Details of VAR-201901-0856

ID

VAR-201901-0856

CVE

CVE-2018-19021

TITLE

Emerson DeltaV Distributed Control System Authentication Bypass Vulnerability

Trust: 0.8

sources: IVD: 7d84cd0f-463f-11e9-95fb-000c29342cb1 // CNVD: CNVD-2019-01681

DESCRIPTION

A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service. Emerson DeltaV DCS Contains vulnerabilities related to authorization, permissions, and access control.Service operation interruption (DoS) There is a possibility of being put into a state. The Emerson DeltaV Distributed Control System is an automated distributed control system from Emerson Electric. The system includes network security management, alarm management, batch control and change management. Emerson DeltaV is prone to an authentication-bypass vulnerability. DeltaV Distributed Control System 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior are vulnerable

Trust: 2.61

sources: NVD: CVE-2018-19021 // JVNDB: JVNDB-2018-013887 // CNVD: CNVD-2019-01681 // BID: 106522 // IVD: 7d84cd0f-463f-11e9-95fb-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 7d84cd0f-463f-11e9-95fb-000c29342cb1 // CNVD: CNVD-2019-01681

AFFECTED PRODUCTS

vendor:	emerson	model:	deltav	scope:	eq	version:	13.3.1	Trust: 1.3
vendor:	emerson	model:	deltav	scope:	eq	version:	11.3.2	Trust: 1.3
vendor:	emerson	model:	deltav	scope:	eq	version:	11.3.1	Trust: 1.3
vendor:	emerson	model:	deltav	scope:	eq	version:	12.3.1	Trust: 1.3
vendor:	emerson	model:	deltav	scope:	gte	version:	r5.1	Trust: 1.0
vendor:	emerson	model:	deltav	scope:	lte	version:	r6	Trust: 1.0
vendor:	emerson	model:	deltav	scope:	eq	version:	14.3	Trust: 1.0
vendor:	emerson	model:	deltav distributed control system	scope:	eq	version:	11.3.1	Trust: 0.8
vendor:	emerson	model:	deltav distributed control system	scope:	eq	version:	11.3.2	Trust: 0.8
vendor:	emerson	model:	deltav distributed control system	scope:	eq	version:	12.3.1	Trust: 0.8
vendor:	emerson	model:	deltav distributed control system	scope:	eq	version:	13.3.1	Trust: 0.8
vendor:	emerson	model:	deltav distributed control system	scope:	eq	version:	14.3	Trust: 0.8
vendor:	emerson	model:	deltav distributed control system	scope:	eq	version:	r5.1	Trust: 0.8
vendor:	emerson	model:	deltav distributed control system	scope:	lte	version:	r6	Trust: 0.8
vendor:	emerson	model:	electric deltav distributed control system	scope:	eq	version:	11.3.1	Trust: 0.6
vendor:	emerson	model:	electric deltav distributed control system	scope:	eq	version:	11.3.2	Trust: 0.6
vendor:	emerson	model:	electric deltav distributed control system	scope:	eq	version:	12.3.1	Trust: 0.6
vendor:	emerson	model:	electric deltav distributed control system	scope:	eq	version:	13.3.1	Trust: 0.6
vendor:	emerson	model:	electric deltav distributed control system	scope:	eq	version:	14.3	Trust: 0.6
vendor:	emerson	model:	electric deltav distributed control system r5.1	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	electric deltav distributed control system <=r6	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	deltav r6	scope:	-	version:	-	Trust: 0.3
vendor:	emerson	model:	deltav r5.1	scope:	-	version:	-	Trust: 0.3
vendor:	emerson	model:	deltav	scope:	eq	version:	14.3.2	Trust: 0.3
vendor:	deltav distributed control system	model:	-	scope:	eq	version:	11.3.1	Trust: 0.2
vendor:	deltav distributed control system	model:	-	scope:	eq	version:	11.3.2	Trust: 0.2
vendor:	deltav distributed control system	model:	-	scope:	eq	version:	12.3.1	Trust: 0.2
vendor:	deltav distributed control system	model:	-	scope:	eq	version:	13.3.1	Trust: 0.2
vendor:	deltav distributed control system	model:	-	scope:	eq	version:	14.3	Trust: 0.2
vendor:	deltav distributed control system	model:	r5.1	scope:	-	version:	-	Trust: 0.2
vendor:	deltav distributed control system	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 7d84cd0f-463f-11e9-95fb-000c29342cb1 // CNVD: CNVD-2019-01681 // BID: 106522 // JVNDB: JVNDB-2018-013887 // NVD: CVE-2018-19021

