ID

VAR-201807-2191


CVE

CVE-2018-4855


TITLE

Siemens SICLOCK TC Product Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: e2f66461-39ab-11e9-a686-000c29342cb1 // CNVD: CNVD-2018-12505

DESCRIPTION

A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords. SICLOCK TC100 and SICLOCK TC400 contain an information disclosure vulnerability. Information may be obtained. The SICLOCK product line offers components for synchronizing plant and system time. An information disclosure vulnerability exists in the Siemens SICLOCK TC product. An attacker can exploit the vulnerability to read the device's access password.

1. A denial-of-service vulnerability
2. An authentication-bypass vulnerability
3. A remote code-execution vulnerability
4. Multiple security-bypass vulnerabilities
5. An information-disclosure vulnerability

Exploiting these issues could allow an attacker to bypass the authentication mechanism, obtain sensitive information, execute arbitrary code and perform unauthorized actions. Failed exploits can result in a denial-of-service condition. Both Siemens SICLOCK TC100 and SICLOCK TC400 are central clock products of Siemens of Germany. This product can provide unified and accurate time information for all network nodes in the LAN.

Trust: 2.7

sources: NVD: CVE-2018-4855 // JVNDB: JVNDB-2018-007862 // CNVD: CNVD-2018-12505 // BID: 104672 // IVD: e2f66461-39ab-11e9-a686-000c29342cb1 // VULHUB: VHN-134886

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2f66461-39ab-11e9-a686-000c29342cb1 // CNVD: CNVD-2018-12505

AFFECTED PRODUCTS

vendor: siemens, model: siclock tc400, scope: eq, version: -

Trust: 1.6

vendor: siemens, model: siclock tc100, scope: eq, version: -

Trust: 1.6

vendor: siemens, model: siclock tc100, scope: -, version: -

Trust: 1.4

vendor: siemens, model: siclock tc400, scope: -, version: -

Trust: 1.4

vendor: siemens, model: siclock tc400, scope: eq, version: 0

Trust: 0.3

vendor: siemens, model: siclock tc100, scope: eq, version: 0

Trust: 0.3

vendor: siclock tc400, model: -, scope: eq, version: -

Trust: 0.2

vendor: siclock tc100, model: -, scope: eq, version: -

Trust: 0.2

sources: IVD: e2f66461-39ab-11e9-a686-000c29342cb1 // CNVD: CNVD-2018-12505 // BID: 104672 // JVNDB: JVNDB-2018-007862 // CNNVD: CNNVD-201807-164 // NVD: CVE-2018-4855

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-4855
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-4855
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-12505
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201807-164
value: MEDIUM

Trust: 0.6

IVD: e2f66461-39ab-11e9-a686-000c29342cb1
value: MEDIUM

Trust: 0.2

VULHUB: VHN-134886
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-4855
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-12505
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f66461-39ab-11e9-a686-000c29342cb1
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-134886
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-4855
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: e2f66461-39ab-11e9-a686-000c29342cb1 // CNVD: CNVD-2018-12505 // VULHUB: VHN-134886 // JVNDB: JVNDB-2018-007862 // CNNVD: CNNVD-201807-164 // NVD: CVE-2018-4855

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.1

problemtype:CWE-200

Trust: 0.9

sources: VULHUB: VHN-134886 // JVNDB: JVNDB-2018-007862 // NVD: CVE-2018-4855

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-164

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201807-164

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007862

PATCH

title: SSA-197012, url: https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf

Trust: 0.8

title: Siemens SICLOCK TC Product Information Disclosure Vulnerability Patch, url: https://www.cnvd.org.cn/patchInfo/show/133425

Trust: 0.6

sources: CNVD: CNVD-2018-12505 // JVNDB: JVNDB-2018-007862

EXTERNAL IDS

db: NVD, id: CVE-2018-4855

Trust: 3.6

db: SIEMENS, id: SSA-197012

Trust: 2.6

db: BID, id: 104672

Trust: 2.0

db: CNNVD, id: CNNVD-201807-164

Trust: 0.9

db: CNVD, id: CNVD-2018-12505

Trust: 0.8

db: JVNDB, id: JVNDB-2018-007862

Trust: 0.8

db: IVD, id: E2F66461-39AB-11E9-A686-000C29342CB1

Trust: 0.2

db: VULHUB, id: VHN-134886

Trust: 0.1

sources: IVD: e2f66461-39ab-11e9-a686-000c29342cb1 // CNVD: CNVD-2018-12505 // VULHUB: VHN-134886 // BID: 104672 // JVNDB: JVNDB-2018-007862 // CNNVD: CNNVD-201807-164 // NVD: CVE-2018-4855

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf

Trust: 2.6

url:http://www.securityfocus.com/bid/104672

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4855

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-4855

Trust: 0.8

url:http://www.siemens.com/

Trust: 0.3

sources: CNVD: CNVD-2018-12505 // VULHUB: VHN-134886 // BID: 104672 // JVNDB: JVNDB-2018-007862 // CNNVD: CNNVD-201807-164 // NVD: CVE-2018-4855

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 104672

SOURCES

db: IVD, id: e2f66461-39ab-11e9-a686-000c29342cb1
db: CNVD, id: CNVD-2018-12505
db: VULHUB, id: VHN-134886
db: BID, id: 104672
db: JVNDB, id: JVNDB-2018-007862
db: CNNVD, id: CNNVD-201807-164
db: NVD, id: CVE-2018-4855

LAST UPDATE DATE

2024-11-23T22:17:24.630000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-12505, date: 2018-07-04T00:00:00
db: VULHUB, id: VHN-134886, date: 2019-10-09T00:00:00
db: BID, id: 104672, date: 2018-07-03T00:00:00
db: JVNDB, id: JVNDB-2018-007862, date: 2018-09-28T00:00:00
db: CNNVD, id: CNNVD-201807-164, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-4855, date: 2024-11-21T04:07:35.660

SOURCES RELEASE DATE

db: IVD, id: e2f66461-39ab-11e9-a686-000c29342cb1, date: 2018-07-04T00:00:00
db: CNVD, id: CNVD-2018-12505, date: 2018-07-04T00:00:00
db: VULHUB, id: VHN-134886, date: 2018-07-03T00:00:00
db: BID, id: 104672, date: 2018-07-03T00:00:00
db: JVNDB, id: JVNDB-2018-007862, date: 2018-09-28T00:00:00
db: CNNVD, id: CNNVD-201807-164, date: 2018-07-04T00:00:00
db: NVD, id: CVE-2018-4855, date: 2018-07-03T14:29:00.430