ID

VAR-201905-0771


CVE

CVE-2018-11691


TITLE

Vulnerability related to the use of hard-coded credentials in Emerson VE6046 devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-015441

DESCRIPTION

The Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches' management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson's Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change the password using the tool. The Emerson VE6046 device contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Emerson DeltaV Distributed Control System is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Emerson Electric VE6046 is an intelligent switch made by Emerson Electric in the United States. A trust management issue vulnerability exists in Emerson Electric VE6046 version 09.0.12. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords, hard-coded passwords, hard-coded certificates, etc. to attack affected components.

Trust: 2.07

sources: NVD: CVE-2018-11691 // JVNDB: JVNDB-2018-015441 // BID: 109110 // VULHUB: VHN-121576 // VULMON: CVE-2018-11691

AFFECTED PRODUCTS

vendor: emerson | model: ve6046 | scope: eq | version: 09.0.12

Trust: 1.8

vendor: emerson | model: deltav distributed control system | scope: eq | version: 12.3

Trust: 0.3

vendor: emerson | model: deltav distributed control system | scope: eq | version: 11.3

Trust: 0.3

sources: BID: 109110 // JVNDB: JVNDB-2018-015441 // NVD: CVE-2018-11691

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-11691
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-11691
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201905-587
value: CRITICAL

Trust: 0.6

VULHUB: VHN-121576
value: HIGH

Trust: 0.1

VULMON: CVE-2018-11691
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-11691
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-121576
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-11691
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-121576 // VULMON: CVE-2018-11691 // JVNDB: JVNDB-2018-015441 // CNNVD: CNNVD-201905-587 // NVD: CVE-2018-11691

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-121576 // JVNDB: JVNDB-2018-015441 // NVD: CVE-2018-11691

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-587

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201905-587

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015441

PATCH

title: DeltaV Smart Switches | url: http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf

Trust: 0.8

title: Automation Solutions | url: http://www.emerson.com/en-us/automation-solutions

Trust: 0.8

title: DeltaV Smart Switches | url: http://www.emerson.com/en-us/catalog/deltav-deltav-smart-switches

Trust: 0.8

sources: JVNDB: JVNDB-2018-015441

EXTERNAL IDS

db: NVD | id: CVE-2018-11691

Trust: 2.9

db: ICS CERT | id: ICSA-19-190-01

Trust: 2.9

db: BID | id: 109110

Trust: 2.1

db: JVNDB | id: JVNDB-2018-015441

Trust: 0.8

db: CNNVD | id: CNNVD-201905-587

Trust: 0.7

db: AUSCERT | id: ESB-2019.2521

Trust: 0.6

db: VULHUB | id: VHN-121576

Trust: 0.1

db: VULMON | id: CVE-2018-11691

Trust: 0.1

sources: VULHUB: VHN-121576 // VULMON: CVE-2018-11691 // BID: 109110 // JVNDB: JVNDB-2018-015441 // CNNVD: CNNVD-201905-587 // NVD: CVE-2018-11691

REFERENCES

url: https://www.us-cert.gov/ics/advisories/icsa-19-190-01

Trust: 2.9

url: http://www.securityfocus.com/bid/109110

Trust: 2.5

url: http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-11691

Trust: 1.4

url: http://emerson.com

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11691

Trust: 0.8

url: http://www.emerson.com/en-us/catalog/deltav-deltav-smart-switches

Trust: 0.6

url: http://www.emerson.com/en-us/automation-solutions

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.2521/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/798.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-121576 // VULMON: CVE-2018-11691 // BID: 109110 // JVNDB: JVNDB-2018-015441 // CNNVD: CNNVD-201905-587 // NVD: CVE-2018-11691

CREDITS

Benjamin Crosasso of Sanofi

Trust: 0.9

sources: BID: 109110 // CNNVD: CNNVD-201905-587

SOURCES

db: VULHUB | id: VHN-121576
db: VULMON | id: CVE-2018-11691
db: BID | id: 109110
db: JVNDB | id: JVNDB-2018-015441
db: CNNVD | id: CNNVD-201905-587
db: NVD | id: CVE-2018-11691

LAST UPDATE DATE

2024-11-23T22:51:48.911000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-121576 | date: 2020-02-10T00:00:00
db: VULMON | id: CVE-2018-11691 | date: 2020-02-10T00:00:00
db: BID | id: 109110 | date: 2019-07-09T00:00:00
db: JVNDB | id: JVNDB-2018-015441 | date: 2019-07-10T00:00:00
db: CNNVD | id: CNNVD-201905-587 | date: 2020-02-12T00:00:00
db: NVD | id: CVE-2018-11691 | date: 2024-11-21T03:43:50.057

SOURCES RELEASE DATE

db: VULHUB | id: VHN-121576 | date: 2019-05-14T00:00:00
db: VULMON | id: CVE-2018-11691 | date: 2019-05-14T00:00:00
db: BID | id: 109110 | date: 2019-07-09T00:00:00
db: JVNDB | id: JVNDB-2018-015441 | date: 2019-06-04T00:00:00
db: CNNVD | id: CNNVD-201905-587 | date: 2019-05-14T00:00:00
db: NVD | id: CVE-2018-11691 | date: 2019-05-14T16:29:01.360