Details of VAR-201811-0106

ID

VAR-201811-0106

CVE

CVE-2018-17918

TITLE

Circontrol CirCarLife Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-011779

DESCRIPTION

Circontrol CirCarLife all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page. Circontrol CirCarLife Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CIRCONTROL CirCarLife is a set of parking lot automation management system of Spain CIRCONTROL company. CIRCONTROL CirCarLife Prior to version 4.3.1 there were security vulnerabilities. An authentication-bypass vulnerability 2

Trust: 2.7

sources: NVD: CVE-2018-17918 // JVNDB: JVNDB-2018-011779 // CNVD: CNVD-2019-44953 // BID: 105816 // IVD: 609077b1-a493-404f-a627-066516e8991d // VULHUB: VHN-128425

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 609077b1-a493-404f-a627-066516e8991d // CNVD: CNVD-2019-44953

AFFECTED PRODUCTS

vendor:	circontrol	model:	circarlife	scope:	lt	version:	4.3.1	Trust: 1.6
vendor:	circontrol s a	model:	circarlife	scope:	lt	version:	4.3.1	Trust: 0.8
vendor:	circontrol	model:	circarlife	scope:	eq	version:	4.3	Trust: 0.6
vendor:	circontrol	model:	circarlife	scope:	eq	version:	-	Trust: 0.6
vendor:	circontrol	model:	circarlife	scope:	eq	version:	0	Trust: 0.3
vendor:	circontrol	model:	circarlife	scope:	ne	version:	4.3.1	Trust: 0.3
vendor:	circarlife	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 609077b1-a493-404f-a627-066516e8991d // CNVD: CNVD-2019-44953 // BID: 105816 // JVNDB: JVNDB-2018-011779 // CNNVD: CNNVD-201811-022 // NVD: CVE-2018-17918

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17918
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-17918
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-44953
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201811-022
value:	CRITICAL
Trust: 0.6
IVD:	609077b1-a493-404f-a627-066516e8991d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-128425
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-17918
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-44953
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	609077b1-a493-404f-a627-066516e8991d
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-128425
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-17918
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: 609077b1-a493-404f-a627-066516e8991d // CNVD: CNVD-2019-44953 // VULHUB: VHN-128425 // JVNDB: JVNDB-2018-011779 // CNNVD: CNNVD-201811-022 // NVD: CVE-2018-17918

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.9
problemtype:	CWE-288	Trust: 1.0

sources: VULHUB: VHN-128425 // JVNDB: JVNDB-2018-011779 // NVD: CVE-2018-17918

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-022

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201811-022

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011779

PATCH

title:	Top Page	url:	https://circontrol.com/	Trust: 0.8
title:	Patch for CIRCONTROL CirCarLife has an unknown vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/193517	Trust: 0.6
title:	CIRCONTROL CirCarLife Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86568	Trust: 0.6

sources: CNVD: CNVD-2019-44953 // JVNDB: JVNDB-2018-011779 // CNNVD: CNNVD-201811-022

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17918	Trust: 3.6
db:	ICS CERT	id:	ICSA-18-305-03	Trust: 3.4
db:	BID	id:	105816	Trust: 2.6
db:	CNNVD	id:	CNNVD-201811-022	Trust: 0.9
db:	CNVD	id:	CNVD-2019-44953	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-011779	Trust: 0.8
db:	IVD	id:	609077B1-A493-404F-A627-066516E8991D	Trust: 0.2
db:	VULHUB	id:	VHN-128425	Trust: 0.1

sources: IVD: 609077b1-a493-404f-a627-066516e8991d // CNVD: CNVD-2019-44953 // VULHUB: VHN-128425 // BID: 105816 // JVNDB: JVNDB-2018-011779 // CNNVD: CNNVD-201811-022 // NVD: CVE-2018-17918

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-305-03	Trust: 3.4
url:	http://www.securityfocus.com/bid/105816	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17918	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17918	Trust: 0.8
url:	https://circontrol.com/intelligent-charging-solutions/	Trust: 0.3

sources: CNVD: CNVD-2019-44953 // VULHUB: VHN-128425 // BID: 105816 // JVNDB: JVNDB-2018-011779 // CNNVD: CNNVD-201811-022 // NVD: CVE-2018-17918

CREDITS

Ankit Anubhav of NewSky Security, M. Can Kurnaz Senior Consultant at KPMG Netherlands, Alim Solmaz Security Consultant at Atos, Michael John Chief Information Security Officer at WePower Network, and Gyorgy Miru Security Researcher at Verint.

Trust: 0.3

sources: BID: 105816

SOURCES

db:	IVD	id:	609077b1-a493-404f-a627-066516e8991d
db:	CNVD	id:	CNVD-2019-44953
db:	VULHUB	id:	VHN-128425
db:	BID	id:	105816
db:	JVNDB	id:	JVNDB-2018-011779
db:	CNNVD	id:	CNNVD-201811-022
db:	NVD	id:	CVE-2018-17918

LAST UPDATE DATE

2024-11-23T21:52:40.176000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-44953	date:	2019-12-11T00:00:00
db:	VULHUB	id:	VHN-128425	date:	2019-10-09T00:00:00
db:	BID	id:	105816	date:	2018-11-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-011779	date:	2019-01-23T00:00:00
db:	CNNVD	id:	CNNVD-201811-022	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-17918	date:	2024-11-21T03:55:12.433

SOURCES RELEASE DATE

db:	IVD	id:	609077b1-a493-404f-a627-066516e8991d	date:	2019-12-11T00:00:00
db:	CNVD	id:	CNVD-2019-44953	date:	2019-12-10T00:00:00
db:	VULHUB	id:	VHN-128425	date:	2018-11-02T00:00:00
db:	BID	id:	105816	date:	2018-11-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-011779	date:	2019-01-23T00:00:00
db:	CNNVD	id:	CNNVD-201811-022	date:	2018-11-02T00:00:00
db:	NVD	id:	CVE-2018-17918	date:	2018-11-02T15:29:00.590