Details of VAR-201902-0691

ID

VAR-201902-0691

CVE

CVE-2018-7839

TITLE

IIoT Monitor Cryptographic vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-014380

DESCRIPTION

A Cryptographic Issue (CWE-310) vulnerability exists in IIoT Monitor 3.1.38 which could allow information disclosure. IIoT Monitor Contains a cryptographic vulnerability.Information may be obtained. This vulnerability allows the decryption of the administrator password on vulnerable installations of Schneider Electric IIoT Monitor. Authentication is not required to exploit this vulnerability.The specific flaw exists within encryption of the administrator password in the AESEncryption class. A hard-coded cryptographic key is used which can allow the reversal of the encryption process. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to bypass authentication on the system. Schneider Electric IIoT Monitor is an industrial IoT monitor from Schneider Electric of France. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks

Trust: 3.78

sources: NVD: CVE-2018-7839 // JVNDB: JVNDB-2018-014380 // ZDI: ZDI-19-031 // CNVD: CNVD-2019-45188 // CNNVD: CNNVD-201901-746 // BID: 106941 // IVD: 504652dc-fdd7-45b6-8d68-fd077b26fc7e

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 504652dc-fdd7-45b6-8d68-fd077b26fc7e // CNVD: CNVD-2019-45188

AFFECTED PRODUCTS

vendor:	schneider electric	model:	iiot monitor	scope:	eq	version:	3.1.38	Trust: 2.1
vendor:	schneider electric	model:	iiot monitor	scope:	-	version:	-	Trust: 0.7
vendor:	schneider	model:	electric iiot monitor	scope:	lte	version:	<=3.1.38	Trust: 0.6
vendor:	iiot monitor	model:	-	scope:	eq	version:	3.1.38	Trust: 0.2

sources: IVD: 504652dc-fdd7-45b6-8d68-fd077b26fc7e // ZDI: ZDI-19-031 // CNVD: CNVD-2019-45188 // BID: 106941 // JVNDB: JVNDB-2018-014380 // NVD: CVE-2018-7839

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7839
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-7839
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2018-7839
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2019-45188
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201901-746
value:	MEDIUM
Trust: 0.6
IVD:	504652dc-fdd7-45b6-8d68-fd077b26fc7e
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2018-7839
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-45188
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	504652dc-fdd7-45b6-8d68-fd077b26fc7e
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2018-7839
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.0
Trust: 1.8
ZDI:	CVE-2018-7839
baseSeverity:	MEDIUM
baseScore:	6.2
vectorString:	AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.5
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: IVD: 504652dc-fdd7-45b6-8d68-fd077b26fc7e // ZDI: ZDI-19-031 // CNVD: CNVD-2019-45188 // JVNDB: JVNDB-2018-014380 // CNNVD: CNNVD-201901-746 // NVD: CVE-2018-7839

PROBLEMTYPE DATA

problemtype:

CWE-310

Trust: 1.8

sources: JVNDB: JVNDB-2018-014380 // NVD: CVE-2018-7839

THREAT TYPE

local

Trust: 0.9

sources: BID: 106941 // CNNVD: CNNVD-201901-746

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201901-746

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014380

PATCH

title:	SEVD-2018-354-03	url:	https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/	Trust: 0.8
title:	Schneider Electric has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-19-008-02	Trust: 0.7
title:	Patch for Schneider Electric IIoT Monitor Crypto Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/194017	Trust: 0.6
title:	Schneider Electric IIoT Monitor Fixes for encryption problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88850	Trust: 0.6

sources: ZDI: ZDI-19-031 // CNVD: CNVD-2019-45188 // JVNDB: JVNDB-2018-014380 // CNNVD: CNNVD-201901-746

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7839	Trust: 4.2
db:	ICS CERT	id:	ICSA-19-008-02	Trust: 2.4
db:	SCHNEIDER	id:	SEVD-2018-354-03	Trust: 1.9
db:	CNVD	id:	CNVD-2019-45188	Trust: 0.8
db:	CNNVD	id:	CNNVD-201901-746	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-014380	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-7119	Trust: 0.7
db:	ZDI	id:	ZDI-19-031	Trust: 0.7
db:	BID	id:	106941	Trust: 0.3
db:	IVD	id:	504652DC-FDD7-45B6-8D68-FD077B26FC7E	Trust: 0.2

sources: IVD: 504652dc-fdd7-45b6-8d68-fd077b26fc7e // ZDI: ZDI-19-031 // CNVD: CNVD-2019-45188 // BID: 106941 // JVNDB: JVNDB-2018-014380 // CNNVD: CNNVD-201901-746 // NVD: CVE-2018-7839

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-008-02	Trust: 3.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7839	Trust: 2.0
url:	https://www.schneider-electric.com/en/download/document/sevd-2018-354-03/	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7839	Trust: 0.8
url:	https://www.schneider-electric.com/en/download/document/sevd-2018-354-03/vendor advisory	Trust: 0.6
url:	http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true	Trust: 0.3
url:	https://download.schneider-electric.com/files?p_endoctype=technical+leaflet&p_file_name=sevd-2018-354-03-iiot+monitor+security+notification+-+v1.1.pdf&p_doc_ref=sevd-2018-354-03	Trust: 0.3

sources: ZDI: ZDI-19-031 // CNVD: CNVD-2019-45188 // BID: 106941 // JVNDB: JVNDB-2018-014380 // CNNVD: CNNVD-201901-746 // NVD: CVE-2018-7839

CREDITS

rgod of 9sg Security Team - rgod@9sgsec.com

Trust: 1.3

sources: ZDI: ZDI-19-031 // CNNVD: CNNVD-201901-746

SOURCES

db:	IVD	id:	504652dc-fdd7-45b6-8d68-fd077b26fc7e
db:	ZDI	id:	ZDI-19-031
db:	CNVD	id:	CNVD-2019-45188
db:	BID	id:	106941
db:	JVNDB	id:	JVNDB-2018-014380
db:	CNNVD	id:	CNNVD-201901-746
db:	NVD	id:	CVE-2018-7839

LAST UPDATE DATE

2024-11-23T22:17:10.533000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-19-031	date:	2019-01-16T00:00:00
db:	CNVD	id:	CNVD-2019-45188	date:	2019-12-13T00:00:00
db:	BID	id:	106941	date:	2018-12-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-014380	date:	2019-03-25T00:00:00
db:	CNNVD	id:	CNNVD-201901-746	date:	2019-06-10T00:00:00
db:	NVD	id:	CVE-2018-7839	date:	2024-11-21T04:12:51.377

SOURCES RELEASE DATE

db:	IVD	id:	504652dc-fdd7-45b6-8d68-fd077b26fc7e	date:	2019-12-13T00:00:00
db:	ZDI	id:	ZDI-19-031	date:	2019-01-16T00:00:00
db:	CNVD	id:	CNVD-2019-45188	date:	2019-12-13T00:00:00
db:	BID	id:	106941	date:	2018-12-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-014380	date:	2019-03-19T00:00:00
db:	CNNVD	id:	CNNVD-201901-746	date:	2019-01-21T00:00:00
db:	NVD	id:	CVE-2018-7839	date:	2019-02-06T23:29:00.637