Details of VAR-201906-0899

ID

VAR-201906-0899

CVE

CVE-2018-18878

TITLE

Columbia Weather MicroServer Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-015659

DESCRIPTION

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable. Columbia Weather MicroServer Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. ColumbiaWeatherSystemsWeatherMicroServer is a weather monitoring device from Columbia WeatherSystems, USA. An input validation vulnerability exists in ColumbiaWeatherSystemsWeatherMicroServerMS_2.6.9900 and earlier. A directory traversal vulnerability 2. Multiple cross-site scripting vulnerabilities 3. An authentication bypass vulnerability 4. A remote code-injection vulnerability 5. A denial-of-service vulnerability An attacker may leverage these issues to view arbitrary files within the context of the server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information or cause denial-of-service condition. This may aid in further attacks. The vulnerability stems from the failure of the network system or product to properly validate the input data

Trust: 2.61

sources: NVD: CVE-2018-18878 // JVNDB: JVNDB-2018-015659 // CNVD: CNVD-2019-07786 // BID: 107495 // VULHUB: VHN-129481 // VULMON: CVE-2018-18878

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-07786

AFFECTED PRODUCTS

vendor:	columbiaweather	model:	weather microserver	scope:	eq	version:	ms_2.6.9900	Trust: 1.0
vendor:	columbia weather	model:	microserver	scope:	eq	version:	ms_2.6.9900	Trust: 0.8
vendor:	columbia	model:	weather systems columbia weather systems weather microserver <=ms 2.6.9900	scope:	-	version:	-	Trust: 0.6
vendor:	columbia	model:	weather systems weather microserver ms 2.6.9900	scope:	-	version:	-	Trust: 0.3
vendor:	columbia	model:	weather systems weather microserver ms 2.7.9973	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2019-07786 // BID: 107495 // JVNDB: JVNDB-2018-015659 // NVD: CVE-2018-18878

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-18878
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-18878
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-07786
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201903-639
value:	HIGH
Trust: 0.6
VULHUB:	VHN-129481
value:	HIGH
Trust: 0.1
VULMON:	CVE-2018-18878
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-18878
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-07786
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-129481
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-18878
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-07786 // VULHUB: VHN-129481 // VULMON: CVE-2018-18878 // JVNDB: JVNDB-2018-015659 // CNNVD: CNNVD-201903-639 // NVD: CVE-2018-18878

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-129481 // JVNDB: JVNDB-2018-015659 // NVD: CVE-2018-18878

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-639

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201903-639

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015659

PATCH

title:	Weather MicroServer	url:	https://columbiaweather.com/products/weather-monitoring/microserver/	Trust: 0.8
title:	ColumbiaWeatherSystemsWeatherMicroServer enters patches for verification vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/156831	Trust: 0.6
title:	Columbia Weather Systems Weather MicroServer Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90200	Trust: 0.6

sources: CNVD: CNVD-2019-07786 // JVNDB: JVNDB-2018-015659 // CNNVD: CNNVD-201903-639

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-19-078-02	Trust: 3.5
db:	NVD	id:	CVE-2018-18878	Trust: 3.5
db:	BID	id:	107495	Trust: 1.0
db:	JVNDB	id:	JVNDB-2018-015659	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-639	Trust: 0.7
db:	CNVD	id:	CNVD-2019-07786	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0903	Trust: 0.6
db:	VULHUB	id:	VHN-129481	Trust: 0.1
db:	VULMON	id:	CVE-2018-18878	Trust: 0.1

sources: CNVD: CNVD-2019-07786 // VULHUB: VHN-129481 // VULMON: CVE-2018-18878 // BID: 107495 // JVNDB: JVNDB-2018-015659 // CNNVD: CNNVD-201903-639 // NVD: CVE-2018-18878

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-19-078-02	Trust: 3.6
url:	https://applied-risk.com/labs/advisories	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-18878	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18878	Trust: 0.8
url:	http://www.securityfocus.com/bid/107495	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/77442	Trust: 0.6
url:	https://columbiaweather.com/	Trust: 0.3
url:	https://columbiaweather.com/products/weather-monitoring/microserver/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2019-07786 // VULHUB: VHN-129481 // VULMON: CVE-2018-18878 // BID: 107495 // JVNDB: JVNDB-2018-015659 // CNNVD: CNNVD-201903-639 // NVD: CVE-2018-18878

CREDITS

John Elder and Tom Westenberg of Applied Risk.,John Elder and Tom Westenberg of Applied Risk reported these vulnerabilities to NCCIC.

Trust: 0.6

sources: CNNVD: CNNVD-201903-639

SOURCES

db:	CNVD	id:	CNVD-2019-07786
db:	VULHUB	id:	VHN-129481
db:	VULMON	id:	CVE-2018-18878
db:	BID	id:	107495
db:	JVNDB	id:	JVNDB-2018-015659
db:	CNNVD	id:	CNNVD-201903-639
db:	NVD	id:	CVE-2018-18878

LAST UPDATE DATE

2024-11-23T21:59:50.919000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-07786	date:	2019-03-22T00:00:00
db:	VULHUB	id:	VHN-129481	date:	2019-06-18T00:00:00
db:	VULMON	id:	CVE-2018-18878	date:	2019-06-18T00:00:00
db:	BID	id:	107495	date:	2019-03-19T00:00:00
db:	JVNDB	id:	JVNDB-2018-015659	date:	2019-06-21T00:00:00
db:	CNNVD	id:	CNNVD-201903-639	date:	2019-06-19T00:00:00
db:	NVD	id:	CVE-2018-18878	date:	2024-11-21T03:56:48.423

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-07786	date:	2019-03-22T00:00:00
db:	VULHUB	id:	VHN-129481	date:	2019-06-18T00:00:00
db:	VULMON	id:	CVE-2018-18878	date:	2019-06-18T00:00:00
db:	BID	id:	107495	date:	2019-03-19T00:00:00
db:	JVNDB	id:	JVNDB-2018-015659	date:	2019-06-21T00:00:00
db:	CNNVD	id:	CNNVD-201903-639	date:	2019-03-19T00:00:00
db:	NVD	id:	CVE-2018-18878	date:	2019-06-18T15:15:11.453