Vulnerability-Lookup

CVE-2018-11691 (GCVE-0-2018-11691)

Vulnerability from cvelistv5 – Published: 2019-05-14 15:09 – Updated: 2024-08-05 08:17

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.emerson.com/documents/automation/delta…	x_refsource_MISC
	https://www.us-cert.gov/ics/advisories/icsa-19-190-01	x_refsource_MISC
	http://www.securityfocus.com/bid/109110	vdb-entryx_refsource_BID

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:17:08.428Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
          },
          {
            "name": "109110",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/109110"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-11T07:06:03",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
        },
        {
          "name": "109110",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/109110"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-11691",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf",
              "refsource": "MISC",
              "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
            },
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
            },
            {
              "name": "109110",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/109110"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-11691",
    "datePublished": "2019-05-14T15:09:34",
    "dateReserved": "2018-06-03T00:00:00",
    "dateUpdated": "2024-08-05T08:17:08.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:emerson:ve6046_firmware:09.0.12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1CCF066D-BAE6-4E29-8079-27BA1798F32A\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:emerson:ve6046:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"03F17F44-79D5-4463-AD37-29013D540AA0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool.\"}, {\"lang\": \"es\", \"value\": \"La aplicaci\\u00f3n Emerson DeltaV Smart Switch Command Center, disponible en las versiones 11.3.xy 12.3.1, no pudo cambiar la contrase\\u00f1a de administraci\\u00f3n de DeltaV Smart Switches al momento de la puesta en servicio. Emerson lanz\\u00f3 parches para las estaciones de trabajo DeltaV para abordar este problema, y los parches se pueden descargar desde el Portal de Soporte Guardian de Emerson. Consulte la Notificaci\\u00f3n de seguridad DeltaV DSN19003 (KBA NK-1900-0808) para obtener m\\u00e1s informaci\\u00f3n sobre este problema. Las versiones 13.3 y posteriores de DeltaV usan la aplicaci\\u00f3n Centro de comando de dispositivos de red para administrar los conmutadores inteligentes DeltaV, y esta nueva aplicaci\\u00f3n no se ve afectada por este problema. Despu\\u00e9s de reparar el Smart Switch Command Center, los usuarios deben comisionar los DeltaV Smart Switches o cambiar la contrase\\u00f1a con la herramienta.\"}]",
      "id": "CVE-2018-11691",
      "lastModified": "2024-11-21T03:43:50.057",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-05-14T16:29:01.360",
      "references": "[{\"url\": \"http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf\", \"source\": \"cve@mitre.org\", \"tags\": [\"Product\"]}, {\"url\": \"http://www.securityfocus.com/bid/109110\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-19-190-01\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"http://www.securityfocus.com/bid/109110\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-19-190-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-11691\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-05-14T16:29:01.360\",\"lastModified\":\"2024-11-21T03:43:50.057\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n Emerson DeltaV Smart Switch Command Center, disponible en las versiones 11.3.xy 12.3.1, no pudo cambiar la contrase\u00f1a de administraci\u00f3n de DeltaV Smart Switches al momento de la puesta en servicio. Emerson lanz\u00f3 parches para las estaciones de trabajo DeltaV para abordar este problema, y los parches se pueden descargar desde el Portal de Soporte Guardian de Emerson. Consulte la Notificaci\u00f3n de seguridad DeltaV DSN19003 (KBA NK-1900-0808) para obtener m\u00e1s informaci\u00f3n sobre este problema. Las versiones 13.3 y posteriores de DeltaV usan la aplicaci\u00f3n Centro de comando de dispositivos de red para administrar los conmutadores inteligentes DeltaV, y esta nueva aplicaci\u00f3n no se ve afectada por este problema. Despu\u00e9s de reparar el Smart Switch Command Center, los usuarios deben comisionar los DeltaV Smart Switches o cambiar la contrase\u00f1a con la herramienta.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:emerson:ve6046_firmware:09.0.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CCF066D-BAE6-4E29-8079-27BA1798F32A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:emerson:ve6046:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03F17F44-79D5-4463-AD37-29013D540AA0\"}]}]}],\"references\":[{\"url\":\"http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"http://www.securityfocus.com/bid/109110\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-19-190-01\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"http://www.securityfocus.com/bid/109110\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-19-190-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

