Vulnerability CVE-2019-13523

Vulnerability CVE-2019-13523

Published: 2019-09-26

Description:

In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104,HEN08144,HEN081124,HEN16104,HEN16144,HEN16184,HEN16204,HEN162244,HEN16284,HEN16304,HEN16384,HEN32104,HEN321124,HEN32204,HEN32284,HEN322164,HEN32304, HEN32384,HEN323164,HEN64204,HEN64304,HEN643164,HEN643324,HEN643484,HEN04103,HEN04113,HEN04123,HEN08103,HEN08113,HEN08123,HEN08143,HEN16103,HEN16123,HEN16143,HEN16163,HEN04103L,HEN08103L,HEN16103L,HEN32103L.

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
5/10	2.9/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	None	None

Affected software
Honeywell -> Hen16144 firmware
Honeywell -> Hen32384 firmware
Honeywell -> Hen04103l firmware
Honeywell -> Hen16163 firmware
Honeywell -> Hen64204 firmware
Honeywell -> H2w2pc1m firmware
Honeywell -> Hen04113 firmware
Honeywell -> Hen16184 firmware
Honeywell -> Hen64304 firmware
Honeywell -> H2w2per3 firmware
Honeywell -> Hen04123 firmware
Honeywell -> Hen16204 firmware
Honeywell -> Hen643164 firmware
Honeywell -> H2w4per3 firmware
Honeywell -> Hen08103 firmware
Honeywell -> Hen162244 firmware
Honeywell -> Hen643324 firmware
Honeywell -> H4d3prv2 firmware
Honeywell -> Hen08103l firmware
Honeywell -> Hen16284 firmware
Honeywell -> Hen643484 firmware
Honeywell -> H4d3prv3 firmware
Honeywell -> Hen08104 firmware
Honeywell -> Hen16304 firmware
Honeywell -> Hew2per2 firmware
Honeywell -> H4w2per2 firmware
Honeywell -> Hen081124 firmware
Honeywell -> Hen16384 firmware
Honeywell -> Hew2per3 firmware
Honeywell -> H4w2per3 firmware
Honeywell -> Hen08113 firmware
Honeywell -> Hen32103l firmware
Honeywell -> Hew4per2 firmware
Honeywell -> H4w8pr2 firmware
Honeywell -> Hen08123 firmware
Honeywell -> Hen32104 firmware
Honeywell -> Hew4per2b firmware
Honeywell -> Hbd3pr1 firmware
Honeywell -> Hen08143 firmware
Honeywell -> Hen321124 firmware
Honeywell -> Hew4per3b firmware
Honeywell -> Hbd3pr2 firmware
Honeywell -> Hen08144 firmware
Honeywell -> Hen32204 firmware
Honeywell -> Hpw2p1 firmware
Honeywell -> Hbw2per1 firmware
Honeywell -> Hen16103 firmware
Honeywell -> Hen322164 firmware
Honeywell -> Hbw2per2 firmware
Honeywell -> Hen16103l firmware
Honeywell -> Hen32284 firmware
Honeywell -> Hbw8pr2 firmware
Honeywell -> Hen16104 firmware
Honeywell -> Hen32304 firmware
Honeywell -> Hed3pr3 firmware
Honeywell -> Hen16123 firmware
Honeywell -> Hen323164 firmware
Honeywell -> Hen04103 firmware
Honeywell -> Hen16143 firmware

References:

https://www.us-cert.gov/ics/advisories/icsa-19-260-03

Vulnerability CVE-2019-13523

CWE-200

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

5/10

2.9/10

10/10

Remote

Low

No required

Partial

None

None

Affected software

References: