Details of VAR-201801-1634

ID

VAR-201801-1634

CVE

CVE-2018-4834

TITLE

Siemens DESIGO PX Firmware file upload vulnerability

Trust: 0.8

sources: IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // CNVD: CNVD-2018-01794

DESCRIPTION

A vulnerability has been identified in Desigo PXC00-E.D V4.10 (All versions < V4.10.111), Desigo PXC00-E.D V5.00 (All versions < V5.0.171), Desigo PXC00-E.D V5.10 (All versions < V5.10.69), Desigo PXC00-E.D V6.00 (All versions < V6.0.204), Desigo PXC00/64/128-U V4.10 (All versions < V4.10.111 only with web module), Desigo PXC00/64/128-U V5.00 (All versions < V5.0.171 only with web module), Desigo PXC00/64/128-U V5.10 (All versions < V5.10.69 only with web module), Desigo PXC00/64/128-U V6.00 (All versions < V6.0.204 only with web module), Desigo PXC001-E.D V4.10 (All versions < V4.10.111), Desigo PXC001-E.D V5.00 (All versions < V5.0.171), Desigo PXC001-E.D V5.10 (All versions < V5.10.69), Desigo PXC001-E.D V6.00 (All versions < V6.0.204), Desigo PXC100-E.D V4.10 (All versions < V4.10.111), Desigo PXC100-E.D V5.00 (All versions < V5.0.171), Desigo PXC100-E.D V5.10 (All versions < V5.10.69), Desigo PXC100-E.D V6.00 (All versions < V6.0.204), Desigo PXC12-E.D V4.10 (All versions < V4.10.111), Desigo PXC12-E.D V5.00 (All versions < V5.0.171), Desigo PXC12-E.D V5.10 (All versions < V5.10.69), Desigo PXC12-E.D V6.00 (All versions < V6.0.204), Desigo PXC200-E.D V4.10 (All versions < V4.10.111), Desigo PXC200-E.D V5.00 (All versions < V5.0.171), Desigo PXC200-E.D V5.10 (All versions < V5.10.69), Desigo PXC200-E.D V6.00 (All versions < V6.0.204), Desigo PXC22-E.D V4.10 (All versions < V4.10.111), Desigo PXC22-E.D V5.00 (All versions < V5.0.171), Desigo PXC22-E.D V5.10 (All versions < V5.10.69), Desigo PXC22-E.D V6.00 (All versions < V6.0.204), Desigo PXC22.1-E.D V4.10 (All versions < V4.10.111), Desigo PXC22.1-E.D V5.00 (All versions < V5.0.171), Desigo PXC22.1-E.D V5.10 (All versions < V5.10.69), Desigo PXC22.1-E.D V6.00 (All versions < V6.0.204), Desigo PXC36.1-E.D V4.10 (All versions < V4.10.111), Desigo PXC36.1-E.D V5.00 (All versions < V5.0.171), Desigo PXC36.1-E.D V5.10 (All versions < V5.10.69), Desigo PXC36.1-E.D V6.00 (All versions < V6.0.204), Desigo PXC50-E.D V4.10 (All versions < V4.10.111), Desigo PXC50-E.D V5.00 (All versions < V5.0.171), Desigo PXC50-E.D V5.10 (All versions < V5.10.69), Desigo PXC50-E.D V6.00 (All versions < V6.0.204), Desigo PXM20-E V4.10 (All versions < V4.10.111), Desigo PXM20-E V5.00 (All versions < V5.0.171), Desigo PXM20-E V5.10 (All versions < V5.10.69), Desigo PXM20-E V6.00 (All versions < V6.0.204). A remote attacker with network access to the device could potentially upload a new firmware image to the devices without prior authentication. plural Desigo Automation Controller and Desigo Operator Unit Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The SIEMENS building automation system Desigo PX programmable automation station offers a flexible solution for alarm signals, time-based logging and trends, which can be modified or expanded at any time. A file upload vulnerability exists in the Siemens DESIGO PX firmware, which is used by unauthenticated remote attackers to upload malicious firmware. Multiple Siemens Desigo Automation Controllers are prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. The following products and versions are vulnerable: Versions prior to Desigo Automation Controllers Compact PXC12/22/36-E.D 6.00.204 Versions prior to Desigo Automation Controllers Modular PXC00/50/100/200-E.D 6.00.204 Versions prior to Desigo Automation Controllers PXC00/64/128-U with Web module 6.00.204 Versions prior to Desigo Automation Controllers for Integration PXC001-E.D 6.00.204, and Versions prior to Desigo Operator Unit PXM20-E 6.00.204

