Details of VAR-201808-0964

ID

VAR-201808-0964

CVE

CVE-2018-7792

TITLE

Schneider Electric Modicon M221 Password Decoding Vulnerability

Trust: 0.8

sources: IVD: c5600743-aa0e-400f-846c-b060da074498 // CNVD: CNVD-2019-06191

DESCRIPTION

A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using rainbow table. The Modicon M221 is a logic controller from Schneider Electric. Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks

Trust: 2.7

sources: NVD: CVE-2018-7792 // JVNDB: JVNDB-2018-009999 // CNVD: CNVD-2019-06191 // BID: 105182 // IVD: c5600743-aa0e-400f-846c-b060da074498 // VULHUB: VHN-137824

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: c5600743-aa0e-400f-846c-b060da074498 // CNVD: CNVD-2019-06191

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon m221	scope:	lt	version:	1.6.2.0	Trust: 1.8
vendor:	schneider	model:	electric modicon m221	scope:	lt	version:	1.6.2.0	Trust: 0.6
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	1.1.1.5	Trust: 0.6
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	1.5.0.1	Trust: 0.3
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	1.5.0.0	Trust: 0.3
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	modicon m221	scope:	ne	version:	1.6.2.0	Trust: 0.3
vendor:	modicon m221	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: c5600743-aa0e-400f-846c-b060da074498 // CNVD: CNVD-2019-06191 // BID: 105182 // JVNDB: JVNDB-2018-009999 // CNNVD: CNNVD-201808-909 // NVD: CVE-2018-7792

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7792
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-7792
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-06191
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201808-909
value:	HIGH
Trust: 0.6
IVD:	c5600743-aa0e-400f-846c-b060da074498
value:	HIGH
Trust: 0.2
VULHUB:	VHN-137824
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-7792
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-06191
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	c5600743-aa0e-400f-846c-b060da074498
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-137824
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-7792
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2018-7792
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: c5600743-aa0e-400f-846c-b060da074498 // CNVD: CNVD-2019-06191 // VULHUB: VHN-137824 // JVNDB: JVNDB-2018-009999 // CNNVD: CNNVD-201808-909 // NVD: CVE-2018-7792

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.1
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-137824 // JVNDB: JVNDB-2018-009999 // NVD: CVE-2018-7792

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-909

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201808-909

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-009999

PATCH

title:	SEVD-2018-235-01	url:	https://www.schneider-electric.com/en/download/document/SEVD-2018-235-01/	Trust: 0.8
title:	Patch for SchneiderElectricModiconM221 Password Decryption Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/155259	Trust: 0.6
title:	Schneider Electric Modicon M221 Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100302	Trust: 0.6

sources: CNVD: CNVD-2019-06191 // JVNDB: JVNDB-2018-009999 // CNNVD: CNNVD-201808-909

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7792	Trust: 3.6
db:	BID	id:	105182	Trust: 2.0
db:	ICS CERT	id:	ICSA-18-240-01	Trust: 1.7
db:	SCHNEIDER	id:	SEVD-2018-235-01	Trust: 1.7
db:	CNNVD	id:	CNNVD-201808-909	Trust: 0.9
db:	CNVD	id:	CNVD-2019-06191	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-009999	Trust: 0.8
db:	IVD	id:	C5600743-AA0E-400F-846C-B060DA074498	Trust: 0.2
db:	VULHUB	id:	VHN-137824	Trust: 0.1

sources: IVD: c5600743-aa0e-400f-846c-b060da074498 // CNVD: CNVD-2019-06191 // VULHUB: VHN-137824 // BID: 105182 // JVNDB: JVNDB-2018-009999 // CNNVD: CNNVD-201808-909 // NVD: CVE-2018-7792

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-240-01	Trust: 1.7
url:	http://www.securityfocus.com/bid/105182	Trust: 1.7
url:	https://www.schneider-electric.com/en/download/document/sevd-2018-235-01/	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7792	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7792	Trust: 0.8
url:	http://www.schneider-electric.com/products/ww/en/	Trust: 0.3

sources: CNVD: CNVD-2019-06191 // VULHUB: VHN-137824 // BID: 105182 // JVNDB: JVNDB-2018-009999 // CNNVD: CNNVD-201808-909 // NVD: CVE-2018-7792

CREDITS

Irfan Ahmed, Sushma Kalle, and Nehal Ameen of the University of New Orleans, Hyunguk Yoo

Trust: 0.6

sources: CNNVD: CNNVD-201808-909

SOURCES

db:	IVD	id:	c5600743-aa0e-400f-846c-b060da074498
db:	CNVD	id:	CNVD-2019-06191
db:	VULHUB	id:	VHN-137824
db:	BID	id:	105182
db:	JVNDB	id:	JVNDB-2018-009999
db:	CNNVD	id:	CNNVD-201808-909
db:	NVD	id:	CVE-2018-7792

LAST UPDATE DATE

2024-11-23T21:52:50.981000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-06191	date:	2019-03-06T00:00:00
db:	VULHUB	id:	VHN-137824	date:	2019-10-03T00:00:00
db:	BID	id:	105182	date:	2018-08-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-009999	date:	2019-01-08T00:00:00
db:	CNNVD	id:	CNNVD-201808-909	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2018-7792	date:	2024-11-21T04:12:44.640

SOURCES RELEASE DATE

db:	IVD	id:	c5600743-aa0e-400f-846c-b060da074498	date:	2019-03-06T00:00:00
db:	CNVD	id:	CNVD-2019-06191	date:	2019-03-06T00:00:00
db:	VULHUB	id:	VHN-137824	date:	2018-08-29T00:00:00
db:	BID	id:	105182	date:	2018-08-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-009999	date:	2018-12-04T00:00:00
db:	CNNVD	id:	CNNVD-201808-909	date:	2018-08-29T00:00:00
db:	NVD	id:	CVE-2018-7792	date:	2018-08-29T21:29:01.273