Improper Authorization in B&R Industrial Automation Automation Studio and Automation Runtime
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-19108 |
| CWE-ID | CWE-285 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Automation Studio Other software / Other software solutions Automation Runtime Server applications / Frameworks for developing and running applications |
| Vendor | B&R Industrial Automation GmbH |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Authorization
EUVDB-ID: #VU25500
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-19108
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass authorization checks.
The vulnerability exists due to a weakness in SNMP service. A remote attacker can modify the configuration of affected devices via the service.
The following versions of B&R products are affected:
- Automation Studio Versions 2.7, 3.0.71, 3.0.80, 3.0.81, 3.0.90, 4.0.x to 4.6.4, and 4.7.2
- Automation Runtime Versions 2.96, 3.00, 3.01, 3.06, 3.07, 3.08 to 3.10, 4.00 to 4.03, 4.04 to 4.03, 4.04 to 4.63, 4.72 and above.
Vendor recommends to update to the following versions.
- AS 4.6.5 (Planned release date: 2020-03-27) and higher
- AS 4.7.3 (Planned release date: 2020-04-10) and higher
- AS 4.8.2 (Planned release date: 2020-06-11) and higher
Automation Studio: All versions
Automation Runtime: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-20-051-01
http://www.br-automation.com/en/downloads/012020-automation-runtime-snmp-authentication-weakness/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
