Details of VAR-201806-0551

ID

VAR-201806-0551

CVE

CVE-2018-10619

TITLE

RSLinx Classic and FactoryTalk Linx Gateway Vulnerabilities related to unquoted search paths or elements

Trust: 0.8

sources: JVNDB: JVNDB-2018-006270

DESCRIPTION

An unquoted search path or element in RSLinx Classic Versions 3.90.01 and prior and FactoryTalk Linx Gateway Versions 3.90.00 and prior may allow an authorized, but non-privileged local user to execute arbitrary code and allow a threat actor to escalate user privileges on the affected workstation. RSLinx Classic and FactoryTalk Linx Gateway Contains vulnerabilities related to unquoted search paths or elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. RSLinx Classic is a software platform that allows Logix5000 programmable automation controllers to connect to a variety of Rockwell software applications. FactoryTalk Linx Gateway is software that provides an Open Platform Communications (OPC) Unified Architecture (UA) server interface that allows you to pass information from Rockwell software applications to Allen-Bradley controllers. A privilege elevation vulnerability exists in Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway. Local attackers can exploit this issue to gain elevated privileges. The following products and versions are vulnerable: RSLinx Classic Versions 3.90.01 and prior FactoryTalk Linx Gateway Versions 3.90.00 and prior. A successfulattempt would require the local user to be able to insert their code in thesystem root path undetected by the OS or other security applications whereit could potentially be executed during application startup or reboot. Ifsuccessful, the local user's code would execute with the elevated privilegesof the application.Tested on: Microsoft Windows 7 Professional SP1 (EN)

Trust: 2.88

sources: NVD: CVE-2018-10619 // JVNDB: JVNDB-2018-006270 // CNVD: CNVD-2018-12106 // BID: 104415 // IVD: e2f504cf-39ab-11e9-84c3-000c29342cb1 // ZSL: ZSL-2018-5473 // VULHUB: VHN-120396 // VULMON: CVE-2018-10619

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2f504cf-39ab-11e9-84c3-000c29342cb1 // CNVD: CNVD-2018-12106

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	factorytalk linx gateway	scope:	lt	version:	3.90.00	Trust: 1.0
vendor:	rockwellautomation	model:	rslinx classic	scope:	lt	version:	3.90.01	Trust: 1.0
vendor:	rockwell automation	model:	factorytalk linx gateway	scope:	lte	version:	3.90.00	Trust: 0.8
vendor:	rockwell automation	model:	rslinx classic	scope:	lte	version:	3.90.01	Trust: 0.8
vendor:	rockwell	model:	automation rslinx classic	scope:	lte	version:	<=3.90.01	Trust: 0.6
vendor:	rockwell	model:	automation factorytalk linx gateway	scope:	lte	version:	<=3.90.00	Trust: 0.6
vendor:	rockwell	model:	automation rslinx classic	scope:	eq	version:	3.90.01	Trust: 0.3
vendor:	rockwell	model:	automation rslinx classic	scope:	eq	version:	3.73.00	Trust: 0.3
vendor:	rockwell	model:	automation rslinx classic	scope:	eq	version:	3.72.00	Trust: 0.3
vendor:	rockwell	model:	automation factorytalk linx gateway	scope:	eq	version:	3.90	Trust: 0.3
vendor:	rockwell	model:	automation rslinx classic	scope:	ne	version:	4.00.01	Trust: 0.3
vendor:	rockwell	model:	automation factorytalk linx gateway	scope:	ne	version:	6.0	Trust: 0.3
vendor:	rslinx classic	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	factorytalk linx gateway	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	rockwell automation	model:	rslinx classic and factorytalk linx gateway privilege escalation	scope:	eq	version:	rockwell automation rslinx classic 3.90.01	Trust: 0.1
vendor:	rockwell automation	model:	rslinx classic and factorytalk linx gateway privilege escalation	scope:	eq	version:	rockwell automation rslinx classic 3.73.00	Trust: 0.1
vendor:	rockwell automation	model:	rslinx classic and factorytalk linx gateway privilege escalation	scope:	eq	version:	rockwell automation rslinx classic 3.72.00	Trust: 0.1
vendor:	rockwell automation	model:	rslinx classic and factorytalk linx gateway privilege escalation	scope:	eq	version:	rockwell automation rslinx classic 2.58.00	Trust: 0.1
vendor:	rockwell automation	model:	rslinx classic and factorytalk linx gateway privilege escalation	scope:	eq	version:	rockwell automation factorytalk linx gateway 3.90.00	Trust: 0.1

sources: ZSL: ZSL-2018-5473 // IVD: e2f504cf-39ab-11e9-84c3-000c29342cb1 // CNVD: CNVD-2018-12106 // BID: 104415 // JVNDB: JVNDB-2018-006270 // NVD: CVE-2018-10619

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-10619
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-10619
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-12106
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201806-378
value:	HIGH
Trust: 0.6
IVD:	e2f504cf-39ab-11e9-84c3-000c29342cb1
value:	HIGH
Trust: 0.2
ZSL:	ZSL-2018-5473
value:	(3/5)
Trust: 0.1
VULHUB:	VHN-120396
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-10619
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-10619
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2018-12106
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2f504cf-39ab-11e9-84c3-000c29342cb1
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-120396
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-10619
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: ZSL: ZSL-2018-5473 // IVD: e2f504cf-39ab-11e9-84c3-000c29342cb1 // CNVD: CNVD-2018-12106 // VULHUB: VHN-120396 // VULMON: CVE-2018-10619 // JVNDB: JVNDB-2018-006270 // CNNVD: CNNVD-201806-378 // NVD: CVE-2018-10619

