Sign-up

ID

VAR-201805-0501


CVE

CVE-2018-0270


TITLE

Cisco IoT Field Network Director Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-10006 // CNNVD: CNNVD-201805-632

DESCRIPTION

A vulnerability in the web-based management interface of Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and alter the data of existing users and groups on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could create a new, privileged account to obtain full control over the device interface. This vulnerability affects Connected Grid Network Management System, if running a software release prior to IoT-FND Release 3.0; and IoT Field Network Director, if running a software release prior to IoT-FND Release 4.1.1-6 or 4.2.0-123. Cisco Bug IDs: CSCvi02448. Vendors have confirmed this vulnerability Bug ID CSCvi02448 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The system has functions such as equipment management, asset tracking and intelligent metering. Other attacks are also possible

Trust: 3.15

sources: NVD: CVE-2018-0270 // JVNDB: JVNDB-2018-005155 // CNVD: CNVD-2018-10006 // CNNVD: CNNVD-201805-632 // BID: 104242 // VULHUB: VHN-118472 // VULMON: CVE-2018-0270

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-10006

AFFECTED PRODUCTS

vendor:ciscomodel:iot field network directorscope:eqversion:4.2\(0.4\)

Trust: 1.6

vendor:ciscomodel:iot field network directorscope: - version: -

Trust: 1.4

vendor:ciscomodel:iot field network directorscope:eqversion:4.1

Trust: 0.3

vendor:ciscomodel:iot field network directorscope:neversion:4.2.0-123

Trust: 0.3

vendor:ciscomodel:iot field network directorscope:neversion:4.1.1-6

Trust: 0.3

vendor:ciscomodel:iot field network directorscope:neversion:3.0

Trust: 0.3

sources: CNVD: CNVD-2018-10006 // BID: 104242 // JVNDB: JVNDB-2018-005155 // CNNVD: CNNVD-201805-632 // NVD: CVE-2018-0270

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0270
value: HIGH

Trust: 1.0

NVD: CVE-2018-0270
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-10006
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201805-632
value: HIGH

Trust: 0.6

VULHUB: VHN-118472
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-0270
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0270
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-10006
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-118472
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0270
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-10006 // VULHUB: VHN-118472 // VULMON: CVE-2018-0270 // JVNDB: JVNDB-2018-005155 // CNNVD: CNNVD-201805-632 // NVD: CVE-2018-0270

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-118472 // JVNDB: JVNDB-2018-005155 // NVD: CVE-2018-0270

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-632

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201805-632

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-005155

PATCH
title:cisco-sa-20180516-fndurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-fnd
Trust: 0.8
title:Patch for Cisco IoT Field Network Director Cross-Site Request Forgery Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/129699
Trust: 0.6
title:Cisco IoT Field Network Director Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83556
Trust: 0.6
title:Cisco: Cisco IoT Field Network Director Cross-Site Request Forgery Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20180516-fnd
Trust: 0.1
title:Threatposturl:https://threatpost.com/cisco-warns-of-three-critical-bugs-in-digital-network-architecture-platform/132057/
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-10006 // 
            
            
            
            VULMON: CVE-2018-0270 // 
            
            
            
            JVNDB: JVNDB-2018-005155 // 
            
            
            
            CNNVD: CNNVD-201805-632

EXTERNAL IDS
db:NVDid:CVE-2018-0270
Trust: 3.5
db:BIDid:104242
Trust: 2.1
db:JVNDBid:JVNDB-2018-005155
Trust: 0.8
db:CNNVDid:CNNVD-201805-632
Trust: 0.7
db:CNVDid:CNVD-2018-10006
Trust: 0.6
db:VULHUBid:VHN-118472
Trust: 0.1
db:VULMONid:CVE-2018-0270
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-10006 // 
            
            
            
            VULHUB: VHN-118472 // 
            
            
            
            VULMON: CVE-2018-0270 // 
            
            
            
            BID: 104242 // 
            
            
            
            JVNDB: JVNDB-2018-005155 // 
            
            
            
            CNNVD: CNNVD-201805-632 // 
            
            
            
            NVD: CVE-2018-0270

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180516-fnd
Trust: 2.8
url:http://www.securityfocus.com/bid/104242
Trust: 1.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0270
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0270
Trust: 0.8
url:http://www.cisco.com
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/352.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://threatpost.com/cisco-warns-of-three-critical-bugs-in-digital-network-architecture-platform/132057/
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-10006 // 
            
            
            
            VULHUB: VHN-118472 // 
            
            
            
            VULMON: CVE-2018-0270 // 
            
            
            
            BID: 104242 // 
            
            
            
            JVNDB: JVNDB-2018-005155 // 
            
            
            
            CNNVD: CNNVD-201805-632 // 
            
            
            
            NVD: CVE-2018-0270

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 104242

SOURCES
db:CNVDid:CNVD-2018-10006
db:VULHUBid:VHN-118472
db:VULMONid:CVE-2018-0270
db:BIDid:104242
db:JVNDBid:JVNDB-2018-005155
db:CNNVDid:CNNVD-201805-632
db:NVDid:CVE-2018-0270

LAST UPDATE DATE
2024-11-23T22:52:05.393000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-10006date:2018-05-22T00:00:00
db:VULHUBid:VHN-118472date:2019-10-09T00:00:00
db:VULMONid:CVE-2018-0270date:2019-10-09T00:00:00
db:BIDid:104242date:2018-05-16T00:00:00
db:JVNDBid:JVNDB-2018-005155date:2018-07-09T00:00:00
db:CNNVDid:CNNVD-201805-632date:2019-10-17T00:00:00
db:NVDid:CVE-2018-0270date:2024-11-21T03:37:51.163

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-10006date:2018-05-22T00:00:00
db:VULHUBid:VHN-118472date:2018-05-17T00:00:00
db:VULMONid:CVE-2018-0270date:2018-05-17T00:00:00
db:BIDid:104242date:2018-05-16T00:00:00
db:JVNDBid:JVNDB-2018-005155date:2018-07-09T00:00:00
db:CNNVDid:CNNVD-201805-632date:2018-05-18T00:00:00
db:NVDid:CVE-2018-0270date:2018-05-17T03:29:00.310