Sign-up

ID

VAR-201810-0489


CVE

CVE-2018-17902


TITLE

STARDOM Multiple vulnerabilities in controller

Trust: 0.8

sources: JVNDB: JVNDB-2018-003717

DESCRIPTION

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions. Provided by Yokogawa Electric Corporation STARDOM There are multiple vulnerabilities in the controller. Provided by Yokogawa Electric Corporation STARDOM For small and medium-sized factories PLC Instrumentation system. STARDOM The controller contains several vulnerabilities: * * account ID And password information is hard-coded (CWE-798) - CVE-2018-10592 * * information leak (CWE-200) - CVE-2018-17900 * * Service disruption to remote management functions (DoS) (CWE-119) - CVE-2018-17902 * * Problems with hardcoded authentication information for maintenance functions (CWE-798) - CVE-2018-17896 * * Controller HTTP Service disruption to services (DoS) (CWE-119) - CVE-2018-17898The expected impact depends on each vulnerability, but can be affected as follows: * * A remote attacker can log into the controller and execute arbitrary commands - CVE-2018-10592 * * Authentication information for accessing the remote management function of the controller can be obtained by a remote third party - CVE-2018-17900 * * Remote operation by the remote party to the remote management function of the controller (DoS) Attack is done - CVE-2018-17902 * * A remote attacker logs in to the controller's maintenance function, acquires information, and falsifies - CVE-2018-17896 * * By a remote third party HTTP Service disruption to services (DoS) Attack is done - CVE-2018-17898. Yokogawa STARDOM Controllers FCJ, etc. are the controllers used in the basic network control system of Yokogawa Corporation of Japan. A session fixation vulnerability exists in several Yokogawa products. An attacker could exploit this vulnerability to cause a denial of service. The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTUR 4.10 and earlier; FCN-500 R4.10 and earlier

Trust: 1.71

sources: NVD: CVE-2018-17902 // JVNDB: JVNDB-2018-003717 // VULHUB: VHN-128408

AFFECTED PRODUCTS

vendor:yokogawamodel:fcn-100scope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcjscope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcn-rtuscope:lteversion:r4.10

Trust: 1.0

vendor:yokogawamodel:fcn-500scope:lteversion:r4.10

Trust: 1.0

vendor:yokogawa electricmodel:stardom fcjscope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcjscope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-100scope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-100scope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-500scope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-500scope:lteversion:r4.10

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-rtuscope:lteversion:r4.02

Trust: 0.8

vendor:yokogawa electricmodel:stardom fcn-rtuscope:lteversion:r4.10

Trust: 0.8

vendor:yokogawamodel:fcn-500scope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcn-100scope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcjscope:eqversion:r4.10

Trust: 0.6

vendor:yokogawamodel:fcn-rtuscope:eqversion:r4.10

Trust: 0.6

sources: JVNDB: JVNDB-2018-003717 // CNNVD: CNNVD-201810-652 // NVD: CVE-2018-17902

CVSS

SEVERITY

CVSSV2

CVSSV3

JPCERT/CC: JVNDB-2018-003717
value: HIGH

Trust: 1.6

JPCERT/CC: JVNDB-2018-003717
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2018-17902
value: MEDIUM

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201810-652
value: MEDIUM

Trust: 0.6

VULHUB: VHN-128408
value: MEDIUM

Trust: 0.1

JPCERT/CC: JVNDB-2018-003717
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

JPCERT/CC: JVNDB-2018-003717
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17902
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-128408
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

JPCERT/CC: JVNDB-2018-003717
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17902
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-003717
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-003717
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-003717
baseSeverity: HIGH
baseScore: 8.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-128408 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // JVNDB: JVNDB-2018-003717 // CNNVD: CNNVD-201810-652 // NVD: CVE-2018-17902

PROBLEMTYPE DATA

problemtype:CWE-384

Trust: 1.1

sources: VULHUB: VHN-128408 // NVD: CVE-2018-17902

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-652

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201810-652

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003717

PATCH
title:YSAR-18-0004 STARDOM コントローラにハードコードパスワードの脆弱性url:https://web-material3.yokogawa.com/19/6712/details/YSAR-18-0004-J.pdf
Trust: 0.8
title:YSAR-18-0007: STARDOMコントローラに複数の脆弱性url:https://web-material3.yokogawa.com/YSAR-18-0007-J.jp.pdf
Trust: 0.8
title:Multiple Yokogawa Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85770
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-652

EXTERNAL IDS
db:NVDid:CVE-2018-17902
Trust: 2.5
db:ICS CERTid:ICSA-18-151-03
Trust: 2.5
db:JVNid:JVNVU92639220
Trust: 0.8
db:JVNDBid:JVNDB-2018-003717
Trust: 0.8
db:CNNVDid:CNNVD-201810-652
Trust: 0.7
db:VULHUBid:VHN-128408
Trust: 0.1
sources:
            
            
            VULHUB: VHN-128408 // 
            
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-652 // 
            
            
            
            NVD: CVE-2018-17902

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-151-03
Trust: 2.5
url:https://web-material3.yokogawa.com/ysar-18-0007-e.pdf
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17900
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17902
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17896
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17898
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10592
Trust: 0.8
url:https://jvn.jp/vu/jvnvu92639220/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17900
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17902
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10592
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17896
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17898
Trust: 0.8
sources:
            
            
            VULHUB: VHN-128408 // 
            
            
            
            JVNDB: JVNDB-2018-003717 // 
            
            
            
            CNNVD: CNNVD-201810-652 // 
            
            
            
            NVD: CVE-2018-17902

SOURCES
db:VULHUBid:VHN-128408
db:JVNDBid:JVNDB-2018-003717
db:CNNVDid:CNNVD-201810-652
db:NVDid:CVE-2018-17902

LAST UPDATE DATE
2024-11-23T21:52:47.095000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-128408date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2018-003717date:2019-07-24T00:00:00
db:CNNVDid:CNNVD-201810-652date:2019-10-17T00:00:00
db:NVDid:CVE-2018-17902date:2024-11-21T03:55:10.433

SOURCES RELEASE DATE
db:VULHUBid:VHN-128408date:2018-10-12T00:00:00
db:JVNDBid:JVNDB-2018-003717date:2018-06-04T00:00:00
db:CNNVDid:CNNVD-201810-652date:2018-10-15T00:00:00
db:NVDid:CVE-2018-17902date:2018-10-12T14:29:01.423