Trust: 2.7

sources: NVD: CVE-2018-4834 // JVNDB: JVNDB-2018-001742 // CNVD: CNVD-2018-01794 // BID: 102850 // IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // VULMON: CVE-2018-4834

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // CNVD: CNVD-2018-01794

AFFECTED PRODUCTS

vendor:	siemens	model:	pxc001-e.d	scope:	lt	version:	6.00.204	Trust: 1.0
vendor:	siemens	model:	pxc00\/50\/100\/200-e.d	scope:	lt	version:	6.00.204	Trust: 1.0
vendor:	siemens	model:	pxm20-e	scope:	lt	version:	6.00.204	Trust: 1.0
vendor:	siemens	model:	pxc00\/64\/128-u	scope:	lt	version:	6.00.204	Trust: 1.0
vendor:	siemens	model:	pxc12\/22\/36-e.d	scope:	lt	version:	6.00.204	Trust: 1.0
vendor:	siemens	model:	pxc00/50/100/200-e.d	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	pxc00/64/128-u	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	pxc001-e.d	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	pxc12/22/36-e.d	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	pxm20-e	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo automation controllers compact pxc12/22/36-e.d	scope:	lt	version:	6.00.204	Trust: 0.6
vendor:	siemens	model:	desigo automation controllers modular pxc00/50/100/200-e.d	scope:	lt	version:	6.00.204	Trust: 0.6
vendor:	siemens	model:	desigo automation controllers pxc00/64/128-u with web module	scope:	lt	version:	6.00.204	Trust: 0.6
vendor:	siemens	model:	desigo operator unit pxm20-e	scope:	lt	version:	6.00.204	Trust: 0.6
vendor:	siemens	model:	desigo operator unit pxm20-e	scope:	eq	version:	6.0	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers pxc00/64/128-u with web module	scope:	eq	version:	6.0	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers modular pxc00/50/100/200-e.d	scope:	eq	version:	6.0	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers for integration pxc001-e.d	scope:	eq	version:	6.0	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers compact pxc12/22/36-e.d	scope:	eq	version:	6.0	Trust: 0.3
vendor:	siemens	model:	desigo operator unit pxm20-e	scope:	ne	version:	6.0.204	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers pxc00/64/128-u with web module	scope:	ne	version:	6.0.204	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers modular pxc00/50/100/200-e.d	scope:	ne	version:	6.0.204	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers for integration pxc001-e.d	scope:	ne	version:	6.0.204	Trust: 0.3
vendor:	siemens	model:	desigo automation controllers compact pxc12/22/36-e.d	scope:	ne	version:	6.0.204	Trust: 0.3
vendor:	pxc12 22 36 e d	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pxc00 50 100 200 e d	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pxc00 64 128 u	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pxc001 e d	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pxm20 e	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // CNVD: CNVD-2018-01794 // BID: 102850 // JVNDB: JVNDB-2018-001742 // NVD: CVE-2018-4834

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-4834
value:	HIGH
Trust: 1.0
productcert@siemens.com:	CVE-2018-4834
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-4834
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-01794
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201801-911
value:	CRITICAL
Trust: 0.6
IVD:	e2e2dc61-39ab-11e9-b10a-000c29342cb1
value:	CRITICAL
Trust: 0.2
VULMON:	CVE-2018-4834
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-4834
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2018-01794
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2e2dc61-39ab-11e9-b10a-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

productcert@siemens.com:	CVE-2018-4834
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-4834
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // CNVD: CNVD-2018-01794 // VULMON: CVE-2018-4834 // JVNDB: JVNDB-2018-001742 // CNNVD: CNNVD-201801-911 // NVD: CVE-2018-4834 // NVD: CVE-2018-4834

PROBLEMTYPE DATA

problemtype:	CWE-434	Trust: 1.8
problemtype:	CWE-306	Trust: 1.0

sources: JVNDB: JVNDB-2018-001742 // NVD: CVE-2018-4834

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-911

TYPE

Code problem

Trust: 0.8

sources: IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // CNNVD: CNNVD-201801-911

