cvelistv5 - cve-2018-19021

CVE-2018-19021 (GCVE-0-2018-19021)

Vulnerability from cvelistv5 – Published: 2019-01-25 20:00 – Updated: 2024-09-17 03:52

Summary

Severity ?

No CVSS data available.

CWE

CWE-307 - Authentication Bypass CWE-307

Assigner

icscert

References

URL

	Vendor	Product	Version
	Emerson	Emerson DeltaV	Affected: DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior.

FKIE_CVE-2018-19021

Vulnerability from fkie_nvd - Published: 2019-01-25 20:29 - Updated: 2024-11-21 03:57

Severity ?

6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/106522	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/106522	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
emerson	deltav	*
emerson	deltav	11.3.1
emerson	deltav	11.3.2
emerson	deltav	12.3.1
emerson	deltav	13.3.1
emerson	deltav	14.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:emerson:deltav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00E8CCB6-9595-40D1-AC55-DD9CF1DCAB98",
              "versionEndIncluding": "r6",
              "versionStartIncluding": "r5.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:emerson:deltav:11.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "943B3480-56C4-4131-BE8F-62FE035D4619",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:emerson:deltav:11.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "48E61C07-A184-42A2-910A-50A8B81E120F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:emerson:deltav:12.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "18C1FF31-4D2F-4678-8F7E-826F3E313EF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:emerson:deltav:13.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "01456184-6B25-4029-82D4-F5BF16180D7D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:emerson:deltav:14.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "34EE3357-D4EE-4994-9466-DB82F1A858A9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service."
    },
    {
      "lang": "es",
      "value": "Un script especialmente manipulado podr\u00eda omitir la autenticaci\u00f3n de un puerto de mantenimiento de Emerson DeltaV DCS, en versiones 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 y anteriores, lo que podr\u00eda permitir a un atacante provocar una denegaci\u00f3n de servicio (DoS)."
    }
  ],
  "id": "CVE-2018-19021",
  "lastModified": "2024-11-21T03:57:10.977",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 3.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-01-25T20:29:00.283",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/106522"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/106522"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-19021

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-19021

Aliases

CVE-2018-19021

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-19021",
    "description": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.",
    "id": "GSD-2018-19021"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-19021"
      ],
      "details": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.",
      "id": "GSD-2018-19021",
      "modified": "2023-12-13T01:22:39.192073Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2019-01-10T00:00:00",
        "ID": "CVE-2018-19021",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Emerson DeltaV",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior."
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Emerson"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Authentication Bypass CWE-307"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "106522",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/106522"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:12.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:11.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:13.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:11.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:14.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "r6",
                "versionStartIncluding": "r5.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2018-19021"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-307"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
            },
            {
              "name": "106522",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/106522"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 6.5,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-07-12T15:17Z",
      "publishedDate": "2019-01-25T20:29Z"
    }
  }
}

CNVD-2019-01681

Vulnerability from cnvd - Published: 2019-01-16

Title

Emerson DeltaV Distributed Control System身份验证绕过漏洞

Description

Emerson DeltaV Distributed Control System是美国艾默生电气（Emerson Electric）公司的一套自动化分布式控制系统。该系统包括网络安全管理、报警管理、批量控制和变更管理等功能。 Emerson DeltaV Distributed Control System中存在身份验证绕过漏洞，远程攻击者可利用该漏洞绕过身份验证机制并造成拒绝服务。

Severity

中

Patch Name

Emerson DeltaV Distributed Control System身份验证绕过漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.emerson.com/

Reference

http://www.securityfocus.com/bid/106522

Impacted products

Name
['Emerson Electric DeltaV Distributed Control System 11.3.1', 'Emerson Electric DeltaV Distributed Control System 11.3.2', 'Emerson Electric DeltaV Distributed Control System 12.3.1', 'Emerson Electric DeltaV Distributed Control System 13.3.1', 'Emerson Electric DeltaV Distributed Control System 14.3', 'Emerson Electric DeltaV Distributed Control System R5.1', 'Emerson Electric DeltaV Distributed Control System <=R6']

