ID

VAR-201808-0378


CVE

CVE-2018-14791


TITLE

Emerson DeltaV DCS Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-009547

DESCRIPTION

Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 may allow non-administrative users to change executable and library files on the affected products. Emerson DeltaV DCS contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS).

Emerson Electric DeltaV is a digital automation system from Emerson Electric. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. There is a security vulnerability in Emerson Electric DeltaV.

1. An arbitrary-code-execution vulnerability
2. Multiple security-bypass vulnerabilities
3. A stack-based buffer-overflow vulnerability

Attackers can exploit these issues to execute arbitrary code and bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial-of-service conditions.

Trust: 2.61

sources: NVD: CVE-2018-14791 // JVNDB: JVNDB-2018-009547 // CNVD: CNVD-2018-15737 // BID: 105105 // IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1 // CNVD: CNVD-2018-15737

AFFECTED PRODUCTS

vendor: emerson, model: deltav distributed control system, scope: eq, version: 11.3.1

Trust: 1.4

vendor: emerson, model: deltav distributed control system, scope: eq, version: 13.3.0

Trust: 1.4

vendor: emerson, model: deltav distributed control system, scope: eq, version: 13.3.1

Trust: 1.4

vendor: emerson, model: deltav distributed control system, scope: eq, version: r5

Trust: 1.4

vendor: emerson, model: deltav, scope: eq, version: 13.3.1

Trust: 1.3

vendor: emerson, model: deltav, scope: eq, version: 11.3.1

Trust: 1.3

vendor: emerson, model: deltav, scope: eq, version: 13.3

Trust: 1.3

vendor: emerson, model: deltav, scope: eq, version: 12.3.1

Trust: 1.3

vendor: emerson, model: deltav, scope: eq, version: r5

Trust: 1.0

vendor: emerson, model: deltav distributed control system, scope: eq, version: 12.3.15

Trust: 0.8

vendor: emerson, model: electric deltav, scope: eq, version: v11.3.1

Trust: 0.6

vendor: emerson, model: electric deltav, scope: eq, version: v12.3.1

Trust: 0.6

vendor: emerson, model: electric deltav, scope: eq, version: v13.3.0

Trust: 0.6

vendor: emerson, model: electric deltav, scope: eq, version: v13.3.1

Trust: 0.6

vendor: emerson, model: electric deltav r5, scope: -, version: -

Trust: 0.6

vendor: emerson, model: deltav distributed control system, scope: eq, version: 12.3.1

Trust: 0.6

vendor: deltav distributed control system, model: -, scope: eq, version: 11.3.1

Trust: 0.2

vendor: deltav distributed control system, model: -, scope: eq, version: 12.3.1

Trust: 0.2

vendor: deltav distributed control system, model: -, scope: eq, version: 13.3.0

Trust: 0.2

vendor: deltav distributed control system, model: -, scope: eq, version: 13.3.1

Trust: 0.2

vendor: deltav distributed control system, model: r5, scope: -, version: -

Trust: 0.2

sources: IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1 // CNVD: CNVD-2018-15737 // BID: 105105 // JVNDB: JVNDB-2018-009547 // CNNVD: CNNVD-201808-564 // NVD: CVE-2018-14791

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14791
value: HIGH

Trust: 1.0

NVD: CVE-2018-14791
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-15737
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201808-564
value: HIGH

Trust: 0.6

IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2018-14791
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-15737
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-14791
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2018-14791
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1 // CNVD: CNVD-2018-15737 // JVNDB: JVNDB-2018-009547 // CNNVD: CNNVD-201808-564 // NVD: CVE-2018-14791

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2018-009547 // NVD: CVE-2018-14791

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201808-564

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201808-564

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-009547

PATCH

title: DeltaV Distributed Control System, url: https://www.emerson.com/en-us/automation/control-and-safety-systems/distributed-control-systems-dcs/deltav-distributed-control-system

Trust: 0.8

title: Emerson Electric DeltaV Rights Management Patch for Vulnerable Vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/138023

Trust: 0.6

title: Emerson Electric DeltaV Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84152

Trust: 0.6

sources: CNVD: CNVD-2018-15737 // JVNDB: JVNDB-2018-009547 // CNNVD: CNNVD-201808-564

EXTERNAL IDS

db: NVD, id: CVE-2018-14791

Trust: 3.5

db: ICS CERT, id: ICSA-18-228-01

Trust: 3.3

db: BID, id: 105105

Trust: 1.9

db: CNVD, id: CNVD-2018-15737

Trust: 0.8

db: CNNVD, id: CNNVD-201808-564

Trust: 0.8

db: JVNDB, id: JVNDB-2018-009547

Trust: 0.8

db: IVD, id: E2F8391F-39AB-11E9-8A62-000C29342CB1

Trust: 0.2

sources: IVD: e2f8391f-39ab-11e9-8a62-000c29342cb1 // CNVD: CNVD-2018-15737 // BID: 105105 // JVNDB: JVNDB-2018-009547 // CNNVD: CNNVD-201808-564 // NVD: CVE-2018-14791

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-228-01

Trust: 3.3

url:http://www.securityfocus.com/bid/105105

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14791

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-14791

Trust: 0.8

url:http://emerson.com

Trust: 0.3

sources: CNVD: CNVD-2018-15737 // BID: 105105 // JVNDB: JVNDB-2018-009547 // CNNVD: CNNVD-201808-564 // NVD: CVE-2018-14791

CREDITS

Ori Perez of CyberX, Younes Dragoni of Nozomi Networks, and Emerson.

Trust: 0.6

sources: CNNVD: CNNVD-201808-564

SOURCES

db: IVD, id: e2f8391f-39ab-11e9-8a62-000c29342cb1
db: CNVD, id: CNVD-2018-15737
db: BID, id: 105105
db: JVNDB, id: JVNDB-2018-009547
db: CNNVD, id: CNNVD-201808-564
db: NVD, id: CVE-2018-14791

LAST UPDATE DATE

2024-11-23T21:52:56.282000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-15737, date: 2018-08-21T00:00:00
db: BID, id: 105105, date: 2018-08-16T00:00:00
db: JVNDB, id: JVNDB-2018-009547, date: 2018-11-21T00:00:00
db: CNNVD, id: CNNVD-201808-564, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-14791, date: 2024-11-21T03:49:48.110

SOURCES RELEASE DATE

db: IVD, id: e2f8391f-39ab-11e9-8a62-000c29342cb1, date: 2018-08-21T00:00:00
db: CNVD, id: CNVD-2018-15737, date: 2018-08-22T00:00:00
db: BID, id: 105105, date: 2018-08-16T00:00:00
db: JVNDB, id: JVNDB-2018-009547, date: 2018-11-21T00:00:00
db: CNNVD, id: CNNVD-201808-564, date: 2018-08-20T00:00:00
db: NVD, id: CVE-2018-14791, date: 2018-08-23T19:29:00.907