VAR-201905-0771

Vulnerability from variot - Updated: 2023-12-18 12:18

Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches’ management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson’s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool. Emerson VE6046 The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Emerson DeltaV Distributed Control System is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Emerson Electric VE6046 is an intelligent switch made by Emerson Electric (Emerson Electric) in the United States. A trust management issue vulnerability exists in Emerson Electric VE6046 version 09.0.12. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201905-0771",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ve6046",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "emerson",
        "version": "09.0.12"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "emerson",
        "version": "12.3"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "emerson",
        "version": "11.3"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "109110"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:emerson:ve6046_firmware:09.0.12:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:emerson:ve6046:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Benjamin Crosasso of Sanofi",
    "sources": [
      {
        "db": "BID",
        "id": "109110"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2018-11691",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2018-11691",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-121576",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-11691",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-11691",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201905-587",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-121576",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-11691",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11691"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool. Emerson VE6046 The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Emerson DeltaV Distributed Control System is prone to a security-bypass vulnerability. \nAttackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Emerson Electric VE6046 is an intelligent switch made by Emerson Electric (Emerson Electric) in the United States. A trust management issue vulnerability exists in Emerson Electric VE6046 version 09.0.12. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "BID",
        "id": "109110"
      },
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11691"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-11691",
        "trust": 2.9
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-19-190-01",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "109110",
        "trust": 2.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.2521",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-121576",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11691",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11691"
      },
      {
        "db": "BID",
        "id": "109110"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ]
  },
  "id": "VAR-201905-0771",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:18:02.530000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "DeltaV Smart Switches",
        "trust": 0.8,
        "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
      },
      {
        "title": "Automation Solutions",
        "trust": 0.8,
        "url": "http://www.emerson.com/en-us/automation-solutions"
      },
      {
        "title": "DeltaV Smart Switches",
        "trust": 0.8,
        "url": "http://www.emerson.com/en-us/catalog/deltav-deltav-smart-switches"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.9,
        "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
      },
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/109110"
      },
      {
        "trust": 1.8,
        "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11691"
      },
      {
        "trust": 0.9,
        "url": "http://emerson.com"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11691"
      },
      {
        "trust": 0.6,
        "url": "http://www.emerson.com/en-us/catalog/deltav-deltav-smart-switches"
      },
      {
        "trust": 0.6,
        "url": "http://www.emerson.com/en-us/automation-solutions"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.2521/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/798.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11691"
      },
      {
        "db": "BID",
        "id": "109110"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-11691"
      },
      {
        "db": "BID",
        "id": "109110"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-05-14T00:00:00",
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "date": "2019-05-14T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-11691"
      },
      {
        "date": "2019-07-09T00:00:00",
        "db": "BID",
        "id": "109110"
      },
      {
        "date": "2019-06-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "date": "2019-05-14T16:29:01.360000",
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "date": "2019-05-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-02-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-121576"
      },
      {
        "date": "2020-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-11691"
      },
      {
        "date": "2019-07-09T00:00:00",
        "db": "BID",
        "id": "109110"
      },
      {
        "date": "2019-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      },
      {
        "date": "2020-02-10T21:43:04.720000",
        "db": "NVD",
        "id": "CVE-2018-11691"
      },
      {
        "date": "2020-02-12T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Emerson VE6046 Vulnerabilities related to the use of hard-coded credentials on devices",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015441"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-587"
      }
    ],
    "trust": 0.6
  }
}

ICSA-19-190-01

Vulnerability from csaf_cisa - Published: 2019-07-09 00:00 - Updated: 2019-07-09 00:00

Summary

Emerson DeltaV Distributed Control System

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to gain administrative access to DeltaV Smart Switches.

Critical infrastructure sectors

Chemical, Critical Manufacturing, Energy

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Benjamin Crosasso"
        ],
        "organization": "Sanofi",
        "summary": "reporting this vulnerability to Emerson"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to gain administrative access to DeltaV Smart Switches.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Chemical, Critical Manufacturing, Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-190-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-190-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-190-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-190-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Emerson DeltaV Distributed Control System",
    "tracking": {
      "current_release_date": "2019-07-09T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-190-01",
      "initial_release_date": "2019-07-09T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-07-09T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-190-01 Emerson DeltaV Distributed Control System"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12.3.x",
                "product": {
                  "name": "DeltaV DCS: 12.3.x",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "DeltaV DCS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.3.x",
                "product": {
                  "name": "DeltaV DCS: 11.3.x",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "DeltaV DCS"
          }
        ],
        "category": "vendor",
        "name": "Emerson"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-11691",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Smart Switch Command Center does not change the DeltaV Smart Switch management account password upon commissioning as expected, leaving the default password in effect indefinitely.CVE-2018-11691 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11691"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Emerson recommends users patch affected products. Details are available within article DSN19003 (KBA# NK-1900-0808). Software patches and DSN19003 are available to users with access to the Emerson Guardian Support Portal ",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://guardian.emersonprocess.com/"
        },
        {
          "category": "mitigation",
          "details": "To limit exposure to these and other vulnerabilities, Emerson recommends that DeltaV systems and related components be deployed and configured as described in the DeltaV security manual, which can be found in Emerson\u0027s Guardian Support Portal.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    }
  ]
}

