CVE-2019-10966 - OpenCVE

In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ge	Aespire 7100 Aespire 7100 Firmware Aespire 7900 Aespire 7900 Firmware Aestiva 7100 Aestiva 7100 Firmware Aestiva 7900 Aestiva 7900 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ge:aestiva_7100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:aestiva_7100:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ge:aestiva_7900_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:aestiva_7900:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ge:aespire_7100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:aespire_7100:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:ge:aespire_7900_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:aespire_7900:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/109102
https://www.us-cert.gov/ics/advisories/icsma-19-190-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-07-10T17:52:23

Updated: 2024-08-04T22:40:15.555Z

Reserved: 2019-04-08T00:00:00

Link: CVE-2019-10966

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-10T18:15:10.817

Modified: 2020-10-02T14:32:34.497

Link: CVE-2019-10966

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Aestiva and Aespire", "vendor": "GE", "versions": [{"status": "affected", "version": "versions 7100"}, {"status": "affected", "version": "versions 7900"}]}], "descriptions": [{"lang": "en", "value": "In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "IMPROPER AUTHENTICATION CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-10T17:52:39", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "109102", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109102"}, {"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-190-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-10966", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Aestiva and Aespire", "version": {"version_data": [{"version_value": "versions 7100"}, {"version_value": "versions 7900"}]}}]}, "vendor_name": "GE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER AUTHENTICATION CWE-287"}]}]}, "references": {"reference_data": [{"name": "109102", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109102"}, {"name": "https://www.us-cert.gov/ics/advisories/icsma-19-190-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsma-19-190-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:15.555Z"}, "title": "CVE Program Container", "references": [{"name": "109102", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109102"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-190-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-10966", "datePublished": "2019-07-10T17:52:23", "dateReserved": "2019-04-08T00:00:00", "dateUpdated": "2024-08-04T22:40:15.555Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ge:aestiva_7100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3B952A1-941D-4001-B73C-7F0111BF1956", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ge:aestiva_7100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F447B046-1ACE-4ACC-9316-E9FECFCA1EBB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ge:aestiva_7900_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "0961C975-4C72-48B4-A0D7-6CB9E8B32789", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ge:aestiva_7900:-:*:*:*:*:*:*:*", "matchCriteriaId": "167A5605-7871-4A21-8818-B0419D791F8E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ge:aespire_7100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "079FA27D-5F79-4549-A2D7-2F47B5B03B42", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ge:aespire_7100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9F0B78FB-1693-4C3B-9AC2-B330909F6A29", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ge:aespire_7900_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "58BD99AD-CD5A-43E1-B6FD-CA2FD6577DB5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ge:aespire_7900:-:*:*:*:*:*:*:*", "matchCriteriaId": "6F133CC4-BCB0-4B82-BE4B-1B27F1E6DD3D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms."}, {"lang": "es", "value": "En Aestiva y Aespire de GE versiones 7100 y 7900, se presenta una vulnerabilidad donde los dispositivos seriales son conectados por medio de un servidor terminal no seguro agregado a una configuraci\u00f3n de red TCP/IP, lo que podr\u00eda permitir a un atacante modificar remotamente la configuraci\u00f3n del dispositivo y silenciar las alarmas."}], "id": "CVE-2019-10966", "lastModified": "2020-10-02T14:32:34.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-10T18:15:10.817", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109102"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-190-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}