Sign-up

ID

VAR-201901-0742


CVE

CVE-2018-0638


TITLE

Multiple vulnerabilities in Aterm HC100RC

Trust: 0.8

sources: JVNDB: JVNDB-2018-000077

DESCRIPTION

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via import.cgi encKey parameter. Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below. * OS Command Injection (CWE-78) - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639 * Buffer Overflow (CWE-119) - CVE-2018-0640, CVE-2018-0641 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.* A user who can access the product with administrative privileges may execute an arbitrary OS command. - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639 * A user who can access the product with administrative privileges may execute an arbitrary code. - CVE-2018-0640, CVE-2018-0641. The NECAtermHC100RC is a network camera from NEC. An operating system command injection vulnerability exists in NECAtermHC100RC using firmware version 1.0.1 and earlier

Trust: 2.16

sources: NVD: CVE-2018-0638 // JVNDB: JVNDB-2018-000077 // CNVD: CNVD-2019-01110

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-01110

AFFECTED PRODUCTS

vendor:necmodel:aterm hc100rcscope:lteversion:1.0.1

Trust: 1.0

vendor:necmodel:aterm hc100rcscope:lteversion:camera firmware ver1.0.1

Trust: 0.8

vendor:necmodel:aterm hc100rcscope:lteversion:<=1.0.1

Trust: 0.6

vendor:necmodel:aterm hc100rcscope:eqversion:1.0.1

Trust: 0.6

sources: CNVD: CNVD-2019-01110 // JVNDB: JVNDB-2018-000077 // CNNVD: CNNVD-201901-253 // NVD: CVE-2018-0638

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA: JVNDB-2018-000077
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2018-0638
value: HIGH

Trust: 1.0

CNVD: CNVD-2019-01110
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201901-253
value: CRITICAL

Trust: 0.6

IPA: JVNDB-2018-000077
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

nvd@nist.gov: CVE-2018-0638
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2019-01110
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IPA: JVNDB-2018-000077
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2018-0638
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2019-01110 // JVNDB: JVNDB-2018-000077 // JVNDB: JVNDB-2018-000077 // CNNVD: CNNVD-201901-253 // NVD: CVE-2018-0638

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

problemtype:CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2018-000077 // NVD: CVE-2018-0638

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-253

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201901-253

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-000077

PATCH
title:NV18-011url:https://jpn.nec.com/security-info/secinfo/nv18-011.html
Trust: 0.8
title:Patch for NECAtermHC100RC Operating System Command Injection Vulnerability (CNVD-2019-01110)url:https://www.cnvd.org.cn/patchInfo/show/149873
Trust: 0.6
title:NEC Aterm HC100RC Fixes for operating system command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88437
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-01110 // 
            
            
            
            JVNDB: JVNDB-2018-000077 // 
            
            
            
            CNNVD: CNNVD-201901-253

EXTERNAL IDS
db:NVDid:CVE-2018-0638
Trust: 3.0
db:JVNid:JVN84825660
Trust: 2.4
db:JVNDBid:JVNDB-2018-000077
Trust: 0.8
db:CNVDid:CNVD-2019-01110
Trust: 0.6
db:CNNVDid:CNNVD-201901-253
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-01110 // 
            
            
            
            JVNDB: JVNDB-2018-000077 // 
            
            
            
            CNNVD: CNNVD-201901-253 // 
            
            
            
            NVD: CVE-2018-0638

REFERENCES
url:https://jvn.jp/en/jp/jvn84825660/index.html
Trust: 2.4
url:https://jpn.nec.com/security-info/secinfo/nv18-011.html
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2018-0638
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0638
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0639
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0640
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0641
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0634
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0635
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0636
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0637
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0637
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0639
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0640
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0641
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0634
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0635
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0636
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2019-01110 // 
            
            
            
            JVNDB: JVNDB-2018-000077 // 
            
            
            
            CNNVD: CNNVD-201901-253 // 
            
            
            
            NVD: CVE-2018-0638

SOURCES
db:CNVDid:CNVD-2019-01110
db:JVNDBid:JVNDB-2018-000077
db:CNNVDid:CNNVD-201901-253
db:NVDid:CVE-2018-0638

LAST UPDATE DATE
2024-11-23T21:37:45.421000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-01110date:2019-01-14T00:00:00
db:JVNDBid:JVNDB-2018-000077date:2019-08-27T00:00:00
db:CNNVDid:CNNVD-201901-253date:2019-01-10T00:00:00
db:NVDid:CVE-2018-0638date:2024-11-21T03:38:38.443

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-01110date:2019-01-14T00:00:00
db:JVNDBid:JVNDB-2018-000077date:2018-07-12T00:00:00
db:CNNVDid:CNNVD-201901-253date:2019-01-10T00:00:00
db:NVDid:CVE-2018-0638date:2019-01-09T23:29:01.077