Details of VAR-201901-0861

ID

VAR-201901-0861

CVE

CVE-2018-18995

TITLE

ABB GATE-E1 and GATE-E2 Vulnerabilities related to lack of authentication for critical functions

Trust: 0.8

sources: JVNDB: JVNDB-2018-014106

DESCRIPTION

Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2 all versions do not allow authentication to be configured on administrative telnet or web interfaces, which could enable various effects vectors, including conducting device resets, reading or modifying registers, and changing configuration settings such as IP addresses. ABB GATE-E1 and GATE-E2 Is vulnerable to a lack of authentication for critical functions.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ABB GATE-E2 is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the browser, obtain sensitive information; other attacks may also be possible. Both ABB GATE-E1 and GATE-E2 are Ethernet gateway devices of Swiss ABB Company. A security vulnerability exists in ABB GATE-E1 (EOL 2013) and GATE-E2 (EOL OCT 2018), which stems from the fact that the device does not allow authentication to be configured on the management telnet or web interface. An attacker could exploit this vulnerability to reset the device, read or modify the registry, and modify configuration settings such as the IP address

Trust: 1.98

sources: NVD: CVE-2018-18995 // JVNDB: JVNDB-2018-014106 // BID: 106247 // VULHUB: VHN-129610

AFFECTED PRODUCTS

vendor:	abb	model:	gate-e2	scope:	eq	version:	*	Trust: 1.0
vendor:	abb	model:	gate-e1	scope:	eq	version:	*	Trust: 1.0
vendor:	abb	model:	gate-e1	scope:	-	version:	-	Trust: 0.8
vendor:	abb	model:	gate-e2	scope:	-	version:	-	Trust: 0.8
vendor:	abb	model:	gate-e2	scope:	eq	version:	0	Trust: 0.3
vendor:	abb	model:	gate-e1	scope:	eq	version:	0	Trust: 0.3

sources: BID: 106247 // JVNDB: JVNDB-2018-014106 // NVD: CVE-2018-18995

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-18995
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-18995
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201812-790
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-129610
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-18995
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-129610
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-18995
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-129610 // JVNDB: JVNDB-2018-014106 // CNNVD: CNNVD-201812-790 // NVD: CVE-2018-18995

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.9

sources: VULHUB: VHN-129610 // JVNDB: JVNDB-2018-014106 // NVD: CVE-2018-18995

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-790

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201812-790

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014106

PATCH

title:

Top Page

url:

https://new.abb.com/

Trust: 0.8

sources: JVNDB: JVNDB-2018-014106

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-18-352-01	Trust: 2.8
db:	NVD	id:	CVE-2018-18995	Trust: 2.8
db:	BID	id:	106247	Trust: 2.0
db:	JVNDB	id:	JVNDB-2018-014106	Trust: 0.8
db:	CNNVD	id:	CNNVD-201812-790	Trust: 0.7
db:	NSFOCUS	id:	42290	Trust: 0.6
db:	VULHUB	id:	VHN-129610	Trust: 0.1

sources: VULHUB: VHN-129610 // BID: 106247 // JVNDB: JVNDB-2018-014106 // CNNVD: CNNVD-201812-790 // NVD: CVE-2018-18995

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-352-01	Trust: 2.8
url:	http://www.securityfocus.com/bid/106247	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18995	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-18995	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/42290	Trust: 0.6
url:	http://www.abb.com/	Trust: 0.3
url:	https://search-ext.abb.com/library/download.aspx?documentid=2cmt2018-005753&languagecode=en&documentpartid=&action=launch	Trust: 0.3
url:	https://search-ext.abb.com/library/download.aspx?documentid=2cmt2018-005751&languagecode=en&documentpartid=&action=launch	Trust: 0.3

sources: VULHUB: VHN-129610 // BID: 106247 // JVNDB: JVNDB-2018-014106 // CNNVD: CNNVD-201812-790 // NVD: CVE-2018-18995

CREDITS

Nelson Berg of Applied Risk

Trust: 0.3

sources: BID: 106247

SOURCES

db:	VULHUB	id:	VHN-129610
db:	BID	id:	106247
db:	JVNDB	id:	JVNDB-2018-014106
db:	CNNVD	id:	CNNVD-201812-790
db:	NVD	id:	CVE-2018-18995

LAST UPDATE DATE

2024-11-23T22:26:04.486000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-129610	date:	2019-10-09T00:00:00
db:	BID	id:	106247	date:	2018-12-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-014106	date:	2019-03-12T00:00:00
db:	CNNVD	id:	CNNVD-201812-790	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-18995	date:	2024-11-21T03:57:00.443

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-129610	date:	2019-01-03T00:00:00
db:	BID	id:	106247	date:	2018-12-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-014106	date:	2019-03-12T00:00:00
db:	CNNVD	id:	CNNVD-201812-790	date:	2018-12-19T00:00:00
db:	NVD	id:	CVE-2018-18995	date:	2019-01-03T22:29:00.247