Sign-up

ID

VAR-201810-0485


CVE

CVE-2018-17898


TITLE

STARDOM Multiple vulnerabilities in controller

Trust: 0.8

sources: JVNDB: JVNDB-2018-003717

DESCRIPTION

Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The controller application fails to prevent memory exhaustion by unauthorized requests. This could allow an attacker to cause the controller to become unstable. Provided by Yokogawa Electric Corporation STARDOM There are multiple vulnerabilities in the controller. Provided by Yokogawa Electric Corporation STARDOM For small and medium-sized factories PLC Instrumentation system. STARDOM The controller contains several vulnerabilities: * * account ID And password information is hard-coded (CWE-798) - CVE-2018-10592 * * information leak (CWE-200) - CVE-2018-17900 * * Service disruption to remote management functions (DoS) (CWE-119) - CVE-2018-17902 * * Problems with hardcoded authentication information for maintenance functions (CWE-798) - CVE-2018-17896 * * Controller HTTP Service disruption to services (DoS) (CWE-119) - CVE-2018-17898The expected impact depends on each vulnerability, but can be affected as follows: * * A remote attacker can log into the controller and execute arbitrary commands - CVE-2018-10592 * * Authentication information for accessing the remote management function of the controller can be obtained by a remote third party - CVE-2018-17900 * * Remote operation by the remote party to the remote management function of the controller (DoS) Attack is done - CVE-2018-17902 * * A remote attacker logs in to the controller's maintenance function, acquires information, and falsifies - CVE-2018-17896 * * By a remote third party HTTP Service disruption to services (DoS) Attack is done - CVE-2018-17898. Yokogawa STARDOM Controllers FCJ, etc. are the controllers used in the basic network control system of Yokogawa Corporation of Japan. A security vulnerability exists in several Yokogawa products. Attackers can exploit this vulnerability to make the controller unable to run stably (memory exhaustion). The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTUR 4.10 and earlier; FCN-500 R4.10 and earlier

Trust: 1.71

sources: NVD: CVE-2018-17898 // JVNDB: JVNDB-2018-003717 // VULHUB: VHN-128403

AFFECTED PRODUCTS

vendor:yokogawamodel:fcn-100scope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcjscope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcn-rtuscope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcn-500scope:lteversion:r4.10

Trust: 1.0

vendor:yokogawa electricmodel:stardom fcjscope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcjscope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-100scope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-100scope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-500scope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-500scope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-rtuscope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-rtuscope:lteversion:r4.10

Trust: 0.8

vendor:yokogawamodel:fcn-500scope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcn-100scope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcjscope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcn-rtuscope:eqversion:r4.10

Trust: 0.6

sources: JVNDB: JVNDB-2018-003717 // CNNVD: CNNVD-201810-669 // NVD: CVE-2018-17898

CVSS

SEVERITY

CVSSV2

CVSSV3

JPCERT/CC: JVNDB-2018-003717
value: HIGH

Trust: 1.6

JPCERT/CC: JVNDB-2018-003717
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2018-17898
value: HIGH

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201810-669
value: HIGH

Trust: 0.6

VULHUB: VHN-128403
value: HIGH

Trust: 0.1

JPCERT/CC: JVNDB-2018-003717
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

JPCERT/CC: JVNDB-2018-003717
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17898
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-128403
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

JPCERT/CC: JVNDB-2018-003717
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17898
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-003717
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-003717
baseSeverity: HIGH
baseScore: 8.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-128403 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // CNNVD: CNNVD-201810-669 // NVD: CVE-2018-17898

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.1

sources: VULHUB: VHN-128403 // NVD: CVE-2018-17898

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-669

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201810-669

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003717

PATCH
title:YSAR-18-0004 STARDOM コントローラにハードコードパスワードの脆弱性url:https://web-material3.yokogawa.com/19/6712/details/YSAR-18-0004-J.pdf
Trust: 0.8
title:YSAR-18-0007: STARDOMコントローラに複数の脆弱性url:https://web-material3.yokogawa.com/YSAR-18-0007-J.jp.pdf
Trust: 0.8
title:Multiple Yokogawa Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85787
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-669

EXTERNAL IDS
db:ICS CERTid:ICSA-18-151-03
Trust: 2.5
db:NVDid:CVE-2018-17898
Trust: 2.5
db:JVNid:JVNVU92639220
Trust: 0.8
db:JVNDBid:JVNDB-2018-003717
Trust: 0.8
db:CNNVDid:CNNVD-201810-669
Trust: 0.7
db:VULHUBid:VHN-128403
Trust: 0.1
sources:
            
            
            VULHUB: VHN-128403 // 
            
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-669 // 
            
            
            
            NVD: CVE-2018-17898

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-151-03
Trust: 2.5
url:https://web-material3.yokogawa.com/ysar-18-0007-e.pdf
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17900
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17902
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17896
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17898
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10592
Trust: 0.8
url:https://jvn.jp/vu/jvnvu92639220/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17900
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17902
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10592
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17896
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17898
Trust: 0.8
sources:
            
            
            VULHUB: VHN-128403 // 
            
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-669 // 
            
            
            
            NVD: CVE-2018-17898

SOURCES
db:VULHUBid:VHN-128403
db:JVNDBid:JVNDB-2018-003717
db:CNNVDid:CNNVD-201810-669
db:NVDid:CVE-2018-17898

LAST UPDATE DATE
2024-11-23T21:52:47.220000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-128403date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2018-003717date:2019-07-24T00:00:00
db:CNNVDid:CNNVD-201810-669date:2019-10-17T00:00:00
db:NVDid:CVE-2018-17898date:2024-11-21T03:55:09.900

SOURCES RELEASE DATE
db:VULHUBid:VHN-128403date:2018-10-12T00:00:00
db:JVNDBid:JVNDB-2018-003717date:2018-06-04T00:00:00
db:CNNVDid:CNNVD-201810-669date:2018-10-15T00:00:00
db:NVDid:CVE-2018-17898date:2018-10-12T14:29:01.033