Description
A missing secure communication definition and incomplete TLS validation in the upgrade service of B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 allow an unauthenticated attacker to perform man-in-the-middle (MITM) attacks on the connection to the B&R upgrade server.
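The weakness described above is a client that speaks TLS to its update server but does not actually verify who it is talking to. The following added example (not B&R code, and not a reproduction of the Automation Studio upgrade service) shows, in Python's standard `ssl` module, the incomplete-validation configuration beside a hardened one, plus an audit function a defender can use to confirm an update client's TLS context rejects an on-path party. The upgrade URL is a constructed placeholder.

```python
import ssl
import urllib.request

# Constructed placeholder for an update endpoint; not a real B&R URL.
UPGRADE_URL = "https://upgrade.example.invalid/automation-studio/update.zip"


def make_weak_context():
    """The pattern the advisory describes: TLS is used, but neither the
    certificate chain nor the hostname is verified, so any on-path party
    can present its own certificate and the client will accept it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context(ca_bundle=None):
    """Complete validation: chain verified against a trusted CA bundle
    (or the platform store), hostname checked, legacy TLS refused."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validation_gaps(ctx):
    """Return a list of reasons why this context would let a MITM succeed.
    An empty list means the context performs complete TLS validation."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        gaps.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        gaps.append("legacy TLS versions below 1.2 are accepted")
    return gaps


def check_upgrade_channel(url, ctx):
    """Pre-flight check for an update download: the channel must be HTTPS
    and the context must validate the peer. Returns a list of problems."""
    problems = []
    if not url.lower().startswith("https://"):
        problems.append("upgrade endpoint is not HTTPS (no secure communication defined)")
    problems.extend(validation_gaps(ctx))
    return problems


def fetch_update(url, ctx, timeout=30):
    """Download an update only over a properly validated TLS channel.
    Raises instead of silently falling back to an unverified connection."""
    problems = check_upgrade_channel(url, ctx)
    if problems:
        raise RuntimeError("refusing insecure upgrade channel: " + "; ".join(problems))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("weak", make_weak_context()), ("hardened", make_hardened_context())):
        print(name, "->", check_upgrade_channel(UPGRADE_URL, ctx) or "OK")
```

Running the audit against an update client's context before every download, rather than relying on the library defaults, is what turns "TLS is enabled" into an enforced property; the weak context above still completes a handshake successfully, which is why this class of flaw is easy to miss in testing.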
CVSS breakdown (CVSS 3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Affected products (vendor / product, affected versions)
- B&R / Automation Studio 4.0.x
- B&R / Automation Studio 4.1.x
- B&R / Automation Studio 4.2.x
- B&R / Automation Studio < 4.3.11SP
- B&R / Automation Studio < 4.4.9SP
- B&R / Automation Studio < 4.5.5SP
- B&R / Automation Studio < 4.6.3SP
- B&R / Automation Studio < 4.7.2