Details of VAR-201810-0464

ID

VAR-201810-0464

CVE

CVE-2018-17925

TITLE

GE iFIX Cryptographic vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-011235

DESCRIPTION

Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted. GE iFIX Contains vulnerabilities related to security features.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. iFIX is an intelligent hardware and software solution from GE Intelligent Platforms (GE-IP). There is a security hole in the Gigasoft component in GEiFix. An attacker could exploit the vulnerability to perform unauthorized operations. General Electric iFix is prone to an unspecified local security vulnerability

Trust: 2.61

sources: NVD: CVE-2018-17925 // JVNDB: JVNDB-2018-011235 // CNVD: CNVD-2018-21170 // BID: 105540 // IVD: 7d85694f-463f-11e9-a62b-000c29342cb1

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 7d85694f-463f-11e9-a62b-000c29342cb1 // CNVD: CNVD-2018-21170

AFFECTED PRODUCTS

vendor:	ge	model:	ifix	scope:	lte	version:	5.8	Trust: 1.0
vendor:	ge	model:	ifix	scope:	gte	version:	2.0	Trust: 1.0
vendor:	ge	model:	ifix	scope:	eq	version:	5.8	Trust: 0.8
vendor:	general electric	model:	ifix	scope:	eq	version:	2.0 to 5.8	Trust: 0.8
vendor:	ge	model:	ifix	scope:	eq	version:	5.5	Trust: 0.6
vendor:	ge	model:	ifix	scope:	eq	version:	2.0	Trust: 0.6
vendor:	ge	model:	ifix	scope:	eq	version:	5.0	Trust: 0.6
vendor:	ge	model:	ifix	scope:	eq	version:	5.1	Trust: 0.6
vendor:	general	model:	electric ifix	scope:	eq	version:	5.8	Trust: 0.3
vendor:	general	model:	electric ifix	scope:	eq	version:	5.5	Trust: 0.3
vendor:	general	model:	electric ifix	scope:	eq	version:	5.1	Trust: 0.3
vendor:	general	model:	electric ifix	scope:	eq	version:	5.0	Trust: 0.3
vendor:	general	model:	electric ifix	scope:	eq	version:	2.0	Trust: 0.3
vendor:	general	model:	electric ifix	scope:	ne	version:	5.9	Trust: 0.3
vendor:	ge	model:	ifix	scope:	eq	version:	5.5*	Trust: 0.2
vendor:	ge	model:	ifix	scope:	eq	version:	2.0*	Trust: 0.2
vendor:	ge	model:	ifix	scope:	eq	version:	5.0*	Trust: 0.2
vendor:	ge	model:	ifix	scope:	eq	version:	5.1*	Trust: 0.2

sources: IVD: 7d85694f-463f-11e9-a62b-000c29342cb1 // CNVD: CNVD-2018-21170 // BID: 105540 // JVNDB: JVNDB-2018-011235 // NVD: CVE-2018-17925

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17925
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-17925
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-21170
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201810-510
value:	MEDIUM
Trust: 0.6
IVD:	7d85694f-463f-11e9-a62b-000c29342cb1
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2018-17925
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-21170
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d85694f-463f-11e9-a62b-000c29342cb1
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2018-17925
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.3
impactScore:	3.4
version:	3.0
Trust: 1.8

sources: IVD: 7d85694f-463f-11e9-a62b-000c29342cb1 // CNVD: CNVD-2018-21170 // JVNDB: JVNDB-2018-011235 // CNNVD: CNNVD-201810-510 // NVD: CVE-2018-17925

PROBLEMTYPE DATA

problemtype:	CWE-623	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-254	Trust: 0.8

sources: JVNDB: JVNDB-2018-011235 // NVD: CVE-2018-17925

THREAT TYPE

local

Trust: 0.9

sources: BID: 105540 // CNNVD: CNNVD-201810-510

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201810-510

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011235

PATCH

title:	Top Page	url:	https://digitalsupport.ge.com/communities/CC_Home	Trust: 0.8
title:	GEiFix does not authorize patches for operating vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/142387	Trust: 0.6
title:	GE iFIX Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86165	Trust: 0.6

sources: CNVD: CNVD-2018-21170 // JVNDB: JVNDB-2018-011235 // CNNVD: CNNVD-201810-510

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17925	Trust: 3.5
db:	ICS CERT	id:	ICSA-18-282-01	Trust: 2.7
db:	BID	id:	105540	Trust: 1.9
db:	CNVD	id:	CNVD-2018-21170	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-510	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-011235	Trust: 0.8
db:	IVD	id:	7D85694F-463F-11E9-A62B-000C29342CB1	Trust: 0.2

sources: IVD: 7d85694f-463f-11e9-a62b-000c29342cb1 // CNVD: CNVD-2018-21170 // BID: 105540 // JVNDB: JVNDB-2018-011235 // CNNVD: CNNVD-201810-510 // NVD: CVE-2018-17925

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-282-01	Trust: 2.7
url:	http://www.securityfocus.com/bid/105540	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17925	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17925	Trust: 0.8
url:	https://www.ge.com/	Trust: 0.3

sources: CNVD: CNVD-2018-21170 // BID: 105540 // JVNDB: JVNDB-2018-011235 // CNNVD: CNNVD-201810-510 // NVD: CVE-2018-17925

CREDITS

LiMingzheng of 360 aegis.

Trust: 0.3

sources: BID: 105540

SOURCES

db:	IVD	id:	7d85694f-463f-11e9-a62b-000c29342cb1
db:	CNVD	id:	CNVD-2018-21170
db:	BID	id:	105540
db:	JVNDB	id:	JVNDB-2018-011235
db:	CNNVD	id:	CNNVD-201810-510
db:	NVD	id:	CVE-2018-17925

LAST UPDATE DATE

2024-11-23T22:58:50.376000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-21170	date:	2019-01-23T00:00:00
db:	BID	id:	105540	date:	2018-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-011235	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-510	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-17925	date:	2024-11-21T03:55:13.250

SOURCES RELEASE DATE

db:	IVD	id:	7d85694f-463f-11e9-a62b-000c29342cb1	date:	2018-10-18T00:00:00
db:	CNVD	id:	CNVD-2018-21170	date:	2018-10-16T00:00:00
db:	BID	id:	105540	date:	2018-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-011235	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-510	date:	2018-10-11T00:00:00
db:	NVD	id:	CVE-2018-17925	date:	2018-10-10T17:29:04.297