Details of VAR-201807-1686

ID

VAR-201807-1686

CVE

CVE-2018-8851

TITLE

Echelon SmartServer and i.LON Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-008465

DESCRIPTION

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface. Echelon SmartServer and i.LON Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Echelon SmartServer 1 and so on are products of Echelon Corporation of the United States. The Echelon SmartServer 1 is a versatile controller that supports building automation control and enterprise energy management. The i.LON 100 is a web server that is primarily used to configure and monitor LonWorks devices. An information disclosure vulnerability exists in several Echelon products

Trust: 2.43

sources: NVD: CVE-2018-8851 // JVNDB: JVNDB-2018-008465 // CNVD: CNVD-2018-18592 // IVD: e2f9e6d2-39ab-11e9-8f03-000c29342cb1 // VULHUB: VHN-138883

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: e2f9e6d2-39ab-11e9-8f03-000c29342cb1 // CNVD: CNVD-2018-18592

AFFECTED PRODUCTS

vendor:	echelon	model:	smartserver 2	scope:	lt	version:	4.11.007	Trust: 1.8
vendor:	echelon	model:	i.lon 600	scope:	eq	version:	-	Trust: 1.6
vendor:	echelon	model:	i.lon 100	scope:	eq	version:	-	Trust: 1.6
vendor:	echelon	model:	smartserver 1	scope:	eq	version:	-	Trust: 1.6
vendor:	echelon	model:	i.lon 100	scope:	-	version:	-	Trust: 0.8
vendor:	echelon	model:	i.lon 600	scope:	-	version:	-	Trust: 0.8
vendor:	echelon	model:	smartserver 1	scope:	-	version:	-	Trust: 0.8
vendor:	echelon	model:	smartserver	scope:	eq	version:	1	Trust: 0.6
vendor:	echelon	model:	smartserver <release	scope:	eq	version:	24.11.007	Trust: 0.6
vendor:	echelon	model:	i.lon	scope:	eq	version:	100	Trust: 0.6
vendor:	echelon	model:	i.lon	scope:	eq	version:	600	Trust: 0.6
vendor:	smartserver 1	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	smartserver 2	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	i lon 100	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	i lon 600	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: e2f9e6d2-39ab-11e9-8f03-000c29342cb1 // CNVD: CNVD-2018-18592 // JVNDB: JVNDB-2018-008465 // CNNVD: CNNVD-201807-1795 // NVD: CVE-2018-8851

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8851
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-8851
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-18592
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201807-1795
value:	CRITICAL
Trust: 0.6
IVD:	e2f9e6d2-39ab-11e9-8f03-000c29342cb1
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-138883
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-8851
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-18592
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2f9e6d2-39ab-11e9-8f03-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-138883
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-8851
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: e2f9e6d2-39ab-11e9-8f03-000c29342cb1 // CNVD: CNVD-2018-18592 // VULHUB: VHN-138883 // JVNDB: JVNDB-2018-008465 // CNNVD: CNNVD-201807-1795 // NVD: CVE-2018-8851

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.1
problemtype:	CWE-256	Trust: 1.0
problemtype:	CWE-255	Trust: 0.9

sources: VULHUB: VHN-138883 // JVNDB: JVNDB-2018-008465 // NVD: CVE-2018-8851

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1795

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201807-1795

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008465

PATCH

title:	Top Page	url:	https://www.echelon.com/	Trust: 0.8
title:	Patches for multiple Echelon product information disclosure vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/139879	Trust: 0.6
title:	Multiple Echelon Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82589	Trust: 0.6

sources: CNVD: CNVD-2018-18592 // JVNDB: JVNDB-2018-008465 // CNNVD: CNNVD-201807-1795

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8851	Trust: 3.3
db:	ICS CERT	id:	ICSA-18-200-03	Trust: 3.1
db:	CNNVD	id:	CNNVD-201807-1795	Trust: 0.9
db:	CNVD	id:	CNVD-2018-18592	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-008465	Trust: 0.8
db:	IVD	id:	E2F9E6D2-39AB-11E9-8F03-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-138883	Trust: 0.1

sources: IVD: e2f9e6d2-39ab-11e9-8f03-000c29342cb1 // CNVD: CNVD-2018-18592 // VULHUB: VHN-138883 // JVNDB: JVNDB-2018-008465 // CNNVD: CNNVD-201807-1795 // NVD: CVE-2018-8851

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-200-03	Trust: 3.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8851	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8851	Trust: 0.8

sources: CNVD: CNVD-2018-18592 // VULHUB: VHN-138883 // JVNDB: JVNDB-2018-008465 // CNNVD: CNNVD-201807-1795 // NVD: CVE-2018-8851

SOURCES

db:	IVD	id:	e2f9e6d2-39ab-11e9-8f03-000c29342cb1
db:	CNVD	id:	CNVD-2018-18592
db:	VULHUB	id:	VHN-138883
db:	JVNDB	id:	JVNDB-2018-008465
db:	CNNVD	id:	CNNVD-201807-1795
db:	NVD	id:	CVE-2018-8851

LAST UPDATE DATE

2024-11-23T22:00:27.900000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-18592	date:	2018-09-12T00:00:00
db:	VULHUB	id:	VHN-138883	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-008465	date:	2018-10-18T00:00:00
db:	CNNVD	id:	CNNVD-201807-1795	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-8851	date:	2024-11-21T04:14:27.100

SOURCES RELEASE DATE

db:	IVD	id:	e2f9e6d2-39ab-11e9-8f03-000c29342cb1	date:	2018-09-12T00:00:00
db:	CNVD	id:	CNVD-2018-18592	date:	2018-09-11T00:00:00
db:	VULHUB	id:	VHN-138883	date:	2018-07-24T00:00:00
db:	JVNDB	id:	JVNDB-2018-008465	date:	2018-10-18T00:00:00
db:	CNNVD	id:	CNNVD-201807-1795	date:	2018-07-25T00:00:00
db:	NVD	id:	CVE-2018-8851	date:	2018-07-24T17:29:00.353