CVE-2019-13533

In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope CHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsa-19-346-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:omron:plc_cj_firmware::::::::
	cpe:2.3:o:omron:plc_cs_firmware::::::::

History

No history.

Information

Published : 2019-12-16 20:15

Updated : 2024-02-28 17:28

NVD link : CVE-2019-13533

Mitre link : CVE-2019-13533

CVE.ORG link : CVE-2019-13533

JSON object : View

Products Affected

omron

plc_cs_firmware
plc_cj_firmware

CWE

CWE-294

Authentication Bypass by Capture-replay

{"id": "CVE-2019-13533", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.3, "exploitabilityScore": 2.2}]}, "published": "2019-12-16T20:15:14.743", "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-294"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-294"}]}], "descriptions": [{"lang": "en", "value": "In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves."}, {"lang": "es", "value": "En el Omron PLC CJ series, todas las versiones, y el Omron PLC CS series, todas las versiones, un atacante podr\u00eda monitorear el tr\u00e1fico entre el PLC y el controlador y reproducir las peticiones que podr\u00edan resultar en la apertura y cierre de v\u00e1lvulas industriales."}], "lastModified": "2020-01-02T19:53:22.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:omron:plc_cj_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AF2C347-B4A7-4505-98A4-AFDCB1FCD386"}, {"criteria": "cpe:2.3:o:omron:plc_cs_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF9CD76C-F6E9-4E01-A039-4049B706DD92"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}