ID

VAR-201810-0321


CVE

CVE-2018-0446


TITLE

Cisco Industrial Network Director Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1 // CNVD: CNVD-2018-20671 // CNNVD: CNNVD-201810-174

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Industrial Network Director could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious, customized link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device via a web browser and with the privileges of the user. Cisco Industrial Network Director is an industrial automation management system from Cisco. The system is automated through the visualization of industrial Ethernet infrastructure. This issue is being tracked by Cisco bug ID CSCvk00412.

Trust: 2.7

sources: NVD: CVE-2018-0446 // JVNDB: JVNDB-2018-012998 // CNVD: CNVD-2018-20671 // BID: 105683 // IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1 // VULHUB: VHN-118648

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1 // CNVD: CNVD-2018-20671

AFFECTED PRODUCTS

vendor: cisco, model: network level service, scope: eq, version: 1.5(0.128)

Trust: 1.6

vendor: cisco, model: network level service, scope: -, version: -

Trust: 0.8

vendor: cisco, model: industrial network director, scope: -, version: -

Trust: 0.6

vendor: cisco, model: industrial network director, scope: eq, version: 0

Trust: 0.3

vendor: network level service, model: -, scope: eq, version: 1.5(0.128)

Trust: 0.2

sources: IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1 // CNVD: CNVD-2018-20671 // BID: 105683 // JVNDB: JVNDB-2018-012998 // CNNVD: CNNVD-201810-174 // NVD: CVE-2018-0446

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0446
value: HIGH

Trust: 1.0

NVD: CVE-2018-0446
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-20671
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201810-174
value: HIGH

Trust: 0.6

IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-118648
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0446
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-20671
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-118648
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0446
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1 // CNVD: CNVD-2018-20671 // VULHUB: VHN-118648 // JVNDB: JVNDB-2018-012998 // CNNVD: CNNVD-201810-174 // NVD: CVE-2018-0446

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-118648 // JVNDB: JVNDB-2018-012998 // NVD: CVE-2018-0446

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-174

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201810-174

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012998

PATCH

title: cisco-sa-20181003-ind-csrf
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ind-csrf

Trust: 0.8

title: Patch for Cisco Industrial Network Director Cross-Site Request Forgery Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/141795

Trust: 0.6

title: Cisco Industrial Network Director Fixes for cross-site request forgery vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85388

Trust: 0.6

sources: CNVD: CNVD-2018-20671 // JVNDB: JVNDB-2018-012998 // CNNVD: CNNVD-201810-174

EXTERNAL IDS

db: NVD, id: CVE-2018-0446

Trust: 3.6

db: CNNVD, id: CNNVD-201810-174

Trust: 0.9

db: CNVD, id: CNVD-2018-20671

Trust: 0.8

db: JVNDB, id: JVNDB-2018-012998

Trust: 0.8

db: BID, id: 105683

Trust: 0.3

db: IVD, id: E2FD422E-39AB-11E9-A4A5-000C29342CB1

Trust: 0.2

db: VULHUB, id: VHN-118648

Trust: 0.1

sources: IVD: e2fd422e-39ab-11e9-a4a5-000c29342cb1 // CNVD: CNVD-2018-20671 // VULHUB: VHN-118648 // BID: 105683 // JVNDB: JVNDB-2018-012998 // CNNVD: CNNVD-201810-174 // NVD: CVE-2018-0446

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181003-ind-csrf

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2018-0446

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0446

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: CNVD: CNVD-2018-20671 // VULHUB: VHN-118648 // BID: 105683 // JVNDB: JVNDB-2018-012998 // CNNVD: CNNVD-201810-174 // NVD: CVE-2018-0446

CREDITS

Cisco

Trust: 0.3

sources: BID: 105683

SOURCES

db: IVD, id: e2fd422e-39ab-11e9-a4a5-000c29342cb1
db: CNVD, id: CNVD-2018-20671
db: VULHUB, id: VHN-118648
db: BID, id: 105683
db: JVNDB, id: JVNDB-2018-012998
db: CNNVD, id: CNNVD-201810-174
db: NVD, id: CVE-2018-0446

LAST UPDATE DATE

2024-11-23T22:21:55.238000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-20671, date: 2018-10-12T00:00:00
db: VULHUB, id: VHN-118648, date: 2019-10-09T00:00:00
db: BID, id: 105683, date: 2018-10-03T00:00:00
db: JVNDB, id: JVNDB-2018-012998, date: 2019-02-12T00:00:00
db: CNNVD, id: CNNVD-201810-174, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0446, date: 2024-11-21T03:38:14.890

SOURCES RELEASE DATE

db: IVD, id: e2fd422e-39ab-11e9-a4a5-000c29342cb1, date: 2018-10-12T00:00:00
db: CNVD, id: CNVD-2018-20671, date: 2018-10-11T00:00:00
db: VULHUB, id: VHN-118648, date: 2018-10-05T00:00:00
db: BID, id: 105683, date: 2018-10-03T00:00:00
db: JVNDB, id: JVNDB-2018-012998, date: 2019-02-12T00:00:00
db: CNNVD, id: CNNVD-201810-174, date: 2018-10-08T00:00:00
db: NVD, id: CVE-2018-0446, date: 2018-10-05T14:29:02.700