HIGH · 8.8

CVE-2019-9013

Vulnerability Description

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor | Product | Versions
Codesys | Control For Beaglebone Sl | >= 3.0, < 3.5.16.0
Codesys | Control For Empc-A/Imx6 Sl | >= 3.0, < 3.5.16.0
Codesys | Control For Iot2000 Sl | >= 3.0, < 3.5.16.0
Codesys | Control For Linux Sl | >= 3.0, < 3.5.16.0
Codesys | Control For Pfc100 Sl | >= 3.0, < 3.5.16.0
Codesys | Control For Pfc200 Sl | >= 3.0, < 3.5.16.0
Codesys | Control Rte Sl | >= 3.0, < 3.5.16.0
Codesys | Control Win Sl | >= 3.0, < 3.5.16.0
Codesys | Development System | >= 3.0, < 3.5.16.0
Codesys | Hmi Sl | >= 3.0, < 3.5.16.0
Codesys | Raspberry Pi | >= 3.0, < 3.5.16.0
Codesys | Runtime Toolkit | >= 3.0, < 3.5.16.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-9013?

CVE-2019-9013 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All va...

How severe is CVE-2019-9013?

CVE-2019-9013 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-9013?

Check the references section above for vendor advisories and patch information. Affected products include: Codesys Control For Beaglebone Sl, Codesys Control For Empc-A/Imx6 Sl, Codesys Control For Iot2000 Sl, Codesys Control For Linux Sl, Codesys Control For Pfc100 Sl.