Details of VAR-201810-0479

ID

VAR-201810-0479

CVE

CVE-2018-17892

TITLE

NUUO CMS Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-010889

DESCRIPTION

NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution. NUUO CMS Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. A remote attacker could exploit the vulnerability to compromise a user's account and possibly execute code. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

Trust: 2.61

sources: NVD: CVE-2018-17892 // JVNDB: JVNDB-2018-010889 // CNVD: CNVD-2018-21168 // BID: 105717 // IVD: e2fd9050-39ab-11e9-9b21-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2fd9050-39ab-11e9-9b21-000c29342cb1 // CNVD: CNVD-2018-21168

AFFECTED PRODUCTS

vendor:	nuuo	model:	cms	scope:	lte	version:	3.1	Trust: 1.8
vendor:	nuuo	model:	cms	scope:	eq	version:	3.1	Trust: 0.9
vendor:	nuuo	model:	cms	scope:	lte	version:	<=3.1	Trust: 0.8
vendor:	nuuo	model:	cms	scope:	eq	version:	3.0	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.9	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.6	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	1.3.1	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.0	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	ne	version:	3.3.0.18	Trust: 0.3

sources: IVD: e2fd9050-39ab-11e9-9b21-000c29342cb1 // CNVD: CNVD-2018-21168 // BID: 105717 // JVNDB: JVNDB-2018-010889 // CNNVD: CNNVD-201810-666 // NVD: CVE-2018-17892

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17892
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-17892
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-21168
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201810-666
value:	HIGH
Trust: 0.6
IVD:	e2fd9050-39ab-11e9-9b21-000c29342cb1
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2018-17892
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-21168
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2fd9050-39ab-11e9-9b21-000c29342cb1
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2018-17892
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: e2fd9050-39ab-11e9-9b21-000c29342cb1 // CNVD: CNVD-2018-21168 // JVNDB: JVNDB-2018-010889 // CNNVD: CNNVD-201810-666 // NVD: CVE-2018-17892

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-732	Trust: 1.0
problemtype:	CWE-264	Trust: 0.8

sources: JVNDB: JVNDB-2018-010889 // NVD: CVE-2018-17892

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 151260 // CNNVD: CNNVD-201810-666

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201810-666

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010889

PATCH

title:	Central Management System	url:	https://www.nuuo.com/ProductNode.php?node=3	Trust: 0.8
title:	Patch for NUUO CMS Code Execution Vulnerability (CNVD-2018-21168)	url:	https://www.cnvd.org.cn/patchInfo/show/142377	Trust: 0.6
title:	NUUO CMS Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85784	Trust: 0.6

sources: CNVD: CNVD-2018-21168 // JVNDB: JVNDB-2018-010889 // CNNVD: CNNVD-201810-666

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17892	Trust: 3.6
db:	ICS CERT	id:	ICSA-18-284-02	Trust: 3.3
db:	BID	id:	105717	Trust: 1.9
db:	CNVD	id:	CNVD-2018-21168	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-666	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-010889	Trust: 0.8
db:	IVD	id:	E2FD9050-39AB-11E9-9B21-000C29342CB1	Trust: 0.2
db:	PACKETSTORM	id:	151260	Trust: 0.1

sources: IVD: e2fd9050-39ab-11e9-9b21-000c29342cb1 // CNVD: CNVD-2018-21168 // BID: 105717 // JVNDB: JVNDB-2018-010889 // PACKETSTORM: 151260 // CNNVD: CNNVD-201810-666 // NVD: CVE-2018-17892

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-284-02	Trust: 3.3
url:	http://www.securityfocus.com/bid/105717	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17892	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17892	Trust: 0.8
url:	http://www.nuuo.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17888	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17890	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17936	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17934	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17894	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-18982	Trust: 0.1

sources: CNVD: CNVD-2018-21168 // BID: 105717 // JVNDB: JVNDB-2018-010889 // PACKETSTORM: 151260 // CNNVD: CNNVD-201810-666 // NVD: CVE-2018-17892

CREDITS

Pedro Ribeiro

Trust: 0.4

sources: BID: 105717 // PACKETSTORM: 151260

SOURCES

db:	IVD	id:	e2fd9050-39ab-11e9-9b21-000c29342cb1
db:	CNVD	id:	CNVD-2018-21168
db:	BID	id:	105717
db:	JVNDB	id:	JVNDB-2018-010889
db:	PACKETSTORM	id:	151260
db:	CNNVD	id:	CNNVD-201810-666
db:	NVD	id:	CVE-2018-17892

LAST UPDATE DATE

2024-11-23T22:30:12.948000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-21168	date:	2018-10-18T00:00:00
db:	BID	id:	105717	date:	2018-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-010889	date:	2018-12-27T00:00:00
db:	CNNVD	id:	CNNVD-201810-666	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-17892	date:	2024-11-21T03:55:09.143

SOURCES RELEASE DATE

db:	IVD	id:	e2fd9050-39ab-11e9-9b21-000c29342cb1	date:	2018-10-18T00:00:00
db:	CNVD	id:	CNVD-2018-21168	date:	2018-10-16T00:00:00
db:	BID	id:	105717	date:	2018-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-010889	date:	2018-12-27T00:00:00
db:	PACKETSTORM	id:	151260	date:	2019-01-21T23:02:22
db:	CNNVD	id:	CNNVD-201810-666	date:	2018-10-15T00:00:00
db:	NVD	id:	CVE-2018-17892	date:	2018-10-12T14:29:00.520