CVE-2019-13523 - Vulnerability Details

Description

In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104,HEN08144,HEN081124,HEN16104,HEN16144,HEN16184,HEN16204,HEN162244,HEN16284,HEN16304,HEN16384,HEN32104,HEN321124,HEN32204,HEN32284,HEN322164,HEN32304, HEN32384,HEN323164,HEN64204,HEN64304,HEN643164,HEN643324,HEN643484,HEN04103,HEN04113,HEN04123,HEN08103,HEN08113,HEN08123,HEN08143,HEN16103,HEN16123,HEN16143,HEN16163,HEN04103L,HEN08103L,HEN16103L,HEN32103L.

Published: 2019-09-26

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Honeywell

Performance IP Cameras

affected

Version	Status	Constraints
`HBD3PR2`	affected	—
`H4D3PRV3`	affected	—
`HED3PR3`	affected	—
`H4D3PRV2`	affected	—
`HBD3PR1`	affected	—
`H4W8PR2`	affected	—
`HBW8PR2`	affected	—
`H2W2PC1M`	affected	—
`H2W4PER3`	affected	—
`H2W2PER3`	affected	—
`HEW2PER3`	affected	—
`HEW4PER3B`	affected	—
`HBW2PER1`	affected	—
`HEW4PER2`	affected	—
`HEW4PER2B`	affected	—
`HEW2PER2`	affected	—
`H4W2PER2`	affected	—
`HBW2PER2`	affected	—
`H4W2PER3`	affected	—
`HPW2P1`	affected	—

Honeywell

Performance NVRs

affected

Version	Status	Constraints
`HEN08104`	affected	—
`HEN08144`	affected	—
`HEN081124`	affected	—
`HEN16104`	affected	—
`HEN16144`	affected	—
`HEN16184`	affected	—
`HEN16204`	affected	—
`HEN162244`	affected	—
`HEN16284`	affected	—
`HEN16304`	affected	—
`HEN16384`	affected	—
`HEN32104`	affected	—
`HEN321124`	affected	—
`HEN32204`	affected	—
`HEN32284`	affected	—
`HEN322164`	affected	—
`HEN32304`	affected	—
`HEN32384`	affected	—
`HEN323164`	affected	—
`HEN64204`	affected	—
`HEN64304`	affected	—
`HEN643164`	affected	—
`HEN643324`	affected	—
`HEN643484`	affected	—
`HEN04103`	affected	—
`HEN04113`	affected	—
`HEN04123`	affected	—
`HEN08103`	affected	—
`HEN08113`	affected	—
`HEN08123`	affected	—
`HEN08143`	affected	—
`HEN16103`	affected	—
`HEN16123`	affected	—
`HEN16143`	affected	—
`HEN16163`	affected	—
`HEN04103L`	affected	—
`HEN08103L`	affected	—
`HEN16103L`	affected	—
`HEN32103L`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:honeywell:hbd3pr2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hbd3pr2:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:honeywell:h4d3prv3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h4d3prv3:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:honeywell:hed3pr3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hed3pr3:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:honeywell:h4d3prv2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h4d3prv2:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:honeywell:hbd3pr1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hbd3pr1:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:honeywell:h4w8pr2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h4w8pr2:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:honeywell:hbw8pr2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hbw8pr2:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:honeywell:h2w2pc1m_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h2w2pc1m:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:honeywell:h2w4per3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h2w4per3:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:honeywell:h2w2per3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h2w2per3:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:honeywell:hew2per3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hew2per3:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:honeywell:hew4per3b_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hew4per3b:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:honeywell:hbw2per1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hbw2per1:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:honeywell:hew4per2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hew4per2:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:honeywell:hew4per2b_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hew4per2b:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:honeywell:hew2per2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hew2per2:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:honeywell:h4w2per2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h4w2per2:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:honeywell:hbw2per2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hbw2per2:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:honeywell:h4w2per3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:h4w2per3:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND

cpe:2.3:o:honeywell:hpw2p1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hpw2p1:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND

cpe:2.3:o:honeywell:hen08104_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08104:-:*:*:*:*:*:*:*

Configuration 22 [-]

AND

cpe:2.3:o:honeywell:hen08144_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08144:-:*:*:*:*:*:*:*

Configuration 23 [-]

