Improper Authorization in Automation Studio and Automation Runtime - CVE-2019-19108
Published: February 21, 2020
Vulnerability identifier: #VU25500
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-19108
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: B&R Industrial Automation GmbH
Affected software:
Automation Studio
Automation Runtime
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to missing authorization in the SNMP service of the affected products. A remote attacker who can reach the SNMP service over the network can modify the configuration of affected devices through it without authenticating.
The following versions of B&R products are affected:
- Automation Studio Versions 2.7, 3.0.71, 3.0.80, 3.0.81, 3.0.90, 4.0.x to 4.6.4, and 4.7.2
- Automation Runtime Versions 2.96, 3.00, 3.01, 3.06, 3.07, 3.08 to 3.10, 4.00 to 4.03, 4.04 to 4.03, 4.04 to 4.63, 4.72 and above.
How to mitigate CVE-2019-19108
The vendor recommends updating to the following versions:
- AS 4.6.5 (Planned release date: 2020-03-27) and higher
- AS 4.7.3 (Planned release date: 2020-04-10) and higher
- AS 4.8.2 (Planned release date: 2020-06-11) and higher