PT-2019-5351 · Siemens · Sppa-T3000 Application Server

Published

2019-12-10

Updated

2022-03-04

CVE-2019-18284

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions SPPA-T3000 Application Server versions prior to Service Pack R8.2 SP2

Description The issue is related to the availability of the AdminService without authentication on the Application Server, allowing an attacker to access server administration services and obtain password hashes of server application users. An attacker can exploit this to change user passwords, but they need access to the Application Highway. There are no known public exploitations of this issue at the time of reporting.

Recommendations For versions prior to Service Pack R8.2 SP2, update to Service Pack R8.2 SP2 or later to resolve the issue. As a temporary workaround, consider restricting access to the AdminService interface until a patch is available.

Fix

Missing Authentication

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306CWE-287

Related Identifiers

BDU:2020-02447

CVE-2019-18284

Affected Products

Sppa-T3000 Application Server

PT-2019-5351 · Siemens · Sppa-T3000 Application Server

CVE-2019-18284

Weakness Enumeration

Related Identifiers

Affected Products

References · 6