Details of VAR-201905-1024

ID

VAR-201905-1024

CVE

CVE-2018-7822

TITLE

SoMachine Basic and Modicon M221 Permissions vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-015486

DESCRIPTION

An Incorrect Default Permissions (CWE-276) vulnerability exists in SoMachine Basic, all versions, and Modicon M221(all references, all versions prior to firmware V1.10.0.0) which could cause unauthorized access to SoMachine Basic resource files when logged on the system hosting SoMachine Basic. SoMachine Basic and Modicon M221 Contains a permission vulnerability.Information may be obtained. Schneider Electric SoMachine Basic and Schneider Electric Modicon M221 are both products of Schneider Electric. Schneider Electric SoMachine Basic is a software for logic controller programming. Schneider Electric Modicon M221 is a programmable logic controller. Schneider Electric SoMachine Basic and Schneider Electric Modicon M221 have an authorization issue vulnerability

Trust: 2.43

sources: NVD: CVE-2018-7822 // JVNDB: JVNDB-2018-015486 // CNVD: CNVD-2019-45191 // IVD: 30fee716-90fd-423a-8db4-6a253e5e76b4 // VULHUB: VHN-137854

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 30fee716-90fd-423a-8db4-6a253e5e76b4 // CNVD: CNVD-2019-45191

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon m221	scope:	lt	version:	1.10.0.0	Trust: 1.8
vendor:	schneider electric	model:	somachine basic	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	somachine basic	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon m221	scope:	lt	version:	v1.10.0.0	Trust: 0.6
vendor:	schneider	model:	electric somachine basic	scope:	-	version:	-	Trust: 0.6
vendor:	somachine basic	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	modicon m221	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 30fee716-90fd-423a-8db4-6a253e5e76b4 // CNVD: CNVD-2019-45191 // JVNDB: JVNDB-2018-015486 // NVD: CVE-2018-7822

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7822
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-7822
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-45191
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201905-906
value:	MEDIUM
Trust: 0.6
IVD:	30fee716-90fd-423a-8db4-6a253e5e76b4
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-137854
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2018-7822
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-45191
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	30fee716-90fd-423a-8db4-6a253e5e76b4
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-137854
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-7822
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2018-7822
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 30fee716-90fd-423a-8db4-6a253e5e76b4 // CNVD: CNVD-2019-45191 // VULHUB: VHN-137854 // JVNDB: JVNDB-2018-015486 // CNNVD: CNNVD-201905-906 // NVD: CVE-2018-7822

PROBLEMTYPE DATA

problemtype:	CWE-276	Trust: 1.1
problemtype:	CWE-275	Trust: 0.9

sources: VULHUB: VHN-137854 // JVNDB: JVNDB-2018-015486 // NVD: CVE-2018-7822

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201905-906

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201905-906

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015486

PATCH

title:	SEVD-2019-045-01	url:	https://www.schneider-electric.com/en/download/document/SEVD-2019-045-01/	Trust: 0.8
title:	Patch for Schneider Electric SoMachine Basic and Schneider Electric Modicon M221 Licensing Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/194043	Trust: 0.6
title:	Schneider Electric SoMachine Basic and Schneider Electric Modicon M221 Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92884	Trust: 0.6

sources: CNVD: CNVD-2019-45191 // JVNDB: JVNDB-2018-015486 // CNNVD: CNNVD-201905-906

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7822	Trust: 3.3
db:	SCHNEIDER	id:	SEVD-2019-045-01	Trust: 1.7
db:	CNNVD	id:	CNNVD-201905-906	Trust: 0.9
db:	CNVD	id:	CNVD-2019-45191	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-015486	Trust: 0.8
db:	IVD	id:	30FEE716-90FD-423A-8DB4-6A253E5E76B4	Trust: 0.2
db:	VULHUB	id:	VHN-137854	Trust: 0.1

sources: IVD: 30fee716-90fd-423a-8db4-6a253e5e76b4 // CNVD: CNVD-2019-45191 // VULHUB: VHN-137854 // JVNDB: JVNDB-2018-015486 // CNNVD: CNNVD-201905-906 // NVD: CVE-2018-7822

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2018-7822	Trust: 2.0
url:	https://www.schneider-electric.com/en/download/document/sevd-2019-045-01/	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7822	Trust: 0.8

sources: CNVD: CNVD-2019-45191 // VULHUB: VHN-137854 // JVNDB: JVNDB-2018-015486 // CNNVD: CNNVD-201905-906 // NVD: CVE-2018-7822

SOURCES

db:	IVD	id:	30fee716-90fd-423a-8db4-6a253e5e76b4
db:	CNVD	id:	CNVD-2019-45191
db:	VULHUB	id:	VHN-137854
db:	JVNDB	id:	JVNDB-2018-015486
db:	CNNVD	id:	CNNVD-201905-906
db:	NVD	id:	CVE-2018-7822

LAST UPDATE DATE

2024-11-23T22:12:01.296000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-45191	date:	2019-12-13T00:00:00
db:	VULHUB	id:	VHN-137854	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2018-015486	date:	2019-06-07T00:00:00
db:	CNNVD	id:	CNNVD-201905-906	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2018-7822	date:	2024-11-21T04:12:47.653

SOURCES RELEASE DATE

db:	IVD	id:	30fee716-90fd-423a-8db4-6a253e5e76b4	date:	2019-12-13T00:00:00
db:	CNVD	id:	CNVD-2019-45191	date:	2019-12-13T00:00:00
db:	VULHUB	id:	VHN-137854	date:	2019-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2018-015486	date:	2019-06-07T00:00:00
db:	CNNVD	id:	CNNVD-201905-906	date:	2019-05-22T00:00:00
db:	NVD	id:	CVE-2018-7822	date:	2019-05-22T20:29:01.073