CVE-2024-8310 (GCVE-0-2024-8310)

Vulnerability from cvelistv5 – Published: 2024-09-27 16:33 – Updated: 2024-09-27 19:19
Title
OPW Fuel Management Systems SiteSentinel Missing Authentication for Critical Function
Summary
OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges.
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor: OPW Fuel Managements Systems
Product: SiteSentinel
Version: Affected: 0, < 17Q2.1 (custom)
Credits
Pedro Umbelino of Bitsight reported this vulnerability to CISA.

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:opwglobal:sitesentinel_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "sitesentinel_firmware",
            "vendor": "opwglobal",
            "versions": [
              {
                "lessThan": "17q2.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8310",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-27T18:45:08.451522Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-27T19:19:33.579Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SiteSentinel",
          "vendor": "OPW Fuel Managements Systems",
          "versions": [
            {
              "lessThan": "17Q2.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pedro Umbelino of Bitsight reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "OPW Fuel Management Systems SiteSentinel \ncould allow an attacker to bypass authentication to the server and obtain full admin privileges.\n\n\u003cbr\u003e"
            }
          ],
          "value": "OPW Fuel Management Systems SiteSentinel \ncould allow an attacker to bypass authentication to the server and obtain full admin privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-27T16:33:39.522Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOPW Fuel Management Systems\u0027 parent company, Dover Fueling Systems \n(DFS), recommends users install all versions of the product behind a \nfirewall as primary protection.\u003c/p\u003e\n\u003cp\u003eDFS recommends user running versions prior to V17Q.2.1 upgrade to \nV17Q.2.1. Users with products that were distributed with versions newer \nthan V17Q.2.1 should contact DFS using the link below to confirm that \ntheir build has the required fixes.\u003c/p\u003e\n\u003cp\u003eThe software is available to authorized service providers for DFS products. Users should \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.doverfuelingsolutions.com/contact-us\"\u003econtact DFS\u003c/a\u003e\u003c/p\u003e service providers to have the software on their system upgraded or changed.\n\n\u003cbr\u003e"
            }
          ],
          "value": "OPW Fuel Management Systems\u0027 parent company, Dover Fueling Systems \n(DFS), recommends users install all versions of the product behind a \nfirewall as primary protection.\n\n\nDFS recommends user running versions prior to V17Q.2.1 upgrade to \nV17Q.2.1. Users with products that were distributed with versions newer \nthan V17Q.2.1 should contact DFS using the link below to confirm that \ntheir build has the required fixes.\n\n\nThe software is available to authorized service providers for DFS products. Users should  contact DFS https://www.doverfuelingsolutions.com/contact-us \n\n service providers to have the software on their system upgraded or changed."
        }
      ],
      "source": {
        "advisory": "ICSA-24-268-01",
        "discovery": "EXTERNAL"
      },
      "title": "OPW Fuel Management Systems SiteSentinel Missing Authentication for Critical Function",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-8310",
    "datePublished": "2024-09-27T16:33:39.522Z",
    "dateReserved": "2024-08-29T14:29:19.568Z",
    "dateUpdated": "2024-09-27T19:19:33.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"OPW Fuel Management Systems SiteSentinel \\ncould allow an attacker to bypass authentication to the server and obtain full admin privileges.\"}, {\"lang\": \"es\", \"value\": \"OPW Fuel Management Systems SiteSentinel podr\\u00edan permitir que un atacante eluda la autenticaci\\u00f3n en el servidor y obtenga privilegios de administrador completos.\"}]",
      "id": "CVE-2024-8310",
      "lastModified": "2024-09-30T12:45:57.823",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-09-27T17:15:13.970",
      "references": "[{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-01\", \"source\": \"ics-cert@hq.dhs.gov\"}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
    }
  }
}

