CVE-2019-10995

ABB CP651 HMI products revision BSP UN30 v1.76 and prior implement hidden administrative accounts that are used during the provisioning phase of the HMI interface.

CVSS v3 8.8 HIGH
CVSS v2.0 5.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 6.5 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/108928	Third Party Advisory VDB Entry
https://www.us-cert.gov/ics/advisories/icsa-19-178-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:abb:cp651:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp651_firmware:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:abb:cp651-web:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp651-web_firmware:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:abb:cp661-web:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp661-web_firmware:*:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:h:abb:cp661:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp661_firmware:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:h:abb:cp665:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp665_firmware:*:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:h:abb:cp665-web:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp665-web_firmware:*:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:h:abb:cp676-web:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp676-web_firmware:*:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:h:abb:cp676:-:*:*:*:*:*:*:*

cpe:2.3:o:abb:cp676_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-01-14 17:15

Updated : 2020-01-24 13:53

NVD link : CVE-2019-10995

Mitre link : CVE-2019-10995

CVE.ORG link : CVE-2019-10995

JSON object : View

Products Affected

abb

cp651-web
cp661
cp661-web
cp665
cp665_firmware
cp676-web
cp676
cp676_firmware
cp676-web_firmware
cp651-web_firmware
cp665-web_firmware
cp651
cp661-web_firmware
cp665-web
cp651_firmware
cp661_firmware

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2019-10995", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-01-14T17:15:12.427", "references": [{"url": "http://www.securityfocus.com/bid/108928", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.us-cert.gov/ics/advisories/icsa-19-178-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "ABB CP651 HMI products revision BSP UN30 v1.76 and prior implement hidden administrative accounts that are used during the provisioning phase of the HMI interface."}, {"lang": "es", "value": "La revisi\u00f3n de productos BSP UN30 versi\u00f3n v1.76 y anteriores de ABB CP651 HMI, implementa cuentas administrativas ocultas que son utilizadas durante la fase de aprovisionamiento de la interfaz HMI."}], "lastModified": "2020-01-24T13:53:04.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp651:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4BD27ACE-A1F6-450C-9853-00F0D87A182A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp651_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F3384A-E98E-47DE-ABEB-0B3E810CFA7E", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp651-web:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "849EBA94-A50E-4CFF-8C79-EA7E7243EAC9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp651-web_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "811CFED9-6A58-4130-AA30-99A949B810FD", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp661-web:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BC8588CE-588A-4C83-BBFE-502E72D006F1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp661-web_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD4EECA8-BFCF-4DA7-AD41-63BC4DEE220A", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp661:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B0691F9D-F6FE-40C2-A538-318F405F47DD"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp661_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "70980870-5106-4788-B389-584D4CBA8C07", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp665:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FF29C1B8-7CC4-4659-95BF-6B7B37AFC298"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp665_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94A1B857-6E4D-469F-A470-5F495A31405D", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp665-web:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8068A1EE-D2A5-43E9-A297-47E9916E040A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp665-web_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "340177AD-D72B-4359-AFCB-57A84B1583D5", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp676-web:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FF8D95A5-31B9-4366-BC56-489715ED7384"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp676-web_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E8270C5-EF9A-4B2F-8BC2-748AA4DBF1B0", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:cp676:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9C9F98FC-D563-4A3F-B189-BD2FED21039D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abb:cp676_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79633C26-AC3B-45C4-A072-8FEA4E17F872", "versionEndIncluding": "bsp_un30_1.76"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}