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-19021
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-19021
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-01681
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201901-433
value:	MEDIUM
Trust: 0.6
IVD:	7d84cd0f-463f-11e9-95fb-000c29342cb1
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2018-19021
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-01681
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d84cd0f-463f-11e9-95fb-000c29342cb1
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2018-19021
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2018-19021
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 7d84cd0f-463f-11e9-95fb-000c29342cb1 // CNVD: CNVD-2019-01681 // JVNDB: JVNDB-2018-013887 // CNNVD: CNNVD-201901-433 // NVD: CVE-2018-19021

PROBLEMTYPE DATA

problemtype:	CWE-307	Trust: 1.0
problemtype:	CWE-264	Trust: 0.8

sources: JVNDB: JVNDB-2018-013887 // NVD: CVE-2018-19021

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201901-433

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201901-433

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013887

PATCH

title:	DeltaV Distributed Control System	url:	https://www.emerson.com/en-us/automation/control-and-safety-systems/distributed-control-systems-dcs/deltav-distributed-control-system	Trust: 0.8
title:	Emerson DeltaV Distributed Control System Authentication Vulnerability Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/150173	Trust: 0.6
title:	Emerson DeltaV Distributed Control System Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88591	Trust: 0.6

sources: CNVD: CNVD-2019-01681 // JVNDB: JVNDB-2018-013887 // CNNVD: CNNVD-201901-433

EXTERNAL IDS

db:	NVD	id:	CVE-2018-19021	Trust: 3.5
db:	ICS CERT	id:	ICSA-19-010-01	Trust: 2.7
db:	BID	id:	106522	Trust: 2.5
db:	CNVD	id:	CNVD-2019-01681	Trust: 0.8
db:	CNNVD	id:	CNNVD-201901-433	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-013887	Trust: 0.8
db:	IVD	id:	7D84CD0F-463F-11E9-95FB-000C29342CB1	Trust: 0.2

sources: IVD: 7d84cd0f-463f-11e9-95fb-000c29342cb1 // CNVD: CNVD-2019-01681 // BID: 106522 // JVNDB: JVNDB-2018-013887 // CNNVD: CNNVD-201901-433 // NVD: CVE-2018-19021

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-010-01	Trust: 2.7
url:	http://www.securityfocus.com/bid/106522	Trust: 2.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19021	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-19021	Trust: 0.8
url:	http://emerson.com	Trust: 0.3

sources: CNVD: CNVD-2019-01681 // BID: 106522 // JVNDB: JVNDB-2018-013887 // CNNVD: CNNVD-201901-433 // NVD: CVE-2018-19021

CREDITS

Alexander Nochvay of Kaspersky Lab

Trust: 0.9

sources: BID: 106522 // CNNVD: CNNVD-201901-433

SOURCES

db:	IVD	id:	7d84cd0f-463f-11e9-95fb-000c29342cb1
db:	CNVD	id:	CNVD-2019-01681
db:	BID	id:	106522
db:	JVNDB	id:	JVNDB-2018-013887
db:	CNNVD	id:	CNNVD-201901-433
db:	NVD	id:	CVE-2018-19021

LAST UPDATE DATE

2024-11-23T22:48:30.705000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-01681	date:	2019-01-16T00:00:00
db:	BID	id:	106522	date:	2019-01-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-013887	date:	2019-03-05T00:00:00
db:	CNNVD	id:	CNNVD-201901-433	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-19021	date:	2024-11-21T03:57:10.977

SOURCES RELEASE DATE

db:	IVD	id:	7d84cd0f-463f-11e9-95fb-000c29342cb1	date:	2019-01-16T00:00:00
db:	CNVD	id:	CNVD-2019-01681	date:	2019-01-16T00:00:00
db:	BID	id:	106522	date:	2019-01-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-013887	date:	2019-03-05T00:00:00
db:	CNNVD	id:	CNNVD-201901-433	date:	2019-01-14T00:00:00
db:	NVD	id:	CVE-2018-19021	date:	2019-01-25T20:29:00.283