Details of VAR-201807-2190

ID

VAR-201807-2190

CVE

CVE-2018-4854

TITLE

SICLOCK TC100 and SICLOCK TC400 Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-007861

DESCRIPTION

A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the administrative client stored on the device. If a legitimate user downloads and executes the modified client from the affected device, then he/she could obtain code execution on the client system. SICLOCK TC100 and SICLOCK TC400 Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The SICROCK product line offers components for synchronizing plant and system time. An unauthorized operating vulnerability exists in the Siemens SICLOCK TC product. A denial-of-Service vulnerability 2. An authentication-bypass vulnerability 3. A remote code-execution vulnerability 4. Multiple security-bypass vulnerabilities 5. An information-disclosure vulnerability Exploiting these issues could allow an attacker to bypass authentication mechanism, obtain sensitive information, execute arbitrary code and perform unauthorized actions. Failed exploits can result in a denial-of-service condition. Both Siemens SICLOCK TC100 and SICLOCK TC400 are central clock products of Germany's Siemens (Siemens). This product can provide unified and accurate time information for all network nodes in the LAN

Trust: 2.7

sources: NVD: CVE-2018-4854 // JVNDB: JVNDB-2018-007861 // CNVD: CNVD-2018-12504 // BID: 104672 // IVD: e2f66462-39ab-11e9-bb1d-000c29342cb1 // VULHUB: VHN-134885

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2f66462-39ab-11e9-bb1d-000c29342cb1 // CNVD: CNVD-2018-12504

AFFECTED PRODUCTS

vendor:	siemens	model:	siclock tc400	scope:	eq	version:	-	Trust: 1.6
vendor:	siemens	model:	siclock tc100	scope:	eq	version:	-	Trust: 1.6
vendor:	siemens	model:	siclock tc100	scope:	-	version:	-	Trust: 1.4
vendor:	siemens	model:	siclock tc400	scope:	-	version:	-	Trust: 1.4
vendor:	siemens	model:	siclock tc400	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	siclock tc100	scope:	eq	version:	0	Trust: 0.3
vendor:	siclock tc400	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	siclock tc100	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: e2f66462-39ab-11e9-bb1d-000c29342cb1 // CNVD: CNVD-2018-12504 // BID: 104672 // JVNDB: JVNDB-2018-007861 // CNNVD: CNNVD-201807-165 // NVD: CVE-2018-4854

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-4854
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-4854
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-12504
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201807-165
value:	HIGH
Trust: 0.6
IVD:	e2f66462-39ab-11e9-bb1d-000c29342cb1
value:	HIGH
Trust: 0.2
VULHUB:	VHN-134885
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-4854
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-12504
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2f66462-39ab-11e9-bb1d-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-134885
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-4854
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: e2f66462-39ab-11e9-bb1d-000c29342cb1 // CNVD: CNVD-2018-12504 // VULHUB: VHN-134885 // JVNDB: JVNDB-2018-007861 // CNNVD: CNNVD-201807-165 // NVD: CVE-2018-4854

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-306	Trust: 1.0
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-134885 // JVNDB: JVNDB-2018-007861 // NVD: CVE-2018-4854

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-165

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201807-165

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007861

PATCH

title:	SSA-197012	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf	Trust: 0.8
title:	Patch for Siemens SICLOCK TC Product Unauthorized Operation Vulnerability (CNVD-2018-12504)	url:	https://www.cnvd.org.cn/patchInfo/show/133423	Trust: 0.6

sources: CNVD: CNVD-2018-12504 // JVNDB: JVNDB-2018-007861

EXTERNAL IDS

db:	NVD	id:	CVE-2018-4854	Trust: 3.6
db:	SIEMENS	id:	SSA-197012	Trust: 2.6
db:	BID	id:	104672	Trust: 2.0
db:	CNNVD	id:	CNNVD-201807-165	Trust: 0.9
db:	CNVD	id:	CNVD-2018-12504	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-007861	Trust: 0.8
db:	IVD	id:	E2F66462-39AB-11E9-BB1D-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-134885	Trust: 0.1

sources: IVD: e2f66462-39ab-11e9-bb1d-000c29342cb1 // CNVD: CNVD-2018-12504 // VULHUB: VHN-134885 // BID: 104672 // JVNDB: JVNDB-2018-007861 // CNNVD: CNNVD-201807-165 // NVD: CVE-2018-4854

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf	Trust: 2.6
url:	http://www.securityfocus.com/bid/104672	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4854	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4854	Trust: 0.8
url:	http://www.siemens.com/	Trust: 0.3

sources: CNVD: CNVD-2018-12504 // VULHUB: VHN-134885 // BID: 104672 // JVNDB: JVNDB-2018-007861 // CNNVD: CNNVD-201807-165 // NVD: CVE-2018-4854

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 104672

SOURCES

db:	IVD	id:	e2f66462-39ab-11e9-bb1d-000c29342cb1
db:	CNVD	id:	CNVD-2018-12504
db:	VULHUB	id:	VHN-134885
db:	BID	id:	104672
db:	JVNDB	id:	JVNDB-2018-007861
db:	CNNVD	id:	CNNVD-201807-165
db:	NVD	id:	CVE-2018-4854

LAST UPDATE DATE

2024-11-23T22:17:24.550000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-12504	date:	2018-07-04T00:00:00
db:	VULHUB	id:	VHN-134885	date:	2019-10-09T00:00:00
db:	BID	id:	104672	date:	2018-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-007861	date:	2018-09-28T00:00:00
db:	CNNVD	id:	CNNVD-201807-165	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-4854	date:	2024-11-21T04:07:35.533

SOURCES RELEASE DATE

db:	IVD	id:	e2f66462-39ab-11e9-bb1d-000c29342cb1	date:	2018-07-04T00:00:00
db:	CNVD	id:	CNVD-2018-12504	date:	2018-07-04T00:00:00
db:	VULHUB	id:	VHN-134885	date:	2018-07-03T00:00:00
db:	BID	id:	104672	date:	2018-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-007861	date:	2018-09-28T00:00:00
db:	CNNVD	id:	CNNVD-201807-165	date:	2018-07-04T00:00:00
db:	NVD	id:	CVE-2018-4854	date:	2018-07-03T14:29:00.367