Lucene search

SiemensCVE-2018-13804

HistoryDec 13, 2018 - 4:29 p.m.

CVE-2018-13804

2018-12-1316:29:00

CWE-287

siemens

web.nvd.nist.gov

vulnerability

simatic it lms

simatic it production suite

bypass

authentication

network access

confidentiality

integrity

availability

nvd

cve-2018-13804

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.003

Percentile

65.4%

JSON

A vulnerability has been identified in SIMATIC IT LMS (All versions), SIMATIC IT Production Suite (Versions V7.1 < V7.1 Upd3), SIMATIC IT UA Discrete Manufacturing (Versions < V1.2), SIMATIC IT UA Discrete Manufacturing (Versions V1.2), SIMATIC IT UA Discrete Manufacturing (Versions V1.3), SIMATIC IT UA Discrete Manufacturing (Versions V2.3), SIMATIC IT UA Discrete Manufacturing (Versions V2.4). An attacker with network access to the installation could bypass the application-level authentication. In order to exploit the vulnerability, an attacker must obtain network access to an affected installation and must obtain a valid username to the system. Successful exploitation requires no user privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. At the time of advisory publication no public exploitation of this vulnerability was known.

Affected configurations

Nvd

Node

siemenssimatic_it_line_monitoring_system

siemenssimatic_it_production_suiteMatchv7.1

siemenssimatic_it_ua_discrete_manufacturingRange≤v1.2

siemenssimatic_it_ua_discrete_manufacturingMatchv1.3

siemenssimatic_it_ua_discrete_manufacturingMatchv2.3

siemenssimatic_it_ua_discrete_manufacturingMatchv2.4

VendorProductVersionCPE
siemenssimatic_it_line_monitoring_system*cpe:2.3:a:siemens:simatic_it_line_monitoring_system:*:*:*:*:*:*:*:*
siemenssimatic_it_production_suitev7.1cpe:2.3:a:siemens:simatic_it_production_suite:v7.1:*:*:*:*:*:*:*
siemenssimatic_it_ua_discrete_manufacturing*cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:*:*:*:*:*:*:*:*
siemenssimatic_it_ua_discrete_manufacturingv1.3cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:v1.3:*:*:*:*:*:*:*
siemenssimatic_it_ua_discrete_manufacturingv2.3cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:v2.3:*:*:*:*:*:*:*
siemenssimatic_it_ua_discrete_manufacturingv2.4cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:v2.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
siemens	simatic_it_line_monitoring_system	*	cpe:2.3:a:siemens:simatic_it_line_monitoring_system::::::::
siemens	simatic_it_production_suite	v7.1	cpe:2.3:a:siemens:simatic_it_production_suite:v7.1:::::::*
siemens	simatic_it_ua_discrete_manufacturing	*	cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing::::::::
siemens	simatic_it_ua_discrete_manufacturing	v1.3	cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:v1.3:::::::*
siemens	simatic_it_ua_discrete_manufacturing	v2.3	cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:v2.3:::::::*
siemens	simatic_it_ua_discrete_manufacturing	v2.4	cpe:2.3:a:siemens:simatic_it_ua_discrete_manufacturing:v2.4:::::::*

CNA Affected

[
  {
    "product": "SIMATIC IT LMS, SIMATIC IT Production Suite, SIMATIC IT UA Discrete Manufacturing, SIMATIC IT UA Discrete Manufacturing, SIMATIC IT UA Discrete Manufacturing, SIMATIC IT UA Discrete Manufacturing, SIMATIC IT UA Discrete Manufacturing",
    "vendor": "Siemens AG",
    "versions": [
      {
        "status": "affected",
        "version": "SIMATIC IT LMS : All versions"
      },
      {
        "status": "affected",
        "version": "SIMATIC IT Production Suite : Versions V7.1 < V7.1 Upd3"
      },
      {
        "status": "affected",
        "version": "SIMATIC IT UA Discrete Manufacturing : Versions < V1.2"
      },
      {
        "status": "affected",
        "version": "SIMATIC IT UA Discrete Manufacturing : Versions V1.2"
      },
      {
        "status": "affected",
        "version": "SIMATIC IT UA Discrete Manufacturing : Versions V1.3"
      },
      {
        "status": "affected",
        "version": "SIMATIC IT UA Discrete Manufacturing : Versions V2.3"
      },
      {
        "status": "affected",
        "version": "SIMATIC IT UA Discrete Manufacturing : Versions V2.4"
      }
    ]
  }
]

References

www.securityfocus.com/bid/105924

cert-portal.siemens.com/productcert/pdf/ssa-886615.pdf

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.003

Percentile

65.4%

JSON

Related for CVE-2018-13804