CVE-2019-5168

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf().This command is later executed via a call to system().

CVSS v3 7.8 HIGH
CVSS v2.0 7.2 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:wago:pfc200_firmware:03.02.02\(14\):*:*:*:*:*:*:*

cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-11 22:27

Updated : 2023-12-10 13:13

NVD link : CVE-2019-5168

Mitre link : CVE-2019-5168

CVE.ORG link : CVE-2019-5168

JSON object : View

Products Affected

wago

pfc200
pfc200_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2019-5168", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2020-03-11T22:27:41.443", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962", "tags": ["Exploit", "Third Party Advisory"], "source": "talos-cna@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf().This command is later executed via a call to system()."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de inyecci\u00f3n de comando explotable en la funci\u00f3n \"I/O-Check\" del servicio iocheckd de WAGO PFC 200 versi\u00f3n 03.02.02(14). Un atacante puede enviar un archivo cache XML especialmente dise\u00f1ado. En 0x1e8a8, el valor de nombre de dominio extra\u00eddo del archivo xml es usado como argumento para /etc/config-tools/edit_dns_server domain-name=(contents of domainname node) usando la funci\u00f3n sprintf(). El comando se ejecuta m\u00e1s tarde por medio de una llamada a la funci\u00f3n system()."}], "lastModified": "2020-03-16T14:16:07.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "688A3248-7EAA-499D-A47C-A4D4900CDBD1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "talos-cna@cisco.com"}