Sign-up

ID

VAR-201810-0487


CVE

CVE-2018-17900


TITLE

STARDOM Multiple vulnerabilities in controller

Trust: 0.8

sources: JVNDB: JVNDB-2018-003717

DESCRIPTION

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers. Provided by Yokogawa Electric Corporation STARDOM There are multiple vulnerabilities in the controller. Provided by Yokogawa Electric Corporation STARDOM For small and medium-sized factories PLC Instrumentation system. STARDOM The controller contains several vulnerabilities: * * account ID And password information is hard-coded (CWE-798) - CVE-2018-10592 * * information leak (CWE-200) - CVE-2018-17900 * * Service disruption to remote management functions (DoS) (CWE-119) - CVE-2018-17902 * * Problems with hardcoded authentication information for maintenance functions (CWE-798) - CVE-2018-17896 * * Controller HTTP Service disruption to services (DoS) (CWE-119) - CVE-2018-17898The expected impact depends on each vulnerability, but can be affected as follows: * * A remote attacker can log into the controller and execute arbitrary commands - CVE-2018-10592 * * Authentication information for accessing the remote management function of the controller can be obtained by a remote third party - CVE-2018-17900 * * Remote operation by the remote party to the remote management function of the controller (DoS) Attack is done - CVE-2018-17902 * * A remote attacker logs in to the controller's maintenance function, acquires information, and falsifies - CVE-2018-17896 * * By a remote third party HTTP Service disruption to services (DoS) Attack is done - CVE-2018-17898. Yokogawa STARDOM Controllers FCJ, etc. are the controllers used in the basic network control system of Yokogawa Corporation of Japan. A security vulnerability exists in several Yokogawa products due to improper protection of credentials by web applications. The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTUR 4.10 and earlier; FCN-500 R4.10 and earlier

Trust: 1.71

sources: NVD: CVE-2018-17900 // JVNDB: JVNDB-2018-003717 // VULHUB: VHN-128406

AFFECTED PRODUCTS

vendor:yokogawamodel:fcn-100scope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcjscope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcn-rtuscope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcn-500scope:lteversion:r4.10

Trust: 1.0

vendor:yokogawa electricmodel:stardom fcjscope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcjscope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-100scope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-100scope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-500scope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-500scope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-rtuscope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-rtuscope:lteversion:r4.10

Trust: 0.8

vendor:yokogawamodel:fcn-500scope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcn-100scope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcjscope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcn-rtuscope:eqversion:r4.10

Trust: 0.6

sources: JVNDB: JVNDB-2018-003717 // CNNVD: CNNVD-201810-670 // NVD: CVE-2018-17900

CVSS

SEVERITY

CVSSV2

CVSSV3

JPCERT/CC: JVNDB-2018-003717
value: HIGH

Trust: 1.6

JPCERT/CC: JVNDB-2018-003717
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2018-17900
value: CRITICAL

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201810-670
value: CRITICAL

Trust: 0.6

VULHUB: VHN-128406
value: MEDIUM

Trust: 0.1

JPCERT/CC: JVNDB-2018-003717
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

JPCERT/CC: JVNDB-2018-003717
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17900
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-128406
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

JPCERT/CC: JVNDB-2018-003717
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17900
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-003717
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-003717
baseSeverity: HIGH
baseScore: 8.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-128406 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // CNNVD: CNNVD-201810-670 // NVD: CVE-2018-17900

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.1

problemtype:CWE-255

Trust: 0.1

sources: VULHUB: VHN-128406 // NVD: CVE-2018-17900

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-670

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201810-670

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003717

PATCH
title:YSAR-18-0004 STARDOM コントローラにハードコードパスワードの脆弱性url:https://web-material3.yokogawa.com/19/6712/details/YSAR-18-0004-J.pdf
Trust: 0.8
title:YSAR-18-0007: STARDOMコントローラに複数の脆弱性url:https://web-material3.yokogawa.com/YSAR-18-0007-J.jp.pdf
Trust: 0.8
title:Multiple Yokogawa Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85788
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-670

EXTERNAL IDS
db:NVDid:CVE-2018-17900
Trust: 2.5
db:ICS CERTid:ICSA-18-151-03
Trust: 2.5
db:JVNid:JVNVU92639220
Trust: 0.8
db:JVNDBid:JVNDB-2018-003717
Trust: 0.8
db:CNNVDid:CNNVD-201810-670
Trust: 0.7
db:VULHUBid:VHN-128406
Trust: 0.1
sources:
            
            
            VULHUB: VHN-128406 // 
            
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-670 // 
            
            
            
            NVD: CVE-2018-17900

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-151-03
Trust: 2.5
url:https://web-material3.yokogawa.com/ysar-18-0007-e.pdf
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17900
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17902
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17896
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17898
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10592
Trust: 0.8
url:https://jvn.jp/vu/jvnvu92639220/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17900
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17902
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10592
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17896
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17898
Trust: 0.8
sources:
            
            
            VULHUB: VHN-128406 // 
            
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-670 // 
            
            
            
            NVD: CVE-2018-17900

SOURCES
db:VULHUBid:VHN-128406
db:JVNDBid:JVNDB-2018-003717
db:CNNVDid:CNNVD-201810-670
db:NVDid:CVE-2018-17900

LAST UPDATE DATE
2024-11-23T21:52:47.121000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-128406date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2018-003717date:2019-07-24T00:00:00
db:CNNVDid:CNNVD-201810-670date:2019-10-17T00:00:00
db:NVDid:CVE-2018-17900date:2024-11-21T03:55:10.177

SOURCES RELEASE DATE
db:VULHUBid:VHN-128406date:2018-10-12T00:00:00
db:JVNDBid:JVNDB-2018-003717date:2018-06-04T00:00:00
db:CNNVDid:CNNVD-201810-670date:2018-10-15T00:00:00
db:NVDid:CVE-2018-17900date:2018-10-12T14:29:01.207