302-7 EEC (2x 24V), SCALANCE X302-7 EEC (2x 24V, coated), SCALANCE X304-2FE, SCALANCE X306-1LD FE, SCALANCE X307-2 EEC (230V), SCALANCE X307-2 EEC (230V, coated), SCALANCE X307-2 EEC (24V), SCALANCE X307-2 EEC (24V, coated), SCALANCE X307-2 EEC (2x 230V), SCALANCE X307-2 EEC (2x 230V, coated), SCALANCE X307-2 EEC (2x 24V), SCALANCE X307-2 EEC (2x 24V, coated), SCALANCE X307-3, SCALANCE X307-3, SCALANCE X307-3LD, SCALANCE X307-3LD, SCALANCE X308-2, SCALANCE X308-2, SCALANCE X308-2LD, SCALANCE X308-2LD, SCALANCE X308-2LH, SCALANCE X308-2LH, SCALANCE X308-2LH+, SCALANCE X308-2LH+, SCALANCE X308-2M, SCALANCE X308-2M, SCALANCE X308-2M PoE, SCALANCE X308-2M PoE, SCALANCE X308-2M TS, SCALANCE X308-2M TS, SCALANCE X310, SCALANCE X310, SCALANCE X310FE, SCALANCE X310FE, SCALANCE X320-1 FE, SCALANCE X320-1-2LD FE, SCALANCE X408-2, SCALANCE XR324-12M (230V, ports on front), SCALANCE XR324-12M (230V, ports on front), SCALANCE XR324-12M (230V, ports on rear), SCALANCE XR324-12M (230V, ports on rear), SCALANCE XR324-12M (24V, ports on front), SCALANCE XR324-12M (24V, ports on front), SCALANCE XR324-12M (24V, ports on rear), SCALANCE XR324-12M (24V, ports on rear), SCALANCE XR324-12M TS (24V), SCALANCE XR324-12M TS (24V), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (24V, ports on front), SCALANCE XR324-4M EEC (24V, ports on front), SCALANCE XR324-4M EEC (24V, ports on rear), SCALANCE XR324-4M EEC (24V, ports on rear), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (2x 24V, ports on front), SCALANCE XR324-4M EEC (2x 24V, ports on front), SCALANCE XR324-4M EEC (2x 24V, ports on rear), SCALANCE XR324-4M EEC (2x 24V, ports on rear), SCALANCE XR324-4M PoE (230V, ports on front), SCALANCE XR324-4M PoE (230V, ports on rear), SCALANCE XR324-4M PoE (24V, ports on front), SCALANCE XR324-4M PoE (24V, ports on rear), SCALANCE XR324-4M PoE TS (24V, ports on front), SIPLUS NET SCALANCE X308-2. Affected devices contain a vulnerability that allows an unauthenticated attacker to violate access-control rules. The vulnerability can be triggered by sending GET request to specific uniform resource locator on the web configuration interface of the device. The security vulnerability could be exploited by an attacker with network access to the affected systems. An attacker could use the vulnerability to obtain sensitive information or change the device configuration. At the time of advisory publication no public exploitation of this security vulnerability was known.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Siemens	Scalance X-200Rna Firmware	All versions
Siemens	Scalance X-200Rna	-
Siemens	Scalance X204Rna Firmware	All versions
Siemens	Scalance X204Rna	-
Siemens	Scalance X-300 Firmware	< 4.1.3
Siemens	Scalance X-300	-
Siemens	Scalance Xr-300Wg Firmware	< 4.1.3
Siemens	Scalance Xr-300Wg	-
Siemens	Scalance Xr-300 Firmware	< 4.1.3
Siemens	Scalance Xr-300	-
Siemens	Scalance X408-2 Firmware	< 4.1.3
Siemens	Scalance X408-2	-
Siemens	Siplus Net Csm 1277 Firmware	< 4.1.3
Siemens	Siplus Net Csm 1277	-

Related Weaknesses (CWE)

CWE-306

References

https://cert-portal.siemens.com/productcert/pdf/ssa-443566.pdfVendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-014-03Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-443566.pdfVendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-014-03Third Party Advisory

FAQ

What is CVE-2019-13933?

CVE-2019-13933 is a vulnerability with a CVSS score of 8.6 (HIGH). A vulnerability has been identified in SCALANCE X204RNA (HSR), SCALANCE X204RNA (PRP), SCALANCE X204RNA EEC (HSR), SCALANCE X204RNA EEC (PRP), SCALANCE X204RNA EEC (PRP/HSR), SCALANCE X302-7 EEC (230V...

How severe is CVE-2019-13933?

CVE-2019-13933 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-13933?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens Scalance X-200Rna Firmware, Siemens Scalance X-200Rna, Siemens Scalance X204Rna Firmware, Siemens Scalance X204Rna, Siemens Scalance X-300 Firmware.