CVE-2019-9744 - OpenCVE

An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Phoenixcontact	Fl Nat Smcs 8tx Firmware Fl Nat Smn 8tx-m Fl Nat Smn 8tx-m-dmg Fl Nat Smn 8tx Fl Nat Smcs 8tx Fl Nat Smn 8tx-m Firmware Fl Nat Smn 8tx Firmware Fl Nat Smn 8tx-m-dmg Firmware

Configuration 1 [-]

AND

cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx-m-dmg_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:fl_nat_smn_8tx-m-dmg:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx-m_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:fl_nat_smn_8tx-m:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:fl_nat_smn_8tx:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:phoenixcontact:fl_nat_smcs_8tx_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:fl_nat_smcs_8tx:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/108576
https://cert.vde.com/de-de/advisories/vde-2019-006	Mitigation Vendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-19-155-02

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-03-26T19:50:47

Updated: 2019-06-21T15:57:40

Reserved: 2019-03-13T00:00:00

Link: CVE-2019-9744

JSON object: View

NVD Information

Status : Modified

Published: 2019-03-26T20:29:00.837

Modified: 2019-06-05T10:29:00.250

Link: CVE-2019-9744

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-03-25T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-21T15:57:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert.vde.com/de-de/advisories/vde-2019-006"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-155-02"}, {"name": "108576", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108576"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9744", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/de-de/advisories/vde-2019-006", "refsource": "MISC", "url": "https://cert.vde.com/de-de/advisories/vde-2019-006"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-155-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-155-02"}, {"name": "108576", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108576"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9744", "datePublished": "2019-03-26T19:50:47", "dateReserved": "2019-03-13T00:00:00", "dateUpdated": "2019-06-21T15:57:40", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx-m-dmg_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1244ED7-F66E-4309-B2B1-3FEDEE5C149C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:fl_nat_smn_8tx-m-dmg:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1CE60BA-1B37-4709-9E52-1033E1C896FF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx-m_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6285F5F0-9FB9-4D5D-A35C-A7F4CF37F0D7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:fl_nat_smn_8tx-m:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8E560F4-EB19-4A41-A3CC-F88F7BA3BD65", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C845729B-22DB-4BC6-B651-67802D41AE26", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:fl_nat_smn_8tx:-:*:*:*:*:*:*:*", "matchCriteriaId": "427C31A9-C301-4B24-808D-B46E054557D6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:fl_nat_smcs_8tx_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F0436E1-552B-4976-9EED-9CBE4C7A8B08", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:fl_nat_smcs_8tx:-:*:*:*:*:*:*:*", "matchCriteriaId": "8F9A1CED-66E7-4C7A-9E09-ABD66501C640", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier."}, {"lang": "es", "value": "Se ha descubierto un problema en dispositivos PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M y FL NAT SMN 8TX-M-DMG. Hay un acceso no autorizado al WEB-UI por parte de los atacantes que llegan desde la misma direcci\u00f3n IP de origen que un usuario autenticado, ya que esta direcci\u00f3n se emplea como identificador de sesi\u00f3n."}], "id": "CVE-2019-9744", "lastModified": "2019-06-05T10:29:00.250", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-26T20:29:00.837", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/108576"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://cert.vde.com/de-de/advisories/vde-2019-006"}, {"source": "cve@mitre.org", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-155-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}