Details of VAR-201807-1688

ID

VAR-201807-1688

CVE

CVE-2018-8859

TITLE

Echelon SmartServer and i.LON Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-008467

DESCRIPTION

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product. Echelon SmartServer and i.LON Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. EchelonSmartServer1, SmartServer2 and i.LON100 are products of Echelon Corporation of the United States. EchelonSmartServer1 and SmartServer2 are multi-function controllers that support building automation control and enterprise energy management. i.LON100 is a web server that is primarily used to configure and monitor LonWorks devices

Trust: 2.43

sources: NVD: CVE-2018-8859 // JVNDB: JVNDB-2018-008467 // CNVD: CNVD-2018-18593 // IVD: e2fa0de1-39ab-11e9-a35e-000c29342cb1 // VULHUB: VHN-138891

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: e2fa0de1-39ab-11e9-a35e-000c29342cb1 // CNVD: CNVD-2018-18593

AFFECTED PRODUCTS

vendor:	echelon	model:	smartserver 2	scope:	lt	version:	4.11.007	Trust: 1.8
vendor:	echelon	model:	i.lon 600	scope:	eq	version:	-	Trust: 1.6
vendor:	echelon	model:	i.lon 100	scope:	eq	version:	-	Trust: 1.6
vendor:	echelon	model:	smartserver 1	scope:	eq	version:	-	Trust: 1.6
vendor:	echelon	model:	i.lon 100	scope:	-	version:	-	Trust: 0.8
vendor:	echelon	model:	i.lon 600	scope:	-	version:	-	Trust: 0.8
vendor:	echelon	model:	smartserver 1	scope:	-	version:	-	Trust: 0.8
vendor:	echelon	model:	smartserver	scope:	eq	version:	1	Trust: 0.6
vendor:	echelon	model:	smartserver <release	scope:	eq	version:	24.11.007	Trust: 0.6
vendor:	echelon	model:	i.lon	scope:	eq	version:	100	Trust: 0.6
vendor:	smartserver 1	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	smartserver 2	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	i lon 100	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	i lon 600	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: e2fa0de1-39ab-11e9-a35e-000c29342cb1 // CNVD: CNVD-2018-18593 // JVNDB: JVNDB-2018-008467 // CNNVD: CNNVD-201807-1793 // NVD: CVE-2018-8859

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8859
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-8859
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-18593
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201807-1793
value:	CRITICAL
Trust: 0.6
IVD:	e2fa0de1-39ab-11e9-a35e-000c29342cb1
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-138891
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-8859
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-18593
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2fa0de1-39ab-11e9-a35e-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-138891
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-8859
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: e2fa0de1-39ab-11e9-a35e-000c29342cb1 // CNVD: CNVD-2018-18593 // VULHUB: VHN-138891 // JVNDB: JVNDB-2018-008467 // CNNVD: CNNVD-201807-1793 // NVD: CVE-2018-8859

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.9
problemtype:	CWE-288	Trust: 1.0

sources: VULHUB: VHN-138891 // JVNDB: JVNDB-2018-008467 // NVD: CVE-2018-8859

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1793

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201807-1793

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008467

PATCH

title:	Top Page	url:	https://www.echelon.com/	Trust: 0.8
title:	EchelonSmartServer1, SmartServer2 and i.LON100 authentication bypass vulnerability patches	url:	https://www.cnvd.org.cn/patchInfo/show/139871	Trust: 0.6
title:	Echelon SmartServer 1 , SmartServer 2 and i.LON 100 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82587	Trust: 0.6

sources: CNVD: CNVD-2018-18593 // JVNDB: JVNDB-2018-008467 // CNNVD: CNNVD-201807-1793

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8859	Trust: 3.3
db:	ICS CERT	id:	ICSA-18-200-03	Trust: 3.1
db:	CNNVD	id:	CNNVD-201807-1793	Trust: 0.9
db:	CNVD	id:	CNVD-2018-18593	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-008467	Trust: 0.8
db:	IVD	id:	E2FA0DE1-39AB-11E9-A35E-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-138891	Trust: 0.1

sources: IVD: e2fa0de1-39ab-11e9-a35e-000c29342cb1 // CNVD: CNVD-2018-18593 // VULHUB: VHN-138891 // JVNDB: JVNDB-2018-008467 // CNNVD: CNNVD-201807-1793 // NVD: CVE-2018-8859

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-200-03	Trust: 3.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8859	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8859	Trust: 0.8

sources: CNVD: CNVD-2018-18593 // VULHUB: VHN-138891 // JVNDB: JVNDB-2018-008467 // CNNVD: CNNVD-201807-1793 // NVD: CVE-2018-8859

SOURCES

db:	IVD	id:	e2fa0de1-39ab-11e9-a35e-000c29342cb1
db:	CNVD	id:	CNVD-2018-18593
db:	VULHUB	id:	VHN-138891
db:	JVNDB	id:	JVNDB-2018-008467
db:	CNNVD	id:	CNNVD-201807-1793
db:	NVD	id:	CVE-2018-8859

LAST UPDATE DATE

2024-11-23T22:00:27.936000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-18593	date:	2018-09-12T00:00:00
db:	VULHUB	id:	VHN-138891	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-008467	date:	2018-10-18T00:00:00
db:	CNNVD	id:	CNNVD-201807-1793	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-8859	date:	2024-11-21T04:14:28.190

SOURCES RELEASE DATE

db:	IVD	id:	e2fa0de1-39ab-11e9-a35e-000c29342cb1	date:	2018-09-12T00:00:00
db:	CNVD	id:	CNVD-2018-18593	date:	2018-09-11T00:00:00
db:	VULHUB	id:	VHN-138891	date:	2018-07-24T00:00:00
db:	JVNDB	id:	JVNDB-2018-008467	date:	2018-10-18T00:00:00
db:	CNNVD	id:	CNNVD-201807-1793	date:	2018-07-25T00:00:00
db:	NVD	id:	CVE-2018-8859	date:	2018-07-24T17:29:00.430