AND

cpe:2.3:o:honeywell:hen081124_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen081124:-:*:*:*:*:*:*:*

Configuration 24 [-]

AND

cpe:2.3:o:honeywell:hen16104_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16104:-:*:*:*:*:*:*:*

Configuration 25 [-]

AND

cpe:2.3:o:honeywell:hen16144_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16144:-:*:*:*:*:*:*:*

Configuration 26 [-]

AND

cpe:2.3:o:honeywell:hen16184_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16184:-:*:*:*:*:*:*:*

Configuration 27 [-]

AND

cpe:2.3:o:honeywell:hen16204_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16204:-:*:*:*:*:*:*:*

Configuration 28 [-]

AND

cpe:2.3:o:honeywell:hen162244_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen162244:-:*:*:*:*:*:*:*

Configuration 29 [-]

AND

cpe:2.3:o:honeywell:hen16284_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16284:-:*:*:*:*:*:*:*

Configuration 30 [-]

AND

cpe:2.3:o:honeywell:hen16304_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16304:-:*:*:*:*:*:*:*

Configuration 31 [-]

AND

cpe:2.3:o:honeywell:hen16384_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16384:-:*:*:*:*:*:*:*

Configuration 32 [-]

AND

cpe:2.3:o:honeywell:hen32104_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen32104:-:*:*:*:*:*:*:*

Configuration 33 [-]

AND

cpe:2.3:o:honeywell:hen321124_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen321124:-:*:*:*:*:*:*:*

Configuration 34 [-]

AND

cpe:2.3:o:honeywell:hen32204_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen32204:-:*:*:*:*:*:*:*

Configuration 35 [-]

AND

cpe:2.3:o:honeywell:hen32284_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen32284:-:*:*:*:*:*:*:*

Configuration 36 [-]

AND

cpe:2.3:o:honeywell:hen322164_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen322164:-:*:*:*:*:*:*:*

Configuration 37 [-]

AND

cpe:2.3:o:honeywell:hen32304_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen32304:-:*:*:*:*:*:*:*

Configuration 38 [-]

AND

cpe:2.3:o:honeywell:hen32384_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen32384:-:*:*:*:*:*:*:*

Configuration 39 [-]

AND

cpe:2.3:o:honeywell:hen323164_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen323164:-:*:*:*:*:*:*:*

Configuration 40 [-]

AND

cpe:2.3:o:honeywell:hen64204_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen64204:-:*:*:*:*:*:*:*

Configuration 41 [-]

AND

cpe:2.3:o:honeywell:hen64304_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen64304:-:*:*:*:*:*:*:*

Configuration 42 [-]

AND

cpe:2.3:o:honeywell:hen643164_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen643164:-:*:*:*:*:*:*:*

Configuration 43 [-]

AND

cpe:2.3:o:honeywell:hen643324_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen643324:-:*:*:*:*:*:*:*

Configuration 44 [-]

AND

cpe:2.3:o:honeywell:hen643484_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen643484:-:*:*:*:*:*:*:*

Configuration 45 [-]

AND

cpe:2.3:o:honeywell:hen04103_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen04103:-:*:*:*:*:*:*:*

Configuration 46 [-]

AND

cpe:2.3:o:honeywell:hen04113_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen04113:-:*:*:*:*:*:*:*

Configuration 47 [-]

AND

cpe:2.3:o:honeywell:hen04123_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen04123:-:*:*:*:*:*:*:*

Configuration 48 [-]

AND

cpe:2.3:o:honeywell:hen08103_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08103:-:*:*:*:*:*:*:*

Configuration 49 [-]

AND

cpe:2.3:o:honeywell:hen08113_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08113:-:*:*:*:*:*:*:*

Configuration 50 [-]

AND

cpe:2.3:o:honeywell:hen08123_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08123:-:*:*:*:*:*:*:*

Configuration 51 [-]

AND

cpe:2.3:o:honeywell:hen08143_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08143:-:*:*:*:*:*:*:*

Configuration 52 [-]

AND

cpe:2.3:o:honeywell:hen16103_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16103:-:*:*:*:*:*:*:*

Configuration 53 [-]

AND

cpe:2.3:o:honeywell:hen16123_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16123:-:*:*:*:*:*:*:*

Configuration 54 [-]