GSD-2018-11691

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-11691

Aliases

CVE-2018-11691

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-11691",
    "description": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool.",
    "id": "GSD-2018-11691"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-11691"
      ],
      "details": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool.",
      "id": "GSD-2018-11691",
      "modified": "2023-12-13T01:22:42.166636Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-11691",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf",
            "refsource": "MISC",
            "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
          },
          {
            "name": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01",
            "refsource": "MISC",
            "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
          },
          {
            "name": "109110",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/109110"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:emerson:ve6046_firmware:09.0.12:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:emerson:ve6046:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-11691"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
            },
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01",
              "refsource": "MISC",
              "tags": [],
              "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
            },
            {
              "name": "109110",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/109110"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-02-10T21:43Z",
      "publishedDate": "2019-05-14T16:29Z"
    }
  }
}

GHSA-JXCC-245J-87V3

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-05-24 16:45

Details

Emerson VE6046 09.0.12 devices have hardcoded admin credentials allowing remote connection to the Emerson Smart Switch administrative interface via HTTP or SNMPv3.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-11691"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-14T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Emerson VE6046 09.0.12 devices have hardcoded admin credentials allowing remote connection to the Emerson Smart Switch administrative interface via HTTP or SNMPv3.",
  "id": "GHSA-jxcc-245j-87v3",
  "modified": "2022-05-24T16:45:35Z",
  "published": "2022-05-24T16:45:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11691"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
    },
    {
      "type": "WEB",
      "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.emerson.com/en-us/automation-solutions"
    },
    {
      "type": "WEB",
      "url": "http://www.emerson.com/en-us/catalog/deltav-deltav-smart-switches"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109110"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2018-11691

Vulnerability from fkie_nvd - Published: 2019-05-14 16:29 - Updated: 2024-11-21 03:43

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf	Product
cve@mitre.org	http://www.securityfocus.com/bid/109110
cve@mitre.org	https://www.us-cert.gov/ics/advisories/icsa-19-190-01
af854a3a-2127-422b-91ae-364da2661108	http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf	Product
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/109110
af854a3a-2127-422b-91ae-364da2661108	https://www.us-cert.gov/ics/advisories/icsa-19-190-01

Impacted products

	Vendor	Product	Version
	emerson	ve6046_firmware	09.0.12
	emerson	ve6046	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:emerson:ve6046_firmware:09.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CCF066D-BAE6-4E29-8079-27BA1798F32A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:emerson:ve6046:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "03F17F44-79D5-4463-AD37-29013D540AA0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches\u2019 management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson\u2019s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool."
    },
    {
      "lang": "es",
      "value": "La aplicaci\u00f3n Emerson DeltaV Smart Switch Command Center, disponible en las versiones 11.3.xy 12.3.1, no pudo cambiar la contrase\u00f1a de administraci\u00f3n de DeltaV Smart Switches al momento de la puesta en servicio. Emerson lanz\u00f3 parches para las estaciones de trabajo DeltaV para abordar este problema, y los parches se pueden descargar desde el Portal de Soporte Guardian de Emerson. Consulte la Notificaci\u00f3n de seguridad DeltaV DSN19003 (KBA NK-1900-0808) para obtener m\u00e1s informaci\u00f3n sobre este problema. Las versiones 13.3 y posteriores de DeltaV usan la aplicaci\u00f3n Centro de comando de dispositivos de red para administrar los conmutadores inteligentes DeltaV, y esta nueva aplicaci\u00f3n no se ve afectada por este problema. Despu\u00e9s de reparar el Smart Switch Command Center, los usuarios deben comisionar los DeltaV Smart Switches o cambiar la contrase\u00f1a con la herramienta."
    }
  ],
  "id": "CVE-2018-11691",
  "lastModified": "2024-11-21T03:43:50.057",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-05-14T16:29:01.360",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/109110"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/109110"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-190-01"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-11691 (GCVE-0-2018-11691)

VAR-201905-0771

ICSA-19-190-01

GSD-2018-11691

GHSA-JXCC-245J-87V3

FKIE_CVE-2018-11691

Tags

Sightings

Nomenclature