VDE-2019-012
Vulnerability from csaf_certvde - Published: 2019-06-04 13:21 - Updated: 2025-05-14 13:00Summary
TECSON/GOK: Improper Authentication and Access Control on multiple devices
Notes
Summary: A security researcher discovered that the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
Impact: This issue allows changing the configuration and get full access to the web-based configuration interface of the device wich includes all settings like passwords, alerting parameters and output states. That can adversely affect the planned operation of the equipment or can aid in further attacks on the industrial control process.
Mitigation: In secure environments disable port forwarding and remote access to the device otherwise disable network access completely.
A security researcher discovered that the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
9.8 (Critical)
Mitigation
In secure environments disable port forwarding and remote access to the device otherwise disable network access completely.
References
Acknowledgments
CERT@VDE
certvde.com
Maxim Rupp
rupp.it/
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"organization": "Maxim Rupp",
"summary": "reporting",
"urls": [
"https://rupp.it/"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A security researcher discovered that the affected application doesn\u0027t properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.",
"title": "Summary"
},
{
"category": "description",
"text": "This issue allows changing the configuration and get full access to the web-based configuration interface of the device wich includes all settings like passwords, alerting parameters and output states. That can adversely affect the planned operation of the equipment or can aid in further attacks on the industrial control process.",
"title": "Impact"
},
{
"category": "description",
"text": "In secure environments disable port forwarding and remote access to the device otherwise disable network access completely.",
"title": "Mitigation"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "csaf@certvde.com",
"name": "CERT@VDE",
"namespace": "https://certvde.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for TECSON/GOK",
"url": "https://certvde.com/en/advisories/vendor/tecsongok"
},
{
"category": "self",
"summary": "VDE-2019-012: TECSON/GOK: Improper Authentication and Access Control on multiple devices - HTML",
"url": "https://certvde.com/en/advisories/VDE-2019-012"
},
{
"category": "self",
"summary": "VDE-2019-012: TECSON/GOK: Improper Authentication and Access Control on multiple devices - CSAF",
"url": "https://certvde.csaf-tp.certvde.com/.well-known/csaf/white/2019/vde-2019-012.json"
}
],
"title": "TECSON/GOK: Improper Authentication and Access Control on multiple devices",
"tracking": {
"aliases": [
"VDE-2019-012"
],
"current_release_date": "2025-05-14T13:00:14.000Z",
"generator": {
"date": "2024-07-17T18:08:01.483Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.8"
}
},
"id": "VDE-2019-012",
"initial_release_date": "2019-06-04T13:21:00.000Z",
"revision_history": [
{
"date": "2019-06-04T13:21:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2024-11-06T11:27:01.000Z",
"number": "2",
"summary": "Fix: correct certvde domain, added alias, added self-reference"
},
{
"date": "2025-04-10T13:00:00.000Z",
"number": "3",
"summary": "Fixed version info using vers:/all"
},
{
"date": "2025-05-14T13:00:14.000Z",
"number": "4",
"summary": "Fix: added distribution"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "e-litro net",
"product": {
"name": "e-litro net",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "LX-Net",
"product": {
"name": "LX-Net",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "LX-Q-Net",
"product": {
"name": "LX-Q-Net",
"product_id": "CSAFPID-11003"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware all versions",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "TECSON"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "SmartBox 4 LAN",
"product": {
"name": "SmartBox 4 LAN",
"product_id": "CSAFPID-11004"
}
},
{
"category": "product_name",
"name": "SmartBox 4 LAN PRO",
"product": {
"name": "SmartBox 4 LAN PRO",
"product_id": "CSAFPID-11005"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware all version",
"product_id": "CSAFPID-21002"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "GOK"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware all versions installed on e-litro net",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware all versions installed on LX-Net",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware all versions installed on LX-Q-Net",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware all versions installed on SmartBox 4 LAN",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware all version installed on SmartBox 4 LAN PRO",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11005"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-12254",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A security researcher discovered that the affected application doesn\u0027t properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "In secure environments disable port forwarding and remote access to the device otherwise disable network access completely.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-12254"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…