Details of VAR-201808-0962

ID

VAR-201808-0962

CVE

CVE-2018-7790

TITLE

Schneider Electric Modicon M221 Vulnerability in information management

Trust: 0.8

sources: JVNDB: JVNDB-2018-010010

DESCRIPTION

An Information Management Error vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to replay authentication sequences. If an attacker exploits this vulnerability and connects to a Modicon M221, the attacker can upload the original program from the PLC. Schneider Electric Modicon M221 Contains information management vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Modicon M221 is a logic controller from Schneider Electric. Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks

Trust: 2.79

sources: NVD: CVE-2018-7790 // JVNDB: JVNDB-2018-010010 // CNVD: CNVD-2019-06189 // BID: 105182 // IVD: 49145ed1-5915-4f3a-bcbd-df38b5f91bb0 // VULHUB: VHN-137822 // VULMON: CVE-2018-7790

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 49145ed1-5915-4f3a-bcbd-df38b5f91bb0 // CNVD: CNVD-2019-06189

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon m221	scope:	lt	version:	1.6.2.0	Trust: 1.8
vendor:	schneider	model:	electric modicon m221	scope:	lt	version:	1.6.2.0	Trust: 0.6
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	1.1.1.5	Trust: 0.6
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	1.5.0.1	Trust: 0.3
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	1.5.0.0	Trust: 0.3
vendor:	schneider electric	model:	modicon m221	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	modicon m221	scope:	ne	version:	1.6.2.0	Trust: 0.3
vendor:	modicon m221	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 49145ed1-5915-4f3a-bcbd-df38b5f91bb0 // CNVD: CNVD-2019-06189 // BID: 105182 // JVNDB: JVNDB-2018-010010 // CNNVD: CNNVD-201808-907 // NVD: CVE-2018-7790

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7790
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-7790
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-06189
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201808-907
value:	CRITICAL
Trust: 0.6
IVD:	49145ed1-5915-4f3a-bcbd-df38b5f91bb0
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-137822
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-7790
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-7790
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2018-7790
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9
CNVD:	CNVD-2019-06189
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	49145ed1-5915-4f3a-bcbd-df38b5f91bb0
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-137822
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-7790
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-7790
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 49145ed1-5915-4f3a-bcbd-df38b5f91bb0 // CNVD: CNVD-2019-06189 // VULHUB: VHN-137822 // VULMON: CVE-2018-7790 // JVNDB: JVNDB-2018-010010 // CNNVD: CNNVD-201808-907 // NVD: CVE-2018-7790

PROBLEMTYPE DATA

problemtype:	CWE-294	Trust: 1.1
problemtype:	CWE-199	Trust: 0.9

sources: VULHUB: VHN-137822 // JVNDB: JVNDB-2018-010010 // NVD: CVE-2018-7790

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-907

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201808-907

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010010

PATCH

title:	SEVD-2018-235-01	url:	https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-235-01-Modicon-M221.pdf&p_Doc_Ref=SEVD-2018-235-01	Trust: 0.8
title:	SchneiderElectricModiconM221 Certification Sequence Replay Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/155255	Trust: 0.6
title:	Schneider Electric Modicon M221 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100300	Trust: 0.6
title:	CVE-2018-7790	url:	https://github.com/AlAIAL90/CVE-2018-7790	Trust: 0.1

sources: CNVD: CNVD-2019-06189 // VULMON: CVE-2018-7790 // JVNDB: JVNDB-2018-010010 // CNNVD: CNNVD-201808-907

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7790	Trust: 3.7
db:	BID	id:	105182	Trust: 2.1
db:	ICS CERT	id:	ICSA-18-240-01	Trust: 1.8
db:	SCHNEIDER	id:	SEVD-2018-235-01	Trust: 1.8
db:	CNVD	id:	CNVD-2019-06189	Trust: 0.8
db:	CNNVD	id:	CNNVD-201808-907	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-010010	Trust: 0.8
db:	IVD	id:	49145ED1-5915-4F3A-BCBD-DF38B5F91BB0	Trust: 0.2
db:	VULHUB	id:	VHN-137822	Trust: 0.1
db:	VULMON	id:	CVE-2018-7790	Trust: 0.1

sources: IVD: 49145ed1-5915-4f3a-bcbd-df38b5f91bb0 // CNVD: CNVD-2019-06189 // VULHUB: VHN-137822 // VULMON: CVE-2018-7790 // BID: 105182 // JVNDB: JVNDB-2018-010010 // CNNVD: CNNVD-201808-907 // NVD: CVE-2018-7790

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-240-01	Trust: 1.8
url:	http://www.securityfocus.com/bid/105182	Trust: 1.8
url:	https://www.schneider-electric.com/en/download/document/sevd-2018-235-01/	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7790	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7790	Trust: 0.8
url:	http://www.schneider-electric.com/products/ww/en/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/294.html	Trust: 0.1
url:	https://github.com/alaial90/cve-2018-7790	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2019-06189 // VULHUB: VHN-137822 // VULMON: CVE-2018-7790 // BID: 105182 // JVNDB: JVNDB-2018-010010 // CNNVD: CNNVD-201808-907 // NVD: CVE-2018-7790

CREDITS

Irfan Ahmed, Sushma Kalle, and Nehal Ameen of the University of New Orleans, Hyunguk Yoo

Trust: 0.6

sources: CNNVD: CNNVD-201808-907

SOURCES

db:	IVD	id:	49145ed1-5915-4f3a-bcbd-df38b5f91bb0
db:	CNVD	id:	CNVD-2019-06189
db:	VULHUB	id:	VHN-137822
db:	VULMON	id:	CVE-2018-7790
db:	BID	id:	105182
db:	JVNDB	id:	JVNDB-2018-010010
db:	CNNVD	id:	CNNVD-201808-907
db:	NVD	id:	CVE-2018-7790

LAST UPDATE DATE

2024-11-23T21:52:51.061000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-06189	date:	2019-03-06T00:00:00
db:	VULHUB	id:	VHN-137822	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2018-7790	date:	2021-08-19T00:00:00
db:	BID	id:	105182	date:	2018-08-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-010010	date:	2019-01-08T00:00:00
db:	CNNVD	id:	CNNVD-201808-907	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2018-7790	date:	2024-11-21T04:12:44.423

SOURCES RELEASE DATE

db:	IVD	id:	49145ed1-5915-4f3a-bcbd-df38b5f91bb0	date:	2019-03-06T00:00:00
db:	CNVD	id:	CNVD-2019-06189	date:	2019-03-06T00:00:00
db:	VULHUB	id:	VHN-137822	date:	2018-08-29T00:00:00
db:	VULMON	id:	CVE-2018-7790	date:	2018-08-29T00:00:00
db:	BID	id:	105182	date:	2018-08-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-010010	date:	2018-12-04T00:00:00
db:	CNNVD	id:	CNNVD-201808-907	date:	2018-08-29T00:00:00
db:	NVD	id:	CVE-2018-7790	date:	2018-08-29T21:29:01.070