Sign-up

ID

VAR-201810-1416


CVE

CVE-2018-5402


TITLE

Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App

Trust: 0.8

sources: CERT/CC: VU#176301

DESCRIPTION

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7. Auto-Maskin RP With remote panel DCU The control unit is a product that monitors and controls the ship's engine. These products have multiple vulnerabilities related to authentication and encryption that can be accessed by an attacker and take over the engine operation of the ship. Problems with hard-coded credentials (CWE-798) - CVE-2018-5399 DCU 210E No firmware Dropbear SSH server Is included, but this is not documented. Also, SSH The username and password for the connection are hard-coded and the password is easily guessable. Insufficient validation of connection source (CWE-346) - CVE-2018-5400 The product uses a proprietary protocol that is not documented to communicate with other equipment. Modbus We are communicating, but we have not verified the validity of the connection between devices. Sensitive information is sent in clear text (CWE-319) - CVE-2018-5401 The product is not encrypted Modbus Sending control information using communication. Sensitive information is sent in clear text (CWE-319) - CVE-2018-5402 The web server included in the product is an administrator using plain text that is not encrypted. PIN Sending code. These vulnerabilities Brian Satira Mr and Brian Olson Reported by him.An attacker could use this vulnerability to obtain information such as device configuration, configuration information, and sensor operating status. Also any Modbus ( control ) Information may also be sent. An hard-coded credentials security bypass Vulnerability. 2. A security-bypass vulnerability. 3. Multiple information disclosure vulnerabilities. Attackers may exploit these issues to gain unauthorized access to the affected application, or to bypass certain security restrictions to perform unauthorized actions, and obtain sensitive information. Auto-Maskin DCU-210E and RP-210E are engine control panels

Trust: 2.7

sources: NVD: CVE-2018-5402 // CERT/CC: VU#176301 // JVNDB: JVNDB-2018-008149 // BID: 105714 // VULHUB: VHN-135433

AFFECTED PRODUCTS

vendor:auto maskinmodel:marine pro observerscope:eqversion: -

Trust: 1.6

vendor:auto maskinmodel:dcu 210escope:eqversion: -

Trust: 1.6

vendor:auto maskinmodel:rp 210escope:eqversion: -

Trust: 1.6

vendor:auto maskin asmodel: - scope: - version: -

Trust: 0.8

vendor:auto maskinmodel:dcu 210escope: - version: -

Trust: 0.8

vendor:auto maskinmodel:marine pro observerscope: - version: -

Trust: 0.8

vendor:auto maskinmodel:rp 210escope: - version: -

Trust: 0.8

vendor:auto maskinmodel:as marine pro observerscope:eqversion:0

Trust: 0.3

vendor:auto maskinmodel:as dcu 210e rp 210escope:eqversion:0

Trust: 0.3

sources: CERT/CC: VU#176301 // BID: 105714 // JVNDB: JVNDB-2018-008149 // CNNVD: CNNVD-201810-262 // NVD: CVE-2018-5402

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5402
value: HIGH

Trust: 1.0

cret@cert.org: CVE-2018-5402
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-201810-262
value: HIGH

Trust: 0.6

VULHUB: VHN-135433
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-5402
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-135433
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5402
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

cret@cert.org: CVE-2018-5402
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-135433 // CNNVD: CNNVD-201810-262 // NVD: CVE-2018-5402 // NVD: CVE-2018-5402

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.1

problemtype:CWE-319

Trust: 1.0

sources: VULHUB: VHN-135433 // NVD: CVE-2018-5402

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-262

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201810-262

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-008149

EXTERNAL IDS
db:CERT/CCid:VU#176301
Trust: 3.6
db:NVDid:CVE-2018-5402
Trust: 2.8
db:ICS CERTid:ICSA-20-051-04
Trust: 1.7
db:JVNid:JVNVU99039923
Trust: 0.8
db:JVNDBid:JVNDB-2018-008149
Trust: 0.8
db:CNNVDid:CNNVD-201810-262
Trust: 0.7
db:AUSCERTid:ESB-2020.0648
Trust: 0.6
db:BIDid:105714
Trust: 0.3
db:VULHUBid:VHN-135433
Trust: 0.1
sources:
            
            
            CERT/CC: VU#176301 // 
            
            
            
            VULHUB: VHN-135433 // 
            
            
            
            BID: 105714 // 
            
            
            
            JVNDB: JVNDB-2018-008149 // 
            
            
            
            CNNVD: CNNVD-201810-262 // 
            
            
            
            NVD: CVE-2018-5402

REFERENCES
url:https://www.kb.cert.org/vuls/id/176301
Trust: 2.8
url:https://www.us-cert.gov/ics/advisories/icsa-20-051-04
Trust: 1.7
url:about vulnerability notes
Trust: 0.8
url:contact us about this vulnerability
Trust: 0.8
url:provide a vendor statement
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5401
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5402
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5399
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5400
Trust: 0.8
url:https://jvn.jp/vu/jvnvu99039923/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-5399
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-5400
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-5401
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-5402
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0648/
Trust: 0.6
url:https://www.auto-maskin.com/
Trust: 0.3
sources:
            
            
            CERT/CC: VU#176301 // 
            
            
            
            VULHUB: VHN-135433 // 
            
            
            
            BID: 105714 // 
            
            
            
            JVNDB: JVNDB-2018-008149 // 
            
            
            
            CNNVD: CNNVD-201810-262 // 
            
            
            
            NVD: CVE-2018-5402

CREDITS
Brian Satira and Brian Olson
Trust: 0.3
sources:
            
            
            BID: 105714

SOURCES
db:CERT/CCid:VU#176301
db:VULHUBid:VHN-135433
db:BIDid:105714
db:JVNDBid:JVNDB-2018-008149
db:CNNVDid:CNNVD-201810-262
db:NVDid:CVE-2018-5402

LAST UPDATE DATE
2024-11-23T21:38:03.693000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#176301date:2018-10-16T00:00:00
db:VULHUBid:VHN-135433date:2019-10-09T00:00:00
db:BIDid:105714date:2018-10-06T00:00:00
db:JVNDBid:JVNDB-2018-008149date:2019-08-28T00:00:00
db:CNNVDid:CNNVD-201810-262date:2020-02-25T00:00:00
db:NVDid:CVE-2018-5402date:2024-11-21T04:08:44.850

SOURCES RELEASE DATE
db:CERT/CCid:VU#176301date:2018-10-06T00:00:00
db:VULHUBid:VHN-135433date:2018-10-08T00:00:00
db:BIDid:105714date:2018-10-06T00:00:00
db:JVNDBid:JVNDB-2018-008149date:2018-10-10T00:00:00
db:CNNVDid:CNNVD-201810-262date:2018-10-09T00:00:00
db:NVDid:CVE-2018-5402date:2018-10-08T15:29:02.977