ID

VAR-201810-0393


CVE

CVE-2018-14808


TITLE

Emerson AMS Device Manager Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-010968

DESCRIPTION

Emerson AMS Device Manager v12.0 to v13.5 allows non-administrative users to change executable and library files on the affected products. An attacker can exploit these issues to gain elevated privileges, bypass certain security restrictions and perform unauthorized actions.

Trust: 1.89

sources: NVD: CVE-2018-14808 // JVNDB: JVNDB-2018-010968 // BID: 105406

AFFECTED PRODUCTS

vendor: emerson // model: ams device manager // scope: gte // version: 12.0

Trust: 1.0

vendor: emerson // model: ams device manager // scope: lte // version: 13.5

Trust: 1.0

vendor: emerson // model: ams device manager // scope: eq // version: 13.5

Trust: 0.9

vendor: emerson // model: ams device manager // scope: eq // version: 13.0

Trust: 0.9

vendor: emerson // model: ams device manager // scope: eq // version: 12.5

Trust: 0.9

vendor: emerson // model: ams device manager // scope: eq // version: 12.0

Trust: 0.9

vendor: emerson // model: ams device manager // scope: eq // version: 12.0 to 13.5

Trust: 0.8

vendor: emerson // model: ams device manager // scope: eq // version: 13.1.1

Trust: 0.6

vendor: emerson // model: ams device manager // scope: eq // version: 12.4

Trust: 0.3

vendor: emerson // model: ams device manager // scope: eq // version: 12.3

Trust: 0.3

vendor: emerson // model: ams device manager // scope: eq // version: 12.2

Trust: 0.3

vendor: emerson // model: ams device manager // scope: eq // version: 12.1

Trust: 0.3

sources: BID: 105406 // JVNDB: JVNDB-2018-010968 // NVD: CVE-2018-14808 // CNNVD: CNNVD-201809-1250

CVSS

SEVERITY

NVD: CVE-2018-14808
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201809-1250
value: MEDIUM

Trust: 0.6

CVSSV2

NVD:
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2018-14808
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CVSSV3

NVD:
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: CVE-2018-14808
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2018-010968 // NVD: CVE-2018-14808 // CNNVD: CNNVD-201809-1250

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2018-010968 // NVD: CVE-2018-14808

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-1250

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201809-1250

CONFIGURATIONS

sources: NVD: CVE-2018-14808

PATCH

title: AMS Device Manager // url: https://www.emerson.com/en-us/catalog/ams-ams-device-manager

Trust: 0.8

title: Emerson Electric AMS Device Manager Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=85259

Trust: 0.6

sources: JVNDB: JVNDB-2018-010968 // CNNVD: CNNVD-201809-1250

EXTERNAL IDS

db: ICS CERT // id: ICSA-18-270-01

Trust: 2.7

db: NVD // id: CVE-2018-14808

Trust: 2.7

db: BID // id: 105406

Trust: 1.9

db: JVNDB // id: JVNDB-2018-010968

Trust: 0.8

db: CNNVD // id: CNNVD-201809-1250

Trust: 0.6

sources: BID: 105406 // JVNDB: JVNDB-2018-010968 // NVD: CVE-2018-14808 // CNNVD: CNNVD-201809-1250

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-270-01

Trust: 2.7

url:http://www.securityfocus.com/bid/105406

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14808

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-14808

Trust: 0.8

url:http://www2.emersonprocess.com/en-us/brands/amssuite/amsdevicemanager/pages/amsdevicemanager.aspx

Trust: 0.3

sources: BID: 105406 // JVNDB: JVNDB-2018-010968 // NVD: CVE-2018-14808 // CNNVD: CNNVD-201809-1250

CREDITS

Sergey Temnikov of Kaspersky Lab and Emerson

Trust: 0.3

sources: BID: 105406

SOURCES

db: BID // id: 105406
db: JVNDB // id: JVNDB-2018-010968
db: NVD // id: CVE-2018-14808
db: CNNVD // id: CNNVD-201809-1250

LAST UPDATE DATE

2023-12-18T12:43:51.091000+00:00


SOURCES UPDATE DATE

db: BID // id: 105406 // date: 2018-09-27T00:00:00
db: JVNDB // id: JVNDB-2018-010968 // date: 2018-12-28T00:00:00
db: NVD // id: CVE-2018-14808 // date: 2019-10-09T23:35:15.327
db: CNNVD // id: CNNVD-201809-1250 // date: 2019-10-17T00:00:00

SOURCES RELEASE DATE

db: BID // id: 105406 // date: 2018-09-27T00:00:00
db: JVNDB // id: JVNDB-2018-010968 // date: 2018-12-28T00:00:00
db: NVD // id: CVE-2018-14808 // date: 2018-10-01T15:29:00.573
db: CNNVD // id: CNNVD-201809-1250 // date: 2018-09-28T00:00:00