ID

VAR-201803-2162


CVE

CVE-2018-5717


TITLE

NCR S2 Dispenser vulnerable to out-of-bounds write

Trust: 0.8

sources: JVNDB: JVNDB-2018-003478

DESCRIPTION

The memory write mechanism in the NCR S2 Dispenser controller before firmware version 0x0108 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities. NCR S2 Dispenser contains an out-of-bounds vulnerability. Information may be tampered with. NCR S2 Dispenser controller is a distributor control board product of NCR Corporation of the United States. An attacker could exploit this vulnerability to upgrade or downgrade device firmware.

Trust: 2.16

sources: NVD: CVE-2018-5717 // JVNDB: JVNDB-2018-003478 // CNVD: CNVD-2018-05958

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-05958

AFFECTED PRODUCTS

vendor: ncr, model: s2 dispenser controller, scope: lt, version: 0x0108

Trust: 1.0

vendor: ncr, model: s2 dispenser, scope: lt, version: 0x0108

Trust: 0.8

vendor: ncr, model: s2 dispenser controller, scope: eq, version: 0x0108

Trust: 0.6

sources: CNVD: CNVD-2018-05958 // JVNDB: JVNDB-2018-003478 // NVD: CVE-2018-5717

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5717
value: HIGH

Trust: 1.0

NVD: CVE-2018-5717
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-05958
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201803-721
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-5717
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-05958
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-5717
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-05958 // JVNDB: JVNDB-2018-003478 // CNNVD: CNNVD-201803-721 // NVD: CVE-2018-5717

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.8

sources: JVNDB: JVNDB-2018-003478 // NVD: CVE-2018-5717

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-721

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201803-721

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003478

PATCH

title: Top Page, url: https://www.ncr.com/

Trust: 0.8

title: Patch for NCR S2 Dispenser controller authentication vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/122601

Trust: 0.6

title: NCR S2 Dispenser controller Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79321

Trust: 0.6

sources: CNVD: CNVD-2018-05958 // JVNDB: JVNDB-2018-003478 // CNNVD: CNNVD-201803-721

EXTERNAL IDS

db: NVD, id: CVE-2018-5717

Trust: 3.0

db: JVNDB, id: JVNDB-2018-003478

Trust: 0.8

db: CNVD, id: CNVD-2018-05958

Trust: 0.6

db: CNNVD, id: CNNVD-201803-721

Trust: 0.6

sources: CNVD: CNVD-2018-05958 // JVNDB: JVNDB-2018-003478 // CNNVD: CNNVD-201803-721 // NVD: CVE-2018-5717

REFERENCES

url: https://www.ncr.com/sites/default/files/ncr_security_alert_-_2018-04_v3.pdf

Trust: 2.2

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5717

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-5717

Trust: 0.8

sources: CNVD: CNVD-2018-05958 // JVNDB: JVNDB-2018-003478 // CNNVD: CNNVD-201803-721 // NVD: CVE-2018-5717

SOURCES

db: CNVD, id: CNVD-2018-05958
db: JVNDB, id: JVNDB-2018-003478
db: CNNVD, id: CNNVD-201803-721
db: NVD, id: CVE-2018-5717

LAST UPDATE DATE

2024-11-23T23:08:45.645000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-05958, date: 2018-03-22T00:00:00
db: JVNDB, id: JVNDB-2018-003478, date: 2018-05-24T00:00:00
db: CNNVD, id: CNNVD-201803-721, date: 2018-03-21T00:00:00
db: NVD, id: CVE-2018-5717, date: 2024-11-21T04:09:14.297

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-05958, date: 2018-03-22T00:00:00
db: JVNDB, id: JVNDB-2018-003478, date: 2018-05-24T00:00:00
db: CNNVD, id: CNNVD-201803-721, date: 2018-03-21T00:00:00
db: NVD, id: CVE-2018-5717, date: 2018-03-20T14:29:00.523