AND

cpe:2.3:o:honeywell:hen16143_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16143:-:*:*:*:*:*:*:*

Configuration 55 [-]

AND

cpe:2.3:o:honeywell:hen16163_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16163:-:*:*:*:*:*:*:*

Configuration 56 [-]

AND

cpe:2.3:o:honeywell:hen04103l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen04103l:-:*:*:*:*:*:*:*

Configuration 57 [-]

AND

cpe:2.3:o:honeywell:hen08103l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen08103l:-:*:*:*:*:*:*:*

Configuration 58 [-]

AND

cpe:2.3:o:honeywell:hen16103l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen16103l:-:*:*:*:*:*:*:*

Configuration 59 [-]

AND

cpe:2.3:o:honeywell:hen32103l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:hen32103l:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2019-4978	In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104,HEN08144,HEN081124,HEN16104,HEN16144,HEN16184,HEN16204,HEN162244,HEN16284,HEN16304,HEN16384,HEN32104,HEN321124,HEN32204,HEN32284,HEN322164,HEN32304, HEN32384,HEN323164,HEN64204,HEN64304,HEN643164,HEN643324,HEN643484,HEN04103,HEN04113,HEN04123,HEN08103,HEN08113,HEN08123,HEN08143,HEN16103,HEN16123,HEN16143,HEN16163,HEN04103L,HEN08103L,HEN16103L,HEN32103L.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0021.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/icsa-19-260-03

History

No history.

Subscriptions

Honeywell H2w2pc1m H2w2pc1m Firmware H2w2per3 H2w2per3 Firmware H2w4per3 H2w4per3 Firmware H4d3prv2 H4d3prv2 Firmware H4d3prv3 H4d3prv3 Firmware H4w2per2 H4w2per2 Firmware H4w2per3 H4w2per3 Firmware H4w8pr2 H4w8pr2 Firmware Hbd3pr1 Hbd3pr1 Firmware Hbd3pr2 Hbd3pr2 Firmware Hbw2per1 Hbw2per1 Firmware Hbw2per2 Hbw2per2 Firmware Hbw8pr2 Hbw8pr2 Firmware Hed3pr3 Hed3pr3 Firmware Hen04103 Hen04103 Firmware Hen04103l Hen04103l Firmware Hen04113 Hen04113 Firmware Hen04123 Hen04123 Firmware Hen08103 Hen08103 Firmware Hen08103l Hen08103l Firmware Hen08104 Hen08104 Firmware Hen081124 Hen081124 Firmware Hen08113 Hen08113 Firmware Hen08123 Hen08123 Firmware Hen08143 Hen08143 Firmware Hen08144 Hen08144 Firmware Hen16103 Hen16103 Firmware Hen16103l Hen16103l Firmware Hen16104 Hen16104 Firmware Hen16123 Hen16123 Firmware Hen16143 Hen16143 Firmware Hen16144 Hen16144 Firmware Hen16163 Hen16163 Firmware Hen16184 Hen16184 Firmware Hen16204 Hen16204 Firmware Hen162244 Hen162244 Firmware Hen16284 Hen16284 Firmware Hen16304 Hen16304 Firmware Hen16384 Hen16384 Firmware Hen32103l Hen32103l Firmware Hen32104 Hen32104 Firmware Hen321124 Hen321124 Firmware Hen32204 Hen32204 Firmware Hen322164 Hen322164 Firmware Hen32284 Hen32284 Firmware Hen32304 Hen32304 Firmware Hen323164 Hen323164 Firmware Hen32384 Hen32384 Firmware Hen64204 Hen64204 Firmware Hen64304 Hen64304 Firmware Hen643164 Hen643164 Firmware Hen643324 Hen643324 Firmware Hen643484 Hen643484 Firmware Hew2per2 Hew2per2 Firmware Hew2per3 Hew2per3 Firmware Hew4per2 Hew4per2 Firmware Hew4per2b Hew4per2b Firmware Hew4per3b Hew4per3b Firmware Hpw2p1 Hpw2p1 Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-09-26T14:22:59.000Z

Updated: 2024-08-04T23:57:39.391Z

Reserved: 2019-07-11T00:00:00.000Z

Link: CVE-2019-13523

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-09-26T16:15:11.067

Modified: 2024-11-21T04:25:04.220

Link: CVE-2019-13523

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object