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001742

PATCH

title:	SSA-824231	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-824231.pdf	Trust: 0.8
title:	Siemens DESIGO PX firmware file upload vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/114337	Trust: 0.6
title:	Multiple Siemens Product security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=78050	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ad565e4187fa42b73d7b4e67bd2ff770	Trust: 0.1

sources: CNVD: CNVD-2018-01794 // VULMON: CVE-2018-4834 // JVNDB: JVNDB-2018-001742 // CNNVD: CNNVD-201801-911

EXTERNAL IDS

db:	NVD	id:	CVE-2018-4834	Trust: 3.6
db:	SIEMENS	id:	SSA-824231	Trust: 2.6
db:	ICS CERT	id:	ICSA-18-025-02	Trust: 1.0
db:	BID	id:	102850	Trust: 1.0
db:	CNVD	id:	CNVD-2018-01794	Trust: 0.8
db:	CNNVD	id:	CNNVD-201801-911	Trust: 0.8
db:	ICS CERT	id:	ICSA-18-025-02B	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-001742	Trust: 0.8
db:	IVD	id:	E2E2DC61-39AB-11E9-B10A-000C29342CB1	Trust: 0.2
db:	VULMON	id:	CVE-2018-4834	Trust: 0.1

sources: IVD: e2e2dc61-39ab-11e9-b10a-000c29342cb1 // CNVD: CNVD-2018-01794 // VULMON: CVE-2018-4834 // BID: 102850 // JVNDB: JVNDB-2018-001742 // CNNVD: CNNVD-201801-911 // NVD: CVE-2018-4834

REFERENCES

url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-824231.pdf	Trust: 1.6
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-824231.pdf	Trust: 1.6
url:	http://www.securityfocus.com/bid/102850	Trust: 1.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-18-025-02	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4834	Trust: 0.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-18-025-02b	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4834	Trust: 0.8
url:	http://www.siemens.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/434.html	Trust: 0.1
url:	https://tools.cisco.com/security/center/viewalert.x?alertid=56580	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2018-01794 // VULMON: CVE-2018-4834 // BID: 102850 // JVNDB: JVNDB-2018-001742 // CNNVD: CNNVD-201801-911 // NVD: CVE-2018-4834

CREDITS

Can Demirel and Melih Berk Eksioglu from Biznet Bilisim

Trust: 0.3

sources: BID: 102850

SOURCES

db:	IVD	id:	e2e2dc61-39ab-11e9-b10a-000c29342cb1
db:	CNVD	id:	CNVD-2018-01794
db:	VULMON	id:	CVE-2018-4834
db:	BID	id:	102850
db:	JVNDB	id:	JVNDB-2018-001742
db:	CNNVD	id:	CNNVD-201801-911
db:	NVD	id:	CVE-2018-4834

LAST UPDATE DATE

2024-11-23T22:00:42.005000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-01794	date:	2018-01-25T00:00:00
db:	VULMON	id:	CVE-2018-4834	date:	2019-10-09T00:00:00
db:	BID	id:	102850	date:	2018-01-25T00:00:00
db:	JVNDB	id:	JVNDB-2018-001742	date:	2018-03-05T00:00:00
db:	CNNVD	id:	CNNVD-201801-911	date:	2023-06-14T00:00:00
db:	NVD	id:	CVE-2018-4834	date:	2024-11-21T04:07:32.887

SOURCES RELEASE DATE

db:	IVD	id:	e2e2dc61-39ab-11e9-b10a-000c29342cb1	date:	2018-01-25T00:00:00
db:	CNVD	id:	CNVD-2018-01794	date:	2018-01-25T00:00:00
db:	VULMON	id:	CVE-2018-4834	date:	2018-01-24T00:00:00
db:	BID	id:	102850	date:	2018-01-25T00:00:00
db:	JVNDB	id:	JVNDB-2018-001742	date:	2018-03-05T00:00:00
db:	CNNVD	id:	CNNVD-201801-911	date:	2018-01-25T00:00:00
db:	NVD	id:	CVE-2018-4834	date:	2018-01-24T16:29:00.233