Name

['Emerson Electric DeltaV Distributed Control System 11.3.1', 'Emerson Electric DeltaV Distributed Control System 11.3.2', 'Emerson Electric DeltaV Distributed Control System 12.3.1', 'Emerson Electric DeltaV Distributed Control System 13.3.1', 'Emerson Electric DeltaV Distributed Control System 14.3', 'Emerson Electric DeltaV Distributed Control System R5.1', 'Emerson Electric DeltaV Distributed Control System <=R6']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "106522"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-19021"
    }
  },
  "description": "Emerson DeltaV Distributed Control System\u662f\u7f8e\u56fd\u827e\u9ed8\u751f\u7535\u6c14\uff08Emerson Electric\uff09\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u5206\u5e03\u5f0f\u63a7\u5236\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u5305\u62ec\u7f51\u7edc\u5b89\u5168\u7ba1\u7406\u3001\u62a5\u8b66\u7ba1\u7406\u3001\u6279\u91cf\u63a7\u5236\u548c\u53d8\u66f4\u7ba1\u7406\u7b49\u529f\u80fd\u3002\n\nEmerson DeltaV Distributed Control System\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u5e76\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Alexander Nochvay",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.emerson.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-01681",
  "openTime": "2019-01-16",
  "patchDescription": "Emerson DeltaV Distributed Control System\u662f\u7f8e\u56fd\u827e\u9ed8\u751f\u7535\u6c14\uff08Emerson Electric\uff09\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u5206\u5e03\u5f0f\u63a7\u5236\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u5305\u62ec\u7f51\u7edc\u5b89\u5168\u7ba1\u7406\u3001\u62a5\u8b66\u7ba1\u7406\u3001\u6279\u91cf\u63a7\u5236\u548c\u53d8\u66f4\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nEmerson DeltaV Distributed Control System\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u5e76\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Emerson DeltaV Distributed Control System\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Emerson Electric DeltaV Distributed Control System 11.3.1",
      "Emerson Electric DeltaV Distributed Control System 11.3.2",
      "Emerson Electric DeltaV Distributed Control System 12.3.1",
      "Emerson Electric DeltaV Distributed Control System 13.3.1",
      "Emerson Electric DeltaV Distributed Control System 14.3",
      "Emerson Electric DeltaV Distributed Control System R5.1",
      "Emerson Electric DeltaV Distributed Control System \u003c=R6"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/106522",
  "serverity": "\u4e2d",
  "submitTime": "2019-01-15",
  "title": "Emerson DeltaV Distributed Control System\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e"
}

VAR-201901-0856

Vulnerability from variot - Updated: 2023-12-18 13:23

A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service. Emerson DeltaV DCS Contains vulnerabilities related to authorization, permissions, and access control.Service operation interruption (DoS) There is a possibility of being put into a state. The Emerson DeltaV Distributed Control System is an automated distributed control system from Emerson Electric. The system includes network security management, alarm management, batch control and change management. Emerson DeltaV is prone to an authentication-bypass vulnerability. DeltaV Distributed Control System 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior are vulnerable

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201901-0856",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "deltav",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "emerson",
        "version": "13.3.1"
      },
      {
        "model": "deltav",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "emerson",
        "version": "11.3.2"
      },
      {
        "model": "deltav",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "emerson",
        "version": "11.3.1"
      },
      {
        "model": "deltav",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "emerson",
        "version": "12.3.1"
      },
      {
        "model": "deltav",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "emerson",
        "version": "14.3"
      },
      {
        "model": "deltav",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "emerson",
        "version": "r6"
      },
      {
        "model": "deltav",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "emerson",
        "version": "r5.1"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "11.3.1"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "11.3.2"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "12.3.1"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "13.3.1"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "14.3"
      },
      {
        "model": "deltav distributed control system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "r5.1"
      },
      {
        "model": "deltav distributed control system",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "emerson",
        "version": "r6"
      },
      {
        "model": "electric deltav distributed control system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "emerson",
        "version": "11.3.1"
      },
      {
        "model": "electric deltav distributed control system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "emerson",
        "version": "11.3.2"
      },
      {
        "model": "electric deltav distributed control system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "emerson",
        "version": "12.3.1"
      },
      {
        "model": "electric deltav distributed control system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "emerson",
        "version": "13.3.1"
      },
      {
        "model": "electric deltav distributed control system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "emerson",
        "version": "14.3"
      },
      {
        "model": "electric deltav distributed control system r5.1",
        "scope": null,
        "trust": 0.6,
        "vendor": "emerson",
        "version": null
      },
      {
        "model": "electric deltav distributed control system \u003c=r6",
        "scope": null,
        "trust": 0.6,
        "vendor": "emerson",
        "version": null
      },
      {
        "model": "deltav r6",
        "scope": null,
        "trust": 0.3,
        "vendor": "emerson",
        "version": null
      },
      {
        "model": "deltav r5.1",
        "scope": null,
        "trust": 0.3,
        "vendor": "emerson",
        "version": null
      },
      {
        "model": "deltav",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "emerson",
        "version": "14.3.2"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": "11.3.1"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": "11.3.2"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": "12.3.1"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": "13.3.1"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": "14.3"
      },
      {
        "model": "r5.1",
        "scope": null,
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": null
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "deltav distributed control system",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "BID",
        "id": "106522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:12.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:11.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:13.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:11.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:14.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:emerson:deltav:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "r6",
                "versionStartIncluding": "r5.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Alexander Nochvay of Kaspersky Lab",
    "sources": [
      {
        "db": "BID",
        "id": "106522"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2018-19021",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.5,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Adjacent Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 3.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-19021",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-01681",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 2.8,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-19021",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-19021",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-01681",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201901-433",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service. Emerson DeltaV DCS Contains vulnerabilities related to authorization, permissions, and access control.Service operation interruption (DoS) There is a possibility of being put into a state. The Emerson DeltaV Distributed Control System is an automated distributed control system from Emerson Electric. The system includes network security management, alarm management, batch control and change management. Emerson DeltaV is prone to an authentication-bypass vulnerability. \nDeltaV Distributed Control System 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior are vulnerable",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "BID",
        "id": "106522"
      },
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-19021",
        "trust": 3.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-19-010-01",
        "trust": 2.7
      },
      {
        "db": "BID",
        "id": "106522",
        "trust": 2.5
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "7D84CD0F-463F-11E9-95FB-000C29342CB1",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "BID",
        "id": "106522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "id": "VAR-201901-0856",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      }
    ],
    "trust": 1.8
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:23:49.749000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "DeltaV Distributed Control System",
        "trust": 0.8,
        "url": "https://www.emerson.com/en-us/automation/control-and-safety-systems/distributed-control-systems-dcs/deltav-distributed-control-system"
      },
      {
        "title": "Emerson DeltaV Distributed Control System Authentication Vulnerability Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/150173"
      },
      {
        "title": "Emerson DeltaV Distributed Control System Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=88591"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-307",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-264",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.7,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-19-010-01"
      },
      {
        "trust": 2.2,
        "url": "http://www.securityfocus.com/bid/106522"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19021"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-19021"
      },
      {
        "trust": 0.3,
        "url": "http://emerson.com"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "BID",
        "id": "106522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "db": "BID",
        "id": "106522"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-01-16T00:00:00",
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "date": "2019-01-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "date": "2019-01-10T00:00:00",
        "db": "BID",
        "id": "106522"
      },
      {
        "date": "2019-03-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "date": "2019-01-25T20:29:00.283000",
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "date": "2019-01-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-01-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      },
      {
        "date": "2019-01-10T00:00:00",
        "db": "BID",
        "id": "106522"
      },
      {
        "date": "2019-03-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013887"
      },
      {
        "date": "2022-07-12T15:17:13.403000",
        "db": "NVD",
        "id": "CVE-2018-19021"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Emerson DeltaV Distributed Control System Authentication Bypass Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "7d84cd0f-463f-11e9-95fb-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-01681"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-433"
      }
    ],
    "trust": 0.6
  }
}

