CVE-2019-13553 - OpenCVE

Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Carel	Pcoweb Firmware
Rittal	Chiller Sk 3232

Configuration 1 [-]

AND

cpe:2.3:o:carel:pcoweb_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:rittal:chiller_sk_3232:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2019/Oct/45
https://www.us-cert.gov/ics/advisories/icsa-19-297-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-10-25T17:46:47

Updated: 2024-08-04T23:57:39.466Z

Reserved: 2019-07-11T00:00:00

Link: CVE-2019-13553

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-10-25T18:15:10.943

Modified: 2020-02-10T21:50:16.450

Link: CVE-2019-13553

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Rittal Chiller SK 3232-Series", "vendor": "n/a", "versions": [{"status": "affected", "version": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"}]}], "descriptions": [{"lang": "en", "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "USE OF HARD-CODED CREDENTIALS CWE-798", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-11-01T02:06:24", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-13553", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rittal Chiller SK 3232-Series", "version": {"version_data": [{"version_value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "USE OF HARD-CODED CREDENTIALS CWE-798"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:57:39.466Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-13553", "datePublished": "2019-10-25T17:46:47", "dateReserved": "2019-07-11T00:00:00", "dateUpdated": "2024-08-04T23:57:39.466Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:carel:pcoweb_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7B4C31-67E0-488A-9297-B8E8E158DC3E", "versionEndIncluding": "b1.2.4", "versionStartIncluding": "a1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:rittal:chiller_sk_3232:-:*:*:*:*:*:*:*", "matchCriteriaId": "3FAC3FD5-429B-48BF-B519-47CAD3E718C0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 \u2013 B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point."}, {"lang": "es", "value": "Interfaz web Rittal Chiller SK 3232-Series seg\u00fan el firmware Carel pCOWeb A1.5.3 - B1.2.4. El mecanismo de autenticaci\u00f3n en los sistemas afectados se configura mediante credenciales codificadas. Estas credenciales podr\u00edan permitir a los atacantes influir en las operaciones primarias de los sistemas afectados, es decir, encender y apagar la unidad de enfriamiento y establecer el punto de ajuste de temperatura."}], "id": "CVE-2019-13553", "lastModified": "2020-02-10T21:50:16.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-25T18:15:10.943", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}