ID

VAR-201810-0790


CVE

CVE-2018-13800


TITLE

SIEMENS SIMATIC S7-1200 CPU Family Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1 // CNVD: CNVD-2018-20531 // CNNVD: CNNVD-201810-506

DESCRIPTION

A vulnerability has been identified in SIMATIC S7-1200 CPU family version 4 (All versions < V4.2.3). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify parts of the device configuration. The SIMATIC S7-1200 CPU family contains a cross-site request forgery vulnerability. Information may be obtained and information may be altered. The SIEMENS SIMATIC S7-1200 CPU Family is designed for discrete and continuous control in industrial environments such as manufacturing, food and beverage, and the global chemical industry. Other attacks are also possible.

Trust: 2.61

sources: NVD: CVE-2018-13800 // JVNDB: JVNDB-2018-013475 // CNVD: CNVD-2018-20531 // BID: 105542 // IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1 // CNVD: CNVD-2018-20531

AFFECTED PRODUCTS

vendor: siemens, model: simatic s7-1200 v4, scope: lt, version: 4.2.3

Trust: 1.0

vendor: siemens, model: simatic s7-1200, scope: lt, version: 4.2.3 4

Trust: 0.8

vendor: siemens, model: simatic s7-1200 cpu family, scope: lt, version: 4.2.3

Trust: 0.6

vendor: siemens, model: simatic s7-1200 cpu family, scope: eq, version: 4.0

Trust: 0.3

vendor: siemens, model: simatic s7-1200 cpu family, scope: ne, version: 4.2.3

Trust: 0.3

vendor: simatic s7 1200 v4, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1 // CNVD: CNVD-2018-20531 // BID: 105542 // JVNDB: JVNDB-2018-013475 // NVD: CVE-2018-13800

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13800
value: HIGH

Trust: 1.0

NVD: CVE-2018-13800
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-20531
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201810-506
value: HIGH

Trust: 0.6

IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2018-13800
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-20531
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-13800
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1 // CNVD: CNVD-2018-20531 // JVNDB: JVNDB-2018-013475 // CNNVD: CNNVD-201810-506 // NVD: CVE-2018-13800

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2018-013475 // NVD: CVE-2018-13800

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-506

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201810-506

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013475

PATCH

title: SSA-507847, url: https://cert-portal.siemens.com/productcert/pdf/ssa-507847.pdf

Trust: 0.8

title: Patch for SIEMENS SIMATIC S7-1200 CPU Family Cross-Site Request Forgery Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/141753

Trust: 0.6

title: SIMATIC S7-1200 CPU Repair measures for family security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86137

Trust: 0.6

sources: CNVD: CNVD-2018-20531 // JVNDB: JVNDB-2018-013475 // CNNVD: CNNVD-201810-506

EXTERNAL IDS

db: NVD, id: CVE-2018-13800

Trust: 3.5

db: SIEMENS, id: SSA-507847

Trust: 2.2

db: BID, id: 105542

Trust: 1.9

db: ICS CERT, id: ICSA-18-282-04

Trust: 1.1

db: CNVD, id: CNVD-2018-20531

Trust: 0.8

db: CNNVD, id: CNNVD-201810-506

Trust: 0.8

db: JVNDB, id: JVNDB-2018-013475

Trust: 0.8

db: IVD, id: E2FCA5F1-39AB-11E9-B8B5-000C29342CB1

Trust: 0.2

sources: IVD: e2fca5f1-39ab-11e9-b8b5-000c29342cb1 // CNVD: CNVD-2018-20531 // BID: 105542 // JVNDB: JVNDB-2018-013475 // CNNVD: CNNVD-201810-506 // NVD: CVE-2018-13800

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-507847.pdf

Trust: 2.2

url:http://www.securityfocus.com/bid/105542

Trust: 1.6

url:https://ics-cert.us-cert.gov/advisories/icsa-18-282-04

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13800

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-13800

Trust: 0.8

url:http://www.siemens.com/

Trust: 0.3

sources: CNVD: CNVD-2018-20531 // BID: 105542 // JVNDB: JVNDB-2018-013475 // CNNVD: CNNVD-201810-506 // NVD: CVE-2018-13800

CREDITS

Lisa Fournet and Marl Joos

Trust: 0.3

sources: BID: 105542

SOURCES

db: IVD, id: e2fca5f1-39ab-11e9-b8b5-000c29342cb1
db: CNVD, id: CNVD-2018-20531
db: BID, id: 105542
db: JVNDB, id: JVNDB-2018-013475
db: CNNVD, id: CNNVD-201810-506
db: NVD, id: CVE-2018-13800

LAST UPDATE DATE

2024-11-23T23:11:58.896000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-20531, date: 2018-10-10T00:00:00
db: BID, id: 105542, date: 2018-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-013475, date: 2019-03-25T00:00:00
db: CNNVD, id: CNNVD-201810-506, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-13800, date: 2024-11-21T03:48:04.437

SOURCES RELEASE DATE

db: IVD, id: e2fca5f1-39ab-11e9-b8b5-000c29342cb1, date: 2018-10-10T00:00:00
db: CNVD, id: CNVD-2018-20531, date: 2018-10-10T00:00:00
db: BID, id: 105542, date: 2018-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-013475, date: 2019-02-21T00:00:00
db: CNNVD, id: CNNVD-201810-506, date: 2018-10-11T00:00:00
db: NVD, id: CVE-2018-13800, date: 2018-10-10T17:29:03.703