FKIE_CVE-2018-10612

Vulnerability from fkie_nvd - Published: 2019-01-29 16:29 - Updated: 2024-11-21 03:41
Severity ?
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.
References
ics-cert@hq.dhs.govhttp://www.securityfocus.com/bid/106248Third Party Advisory, VDB Entry
ics-cert@hq.dhs.govhttps://ics-cert.us-cert.gov/advisories/ICSA-18-352-03Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/106248Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://ics-cert.us-cert.gov/advisories/ICSA-18-352-03Third Party Advisory, US Government Resource
Impacted products
Vendor Product Version
codesys control_for_beaglebone_sl *
codesys control_for_empc-a\/imx6_sl *
codesys control_for_iot2000_sl *
codesys control_for_linux_sl *
codesys control_for_pfc100_sl *
codesys control_for_pfc200_sl *
codesys control_for_raspberry_pi_sl *
codesys control_rte_sl *
codesys control_runtime_toolkit *
codesys control_win_sl *
codesys development_system_v3 *
codesys hmi_sl *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:codesys:control_for_beaglebone_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E5A50D-470A-4C7D-A634-E97AE95B38B5",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_for_empc-a\\/imx6_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "455BEF47-4D2A-4314-AF1D-C5C46236B135",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_for_iot2000_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2E52640-4AA9-40C1-A00E-374334F761C7",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_for_linux_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C87347FA-38EA-4299-A822-63FCF0E34577",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_for_pfc100_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D3E05BC-83BC-49C8-91AD-64A1EE9D36BD",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_for_pfc200_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "40D2875A-E1DF-4C7D-9DD7-7BE8D617EF3C",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_for_raspberry_pi_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE9699B0-CCE3-42AB-8208-492382D59582",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_rte_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20CFD36A-208D-444C-A3C3-C2B11CAF65AC",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_runtime_toolkit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E623E98-8040-43D2-81B5-D6B06B374472",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:control_win_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA6D880C-195D-4830-B0B5-7D7BC32182B4",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:development_system_v3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00F359B4-0530-47A3-BFBB-BA7D32104919",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:codesys:hmi_sl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63F51840-0A93-43BD-B8D0-145C7C52C7B0",
              "versionEndExcluding": "3.5.14.0",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials."
    },
    {
      "lang": "es",
      "value": "En los productos CODESYS Control V3, de 3S-Smart Software Solutions GmbH, en versiones anteriores a la 3.5.14.0, la gesti\u00f3n de accesos de usuarios y el cifrado de las comunicaciones no est\u00e1 habilitado por defecto, lo que podr\u00eda permitir que un atacante acceda al dispositivo y a su informaci\u00f3n sensible, incluyendo las credenciales de usuario."
    }
  ],
  "id": "CVE-2018-10612",
  "lastModified": "2024-11-21T03:41:39.853",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-01-29T16:29:00.247",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/106248"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-352-03"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/106248"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-352-03"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-311"
        },
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.