PROBLEMTYPE DATA

problemtype:

CWE-428

Trust: 1.9

sources: VULHUB: VHN-120396 // JVNDB: JVNDB-2018-006270 // NVD: CVE-2018-10619

THREAT TYPE

local

Trust: 0.9

sources: BID: 104415 // CNNVD: CNNVD-201806-378

TYPE

Code problem

Trust: 0.8

sources: IVD: e2f504cf-39ab-11e9-84c3-000c29342cb1 // CNNVD: CNNVD-201806-378

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006270

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2018-5473 // VULHUB: VHN-120396 // VULMON: CVE-2018-10619

PATCH

title:	RSLinx	url:	https://www.rockwellautomation.com/rockwellsoftware/products/rslinx.page	Trust: 0.8
title:	Patch for Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/132831	Trust: 0.6
title:	Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80730	Trust: 0.6

sources: CNVD: CNVD-2018-12106 // JVNDB: JVNDB-2018-006270 // CNNVD: CNNVD-201806-378

EXTERNAL IDS

db:	NVD	id:	CVE-2018-10619	Trust: 3.8
db:	ICS CERT	id:	ICSA-18-158-01	Trust: 3.6
db:	BID	id:	104415	Trust: 2.2
db:	EXPLOIT-DB	id:	44892	Trust: 1.9
db:	CNNVD	id:	CNNVD-201806-378	Trust: 0.9
db:	CNVD	id:	CNVD-2018-12106	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-006270	Trust: 0.8
db:	PACKETSTORM	id:	148187	Trust: 0.2
db:	IVD	id:	E2F504CF-39AB-11E9-84C3-000C29342CB1	Trust: 0.2
db:	CXSECURITY	id:	WLB-2018060148	Trust: 0.1
db:	ZSL	id:	ZSL-2018-5473	Trust: 0.1
db:	SEEBUG	id:	SSVID-98944	Trust: 0.1
db:	VULHUB	id:	VHN-120396	Trust: 0.1
db:	VULMON	id:	CVE-2018-10619	Trust: 0.1

sources: ZSL: ZSL-2018-5473 // IVD: e2f504cf-39ab-11e9-84c3-000c29342cb1 // CNVD: CNVD-2018-12106 // VULHUB: VHN-120396 // VULMON: CVE-2018-10619 // BID: 104415 // JVNDB: JVNDB-2018-006270 // CNNVD: CNNVD-201806-378 // NVD: CVE-2018-10619

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-158-01	Trust: 3.7
url:	https://www.exploit-db.com/exploits/44892/	Trust: 2.0
url:	http://www.securityfocus.com/bid/104415	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2018-10619	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10619	Trust: 0.8
url:	http://www.rockwellautomation.com/	Trust: 0.3
url:	https://compatibility.rockwellautomation.com/pages/multiproductdownload.aspx?crumb=112	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10619	Trust: 0.1
url:	https://packetstormsecurity.com/files/148187	Trust: 0.1
url:	https://cxsecurity.com/issue/wlb-2018060148	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/144534	Trust: 0.1
url:	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073800	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/428.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: ZSL: ZSL-2018-5473 // CNVD: CNVD-2018-12106 // VULHUB: VHN-120396 // VULMON: CVE-2018-10619 // BID: 104415 // JVNDB: JVNDB-2018-006270 // CNNVD: CNNVD-201806-378 // NVD: CVE-2018-10619

CREDITS

Gjoko Krstic of Zero Science Lab

Trust: 0.3

sources: BID: 104415

SOURCES

db:	ZSL	id:	ZSL-2018-5473
db:	IVD	id:	e2f504cf-39ab-11e9-84c3-000c29342cb1
db:	CNVD	id:	CNVD-2018-12106
db:	VULHUB	id:	VHN-120396
db:	VULMON	id:	CVE-2018-10619
db:	BID	id:	104415
db:	JVNDB	id:	JVNDB-2018-006270
db:	CNNVD	id:	CNNVD-201806-378
db:	NVD	id:	CVE-2018-10619

LAST UPDATE DATE

2024-11-23T21:53:06.675000+00:00

SOURCES UPDATE DATE

db:	ZSL	id:	ZSL-2018-5473	date:	2018-06-22T00:00:00
db:	CNVD	id:	CNVD-2018-12106	date:	2018-06-26T00:00:00
db:	VULHUB	id:	VHN-120396	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2018-10619	date:	2019-10-09T00:00:00
db:	BID	id:	104415	date:	2018-06-07T00:00:00
db:	JVNDB	id:	JVNDB-2018-006270	date:	2018-08-15T00:00:00
db:	CNNVD	id:	CNNVD-201806-378	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-10619	date:	2024-11-21T03:41:40.697

SOURCES RELEASE DATE

db:	ZSL	id:	ZSL-2018-5473	date:	2018-06-10T00:00:00
db:	IVD	id:	e2f504cf-39ab-11e9-84c3-000c29342cb1	date:	2018-06-26T00:00:00
db:	CNVD	id:	CNVD-2018-12106	date:	2018-06-26T00:00:00
db:	VULHUB	id:	VHN-120396	date:	2018-06-07T00:00:00
db:	VULMON	id:	CVE-2018-10619	date:	2018-06-07T00:00:00
db:	BID	id:	104415	date:	2018-06-07T00:00:00
db:	JVNDB	id:	JVNDB-2018-006270	date:	2018-08-14T00:00:00
db:	CNNVD	id:	CNNVD-201806-378	date:	2018-06-08T00:00:00
db:	NVD	id:	CVE-2018-10619	date:	2018-06-07T20:29:00.213