Details of VAR-201810-0481

ID

VAR-201810-0481

CVE

CVE-2018-17894

TITLE

NUUO CMS Vulnerabilities related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2018-010890

DESCRIPTION

NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access. NUUO CMS Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. An attacker could exploit the vulnerability to gain elevated privileges. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

Trust: 2.61

sources: NVD: CVE-2018-17894 // JVNDB: JVNDB-2018-010890 // CNVD: CNVD-2018-21169 // BID: 105717 // IVD: e2fd904f-39ab-11e9-b5ff-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2fd904f-39ab-11e9-b5ff-000c29342cb1 // CNVD: CNVD-2018-21169

AFFECTED PRODUCTS

vendor:	nuuo	model:	cms	scope:	lte	version:	3.1	Trust: 1.8
vendor:	nuuo	model:	cms	scope:	eq	version:	3.1	Trust: 0.9
vendor:	nuuo	model:	cms	scope:	lte	version:	<=3.1	Trust: 0.6
vendor:	nuuo	model:	cms	scope:	eq	version:	3.0	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.9	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.6	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	1.3.1	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.0	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	ne	version:	3.3.0.18	Trust: 0.3
vendor:	nuuo cms	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e2fd904f-39ab-11e9-b5ff-000c29342cb1 // CNVD: CNVD-2018-21169 // BID: 105717 // JVNDB: JVNDB-2018-010890 // CNNVD: CNNVD-201810-667 // NVD: CVE-2018-17894

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17894
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-17894
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-21169
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201810-667
value:	CRITICAL
Trust: 0.6
IVD:	e2fd904f-39ab-11e9-b5ff-000c29342cb1
value:	CRITICAL
Trust: 0.2

nvd@nist.gov:	CVE-2018-17894
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-21169
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2fd904f-39ab-11e9-b5ff-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2018-17894
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: e2fd904f-39ab-11e9-b5ff-000c29342cb1 // CNVD: CNVD-2018-21169 // JVNDB: JVNDB-2018-010890 // CNNVD: CNNVD-201810-667 // NVD: CVE-2018-17894

PROBLEMTYPE DATA

problemtype:

CWE-798

Trust: 1.8

sources: JVNDB: JVNDB-2018-010890 // NVD: CVE-2018-17894

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 151260 // CNNVD: CNNVD-201810-667

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201810-667

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010890

PATCH

title:	Central Management System	url:	https://www.nuuo.com/ProductNode.php?node=3	Trust: 0.8
title:	NUUO CMS privilege escalation vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/142383	Trust: 0.6
title:	NUUO CMS Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85785	Trust: 0.6

sources: CNVD: CNVD-2018-21169 // JVNDB: JVNDB-2018-010890 // CNNVD: CNNVD-201810-667

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17894	Trust: 3.6
db:	ICS CERT	id:	ICSA-18-284-02	Trust: 3.3
db:	BID	id:	105717	Trust: 1.9
db:	CNVD	id:	CNVD-2018-21169	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-667	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-010890	Trust: 0.8
db:	IVD	id:	E2FD904F-39AB-11E9-B5FF-000C29342CB1	Trust: 0.2
db:	PACKETSTORM	id:	151260	Trust: 0.1

sources: IVD: e2fd904f-39ab-11e9-b5ff-000c29342cb1 // CNVD: CNVD-2018-21169 // BID: 105717 // JVNDB: JVNDB-2018-010890 // PACKETSTORM: 151260 // CNNVD: CNNVD-201810-667 // NVD: CVE-2018-17894

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-284-02	Trust: 3.3
url:	http://www.securityfocus.com/bid/105717	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17894	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17894	Trust: 0.8
url:	http://www.nuuo.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17888	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17890	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17892	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17936	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17934	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-18982	Trust: 0.1

sources: CNVD: CNVD-2018-21169 // BID: 105717 // JVNDB: JVNDB-2018-010890 // PACKETSTORM: 151260 // CNNVD: CNNVD-201810-667 // NVD: CVE-2018-17894

CREDITS

Pedro Ribeiro

Trust: 0.4

sources: BID: 105717 // PACKETSTORM: 151260

SOURCES

db:	IVD	id:	e2fd904f-39ab-11e9-b5ff-000c29342cb1
db:	CNVD	id:	CNVD-2018-21169
db:	BID	id:	105717
db:	JVNDB	id:	JVNDB-2018-010890
db:	PACKETSTORM	id:	151260
db:	CNNVD	id:	CNNVD-201810-667
db:	NVD	id:	CVE-2018-17894

LAST UPDATE DATE

2024-11-23T22:30:16.712000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-21169	date:	2018-10-18T00:00:00
db:	BID	id:	105717	date:	2018-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-010890	date:	2018-12-27T00:00:00
db:	CNNVD	id:	CNNVD-201810-667	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-17894	date:	2024-11-21T03:55:09.397

SOURCES RELEASE DATE

db:	IVD	id:	e2fd904f-39ab-11e9-b5ff-000c29342cb1	date:	2018-10-18T00:00:00
db:	CNVD	id:	CNVD-2018-21169	date:	2018-10-16T00:00:00
db:	BID	id:	105717	date:	2018-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-010890	date:	2018-12-27T00:00:00
db:	PACKETSTORM	id:	151260	date:	2019-01-21T23:02:22
db:	CNNVD	id:	CNNVD-201810-667	date:	2018-10-15T00:00:00
db:	NVD	id:	CVE-2018-17894	date:	2018-10-12T14:29:00.677