GHSA-QPCC-RCR6-2CJ9

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-19021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-25T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.",
  "id": "GHSA-qpcc-rcr6-2cj9",
  "modified": "2022-05-13T01:33:36Z",
  "published": "2022-05-13T01:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19021"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106522"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

ICSA-19-010-01

Vulnerability from csaf_cisa - Published: 2019-01-10 00:00 - Updated: 2019-01-10 00:00

Summary

Emerson DeltaV

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to shut down a service, resulting in a denial of service.

Critical infrastructure sectors

Chemical, Critical Manufacturing, Energy

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Alexander Nochvay"
        ],
        "organization": "Kaspersky Lab",
        "summary": "reporting this vulnerability to Emerson"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to shut down a service, resulting in a denial of service.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Chemical, Critical Manufacturing, Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-010-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-010-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-010-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-010-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Emerson DeltaV",
    "tracking": {
      "current_release_date": "2019-01-10T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-010-01",
      "initial_release_date": "2019-01-10T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-01-10T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-010-01 Emerson DeltaV"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "11.3.1 | 11.3.2 | 12.3.1 | 13.3.1 | 14.3 | R5.1 | \u003c= R6",
                "product": {
                  "name": "DeltaV DCS: Versions 11.3.1 11.3.2 12.3.1 13.3.1 14.3 R5.1 R6 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "DeltaV DCS"
          }
        ],
        "category": "vendor",
        "name": "Emerson"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-19021",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A specially crafted script could bypass the authentication of a maintenance port of a service, which may allow an attacker to cause a denial of service.CVE-2018-19021 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19021"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, and R6",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Software patches are available to users with access to the Emerson Guardian Support Portal at",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://guardian.emersonprocess.com/"
        },
        {
          "category": "mitigation",
          "details": "For more information, please refer to the article for this vulnerability on the Emerson website.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "To limit exposure to these and other vulnerabilities, Emerson recommends that DeltaV systems and related components be deployed and configured as described in the DeltaV Security Manual which can be found in Emerson\u0027s Guardian Support Portal.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-19021 (GCVE-0-2018-19021)

FKIE_CVE-2018-19021

GSD-2018-19021

CNVD-2019-01681

VAR-201901-0856

GHSA-QPCC-RCR6-2CJ9

ICSA-19-010-01

Tags

Sightings

Nomenclature