Details of VAR-201808-0675

ID

VAR-201808-0675

CVE

CVE-2018-10769

TITLE

SmartMesh Vulnerabilities in access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-009255

DESCRIPTION

The transferProxy and approveProxy functions of a smart contract implementation for SmartMesh (SMT), an Ethereum ERC20 token, allow attackers to accomplish an unauthorized transfer of digital assets because replay attacks can occur with the same-named functions (with the same signatures) in other tokens: First (FST), GG Token (GG), M2C Mesh Network (MTC), M2C Mesh Network (mesh), and UG Token (UGT). SmartMesh Contains an access control vulnerability.Information may be altered. SmartMesh (SMT) is a blockchain-based IoT underlying protocol that is positioned in areas such as networkless communication and networkless payment. There are security vulnerabilities in the 'transferProxy' and 'approveProxy' functions in SMT's smart contracts. An attacker could use this vulnerability to unauthorized transfer of digital assets

Trust: 2.7

sources: NVD: CVE-2018-10769 // JVNDB: JVNDB-2018-009255 // CNVD: CNVD-2018-19606 // CNNVD: CNNVD-201808-305

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-19606

AFFECTED PRODUCTS

vendor:	smartmesh	model:	smartmesh	scope:	eq	version:	-	Trust: 1.6
vendor:	smartmesh	model:	smartmesh	scope:	-	version:	-	Trust: 1.4
vendor:	ugtoken	model:	ugtoken	scope:	eq	version:	-	Trust: 1.0
vendor:	mtc	model:	mtc	scope:	eq	version:	-	Trust: 1.0
vendor:	mesh	model:	mesh	scope:	eq	version:	-	Trust: 1.0
vendor:	gg token	model:	gg token	scope:	eq	version:	-	Trust: 1.0
vendor:	first	model:	first	scope:	eq	version:	-	Trust: 1.0
vendor:	first	model:	first	scope:	-	version:	-	Trust: 0.8
vendor:	gg token	model:	gg token	scope:	-	version:	-	Trust: 0.8
vendor:	mesh	model:	m2c mesh network	scope:	-	version:	-	Trust: 0.8
vendor:	mtc	model:	m2c mesh network	scope:	-	version:	-	Trust: 0.8
vendor:	ug token	model:	ug token	scope:	-	version:	-	Trust: 0.8

sources: CNVD: CNVD-2018-19606 // JVNDB: JVNDB-2018-009255 // CNNVD: CNNVD-201808-305 // NVD: CVE-2018-10769

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-10769
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-10769
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-19606
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201808-305
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2018-10769
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-19606
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-10769
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-19606 // JVNDB: JVNDB-2018-009255 // CNNVD: CNNVD-201808-305 // NVD: CVE-2018-10769

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.8

sources: JVNDB: JVNDB-2018-009255 // NVD: CVE-2018-10769

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-305

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201808-305

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-009255

PATCH

title:	M2C Mesh Network (MTC)	url:	https://etherscan.io/address/0x8feBf7551EeA6Ce499F96537Ae0e2075c5A7301a#code	Trust: 0.8
title:	UG Token (UGT)	url:	https://etherscan.io/address/0x43ee79e379e7b78d871100ed696e803e7893b644#code	Trust: 0.8
title:	First (FST)	url:	https://etherscan.io/address/0x9E88770DA20ebea0Df87aD874c2F5cf8ab92f605#code	Trust: 0.8
title:	GG Token (GG)	url:	https://etherscan.io/address/0xF20b76Ed9d5467fDcDc1444455e303257d2827c7#code	Trust: 0.8
title:	M2C Mesh Network (mesh)	url:	https://etherscan.io/address/0x3AC6cb00f5a44712022a51fbace4C7497F56eE31#code	Trust: 0.8
title:	SMT Token	url:	https://smartmesh.io/smt-token/	Trust: 0.8

sources: JVNDB: JVNDB-2018-009255

EXTERNAL IDS

db:	NVD	id:	CVE-2018-10769	Trust: 3.0
db:	JVNDB	id:	JVNDB-2018-009255	Trust: 0.8
db:	CNVD	id:	CNVD-2018-19606	Trust: 0.6
db:	CNNVD	id:	CNNVD-201808-305	Trust: 0.6

sources: CNVD: CNVD-2018-19606 // JVNDB: JVNDB-2018-009255 // CNNVD: CNNVD-201808-305 // NVD: CVE-2018-10769

REFERENCES

url:	https://github.com/nkbai/defcon26/blob/master/docs/replay%20attacks%20on%20ethereum%20smart%20contracts.md	Trust: 3.0
url:	https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3cdev.struts.apache.org%3e	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10769	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-10769	Trust: 0.8
url:	https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3cdev.struts.apache.org%3e	Trust: 0.6

sources: CNVD: CNVD-2018-19606 // JVNDB: JVNDB-2018-009255 // CNNVD: CNNVD-201808-305 // NVD: CVE-2018-10769

SOURCES

db:	CNVD	id:	CNVD-2018-19606
db:	JVNDB	id:	JVNDB-2018-009255
db:	CNNVD	id:	CNNVD-201808-305
db:	NVD	id:	CVE-2018-10769

LAST UPDATE DATE

2024-11-23T22:17:20.087000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-19606	date:	2018-09-29T00:00:00
db:	JVNDB	id:	JVNDB-2018-009255	date:	2018-11-13T00:00:00
db:	CNNVD	id:	CNNVD-201808-305	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-10769	date:	2024-11-21T03:42:00.560

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-19606	date:	2018-09-21T00:00:00
db:	JVNDB	id:	JVNDB-2018-009255	date:	2018-11-13T00:00:00
db:	CNNVD	id:	CNNVD-201808-305	date:	2018-08-13T00:00:00
db:	NVD	id:	CVE-2018-10769	date:	2018-08-10T15:29:00.237