CVE-2019-13549 - OpenCVE

Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Carel	Pcoweb Firmware
Rittal	Chiller Sk 3232

Configuration 1 [-]

AND

cpe:2.3:o:carel:pcoweb_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:rittal:chiller_sk_3232:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2019/Oct/46
https://www.us-cert.gov/ics/advisories/icsa-19-297-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-10-25T17:43:09

Updated: 2024-08-04T23:57:39.519Z

Reserved: 2019-07-11T00:00:00

Link: CVE-2019-13549

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-10-25T18:15:10.880

Modified: 2020-02-10T21:50:16.310

Link: CVE-2019-13549

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Rittal Chiller SK 3232-Series", "vendor": "n/a", "versions": [{"status": "affected", "version": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"}]}], "descriptions": [{"lang": "en", "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-11-01T02:06:25", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}, {"name": "20191031 [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Oct/46"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-13549", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rittal Chiller SK 3232-Series", "version": {"version_data": [{"version_value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}, {"name": "20191031 [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Oct/46"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:57:39.519Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}, {"name": "20191031 [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Oct/46"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-13549", "datePublished": "2019-10-25T17:43:09", "dateReserved": "2019-07-11T00:00:00", "dateUpdated": "2024-08-04T23:57:39.519Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:carel:pcoweb_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7B4C31-67E0-488A-9297-B8E8E158DC3E", "versionEndIncluding": "b1.2.4", "versionStartIncluding": "a1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:rittal:chiller_sk_3232:-:*:*:*:*:*:*:*", "matchCriteriaId": "3FAC3FD5-429B-48BF-B519-47CAD3E718C0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication."}, {"lang": "es", "value": "El Interfaz web Rittal Chiller SK 3232-Series seg\u00fan el firmware Carel pCOWeb A1.5.3 - B1.2.4. El mecanismo de autenticaci\u00f3n en los sistemas afectados no proporciona un nivel suficiente de protecci\u00f3n contra cambios de configuraci\u00f3n no autorizados. Las operaciones primarias, a saber, encender y apagar la unidad de enfriamiento y establecer el punto de ajuste de temperatura, se pueden modificar sin autenticaci\u00f3n."}], "id": "CVE-2019-13549", "lastModified": "2020-02-10T21:50:16.310", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-25T18:15:10.880", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "http://seclists.org/fulldisclosure/2019/Oct/46"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}