CVE-2019-13940 Information

Description

A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions V4.1) SIMATIC S7-300 PN/DP CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions V3.X.17) SIMATIC S7-400 PN/DP V6 and below CPU family (incl. SIPLUS variants) (All versions) SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants) (All versions) SIMATIC WinAC RTX (F) 2010 (All versions). Affected devices contain a vulnerability that could cause a Denial-of-Service condition of the web server by sending specially crafted HTTP requests to ports 80/tcp and 443/tcp. The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device’s web server. Beyond the web service no other functions or interfaces are affected by the Denial-of-Service condition.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

https://cert-portal.siemens.com/productcert/pdf/ssa-431678.pdf https://www.us-cert.gov/ics/advisories/icsa-20-042-05

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.5