CVE-2019-16674

Q: What is the severity of CVE-2019-16674?

CVE-2019-16674 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to predict authentication cookies used by Weidmueller industrial switches, potentially leading to admin password compromise. Attackers can capture network traffic to obtain predictable authentication information and gain administrative access. Organizations using affected Weidmueller IE-SW-VL05M, IE-SW-VL08MT, and IE-SW-PL10M devices are at risk.

9.8 CRITICAL

Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to predict authentication cookies used by Weidmueller industrial switches, potentially leading to admin password compromise. Attackers can capture network traffic to obtain predictable authentication information and gain administrative access. Organizations using affected Weidmueller IE-SW-VL05M, IE-SW-VL08MT, and IE-SW-PL10M devices are at risk.

💻 Affected Systems

Products:

Weidmueller IE-SW-VL05M
Weidmueller IE-SW-VL08MT
Weidmueller IE-SW-PL10M

Versions: IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, IE-SW-PL10M 3.3.16 Build 16102416

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices with default configurations are vulnerable. The vulnerability exists in the authentication cookie mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative compromise of industrial network switches, allowing attackers to reconfigure network infrastructure, disrupt operations, or pivot to other critical systems.

🟠

Likely Case

Unauthorized administrative access to network switches, enabling network reconnaissance, configuration changes, and potential disruption of industrial operations.

🟢

If Mitigated

Limited impact with proper network segmentation, monitoring, and access controls preventing cookie capture and exploitation.

🌐 Internet-Facing: HIGH if devices are exposed to internet, as attackers can remotely capture predictable authentication cookies.

🏢 Internal Only: MEDIUM as attackers would need internal network access, but predictable cookies make exploitation straightforward once network traffic is captured.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires network traffic capture to obtain predictable authentication cookies, but once captured, exploitation is straightforward. No authentication bypass needed if cookies are captured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Weidmueller for updated firmware versions

Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2019-018

Restart Required: Yes

Instructions:

1. Contact Weidmueller support for updated firmware. 2. Backup current configuration. 3. Apply firmware update following vendor instructions. 4. Restart device. 5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected switches in dedicated VLANs with strict access controls to prevent unauthorized network traffic capture.

Encrypted Management Traffic

all

Use HTTPS/SSH for management interfaces instead of HTTP to prevent cookie capture in plaintext.

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected devices from untrusted networks
Deploy network monitoring and IDS/IPS to detect authentication cookie capture attempts

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected versions. Monitor network traffic for predictable authentication cookies in HTTP requests.

Check Version:

Check via web interface or CLI: show version or similar vendor-specific command

Verify Fix Applied:

Verify updated firmware version is installed. Test that authentication cookies are no longer predictable and are properly randomized.

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful login with predictable patterns
Administrative access from unexpected IP addresses

Network Indicators:

HTTP traffic containing predictable authentication cookies
Network sniffing attempts targeting switch management interfaces

SIEM Query:

source="network_switch" AND (http.cookie CONTAINS "predictable_pattern" OR auth_failure > 3)

📊 Metadata

CVE ID: CVE-2019-16674

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-330

Published: December 6, 2019

Last Updated: November 21, 2024

🔗 References

https://cert.vde.com/en-us/advisories Third Party Advisory
https://cert.vde.com/en-us/advisories/vde-2019-018 Third Party Advisory
https://mdcop.weidmueller.com/mediadelivery/asset/900_102694 Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-339-02 Third Party Advisory
https://cert.vde.com/en-us/advisories Third Party Advisory
https://cert.vde.com/en-us/advisories/vde-2019-018 Third Party Advisory
https://mdcop.weidmueller.com/mediadelivery/asset/900_102694 Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-339-02 Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ie Sw Pl08m 6tx 2sc Firmware by Weidmueller

Ie Sw Pl08m 6tx 2scs Firmware by Weidmueller

Ie Sw Pl08m 6tx 2st Firmware by Weidmueller

Ie Sw Pl08m 8tx Firmware by Weidmueller

Ie Sw Pl08mt 6tx 2sc Firmware by Weidmueller

Ie Sw Pl08mt 6tx 2scs Firmware by Weidmueller

Ie Sw Pl08mt 6tx 2st Firmware by Weidmueller

Ie Sw Pl08mt 8tx Firmware by Weidmueller

Ie Sw Pl09m 5gc 4gt Firmware by Weidmueller

Ie Sw Pl09mt 5gc 4gt Firmware by Weidmueller

Ie Sw Pl10m 1gt 2gs 7tx Firmware by Weidmueller

Ie Sw Pl10m 3gt 7tx Firmware by Weidmueller

Ie Sw Pl10mt 1gt 2gs 7tx Firmware by Weidmueller

Ie Sw Pl10mt 3gt 7tx Firmware by Weidmueller

Ie Sw Pl16m 14tx 2sc Firmware by Weidmueller

Ie Sw Pl16m 14tx 2st Firmware by Weidmueller

Ie Sw Pl16m 16tx Firmware by Weidmueller

Ie Sw Pl16mt 14tx 2sc Firmware by Weidmueller

Ie Sw Pl16mt 14tx 2st Firmware by Weidmueller

Ie Sw Pl16mt 16tx Firmware by Weidmueller

Ie Sw Pl18m 2gc 16tx Firmware by Weidmueller

Ie Sw Pl18m 2gc14tx2sc Firmware by Weidmueller

Ie Sw Pl18m 2gc14tx2scs Firmware by Weidmueller

Ie Sw Pl18m 2gc14tx2st Firmware by Weidmueller

Ie Sw Pl18mt 2gc 16tx Firmware by Weidmueller

Ie Sw Pl18mt 2gc14tx2sc Firmware by Weidmueller

Ie Sw Pl18mt 2gc14tx2scs Firmware by Weidmueller

Ie Sw Pl18mt 2gc14tx2st Firmware by Weidmueller

Ie Sw Vl05m 3tx 2sc Firmware by Weidmueller

Ie Sw Vl05m 3tx 2st Firmware by Weidmueller

Ie Sw Vl05m 5tx Firmware by Weidmueller

Ie Sw Vl05mt 3tx 2sc Firmware by Weidmueller

Ie Sw Vl05mt 3tx 2st Firmware by Weidmueller

Ie Sw Vl05mt 5tx Firmware by Weidmueller

Ie Sw Vl08mt 5tx 1sc 2scs Firmware by Weidmueller

Ie Sw Vl08mt 5tx 3sc Firmware by Weidmueller

Ie Sw Vl08mt 6tx 2sc Firmware by Weidmueller

Ie Sw Vl08mt 6tx 2scs Firmware by Weidmueller

Ie Sw Vl08mt 6tx 2st Firmware by Weidmueller

Ie Sw Vl08mt 8tx Firmware by Weidmueller