Main Vulnerability Database Vulnerabilities #VU26604

#VU26604 Permissions, Privileges, and Access Controls in Automation Studio - CVE-2019-19100

Published: April 6, 2020

Vulnerability identifier: #VU26604

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-19100

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Automation Studio

Software vendor:
B&R Industrial Automation GmbH

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper permission checks in the upgrade service. A local user can delete arbitrary files via an exposed interface.

This vulnerability affects the following versions:

Automation Studio, Versions 4.0.x

Automation Studio, Versions 4.1.x

Automation Studio, Versions 4.2.x

Automation Studio, versions prior to 4.3.11SP

Automation Studio, versions prior to 4.4.9SP

Automation Studio, versions prior to 4.5.4SP

Automation Studio, versions prior to 4.6.3SP

Automation Studio, versions prior to 4.7.2

Automation Studio, versions prior to 4.8.1

Install updates from vendor's website.