Details of VAR-201812-0344

ID

VAR-201812-0344

CVE

CVE-2018-13813

TITLE

plural SIMATIC Open redirect vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-014526

DESCRIPTION

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15 Update 4), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V15 Update 4), SIMATIC WinCC Runtime Professional (All versions < V15 Update 4), SIMATIC WinCC (TIA Portal) (All versions < V15 Update 4), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The webserver of affected HMI devices may allow URL redirections to untrusted websites. An attacker must trick a valid user who is authenticated to the device into clicking on a malicious link to exploit the vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. plural SIMATIC The product contains an open redirect vulnerability.Information may be obtained and information may be altered. Siemens SIMATIC HMI Comfort Panels are all Germany's Siemens (Siemens) company HMI software for control and monitoring of machines and equipment. The webserver in several Siemens products has an open redirection vulnerability. Siemens SIMATIC Panels is prone to following security vulnerabilities: 1. An open-redirection vulnerability 2. A directory-traversal vulnerability Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application or by constructing a crafted URI and enticing a user to follow it and when an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site

Trust: 2.7

sources: NVD: CVE-2018-13813 // JVNDB: JVNDB-2018-014526 // CNVD: CNVD-2018-24247 // BID: 105922 // IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // VULHUB: VHN-123910

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic wincc \	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi comfort panels	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi comfort outdoor panels	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi mp	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic wincc runtime	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp400f	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900f	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700f	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi op	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic hmi tp	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700	scope:	lte	version:	15.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi comfort outdoor panels	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi comfort panels	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp400f	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700f	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900f	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime professional	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi classic devices	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic hmi comfort outdoor panels 7" & 15" update	scope:	lt	version:	154	Trust: 0.6
vendor:	siemens	model:	simatic hmi comfort panels 4"-22" update	scope:	lt	version:	154	Trust: 0.6
vendor:	siemens	model:	simatic hmi ktp mobile panels update	scope:	lt	version:	154	Trust: 0.6
vendor:	siemens	model:	simatic wincc update	scope:	lt	version:	154	Trust: 0.6
vendor:	siemens	model:	simatic wincc runtime advanced update	scope:	lt	version:	154	Trust: 0.6
vendor:	siemens	model:	simatic wincc runtime professional update	scope:	lt	version:	154	Trust: 0.6
vendor:	simatic wincc runtime	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	siemens	model:	simatic wincc runtime professional	scope:	eq	version:	15	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional sp1	scope:	eq	version:	14	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional	scope:	eq	version:	14	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional sp2	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional sp1 upd2	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional sp update	scope:	eq	version:	1319	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	15	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced sp1 upd2	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced sp1 upd5	scope:	eq	version:	12	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	12	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc update	scope:	eq	version:	v135	Trust: 0.3
vendor:	siemens	model:	simatic wincc sp1	scope:	eq	version:	v12	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v120	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v110	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v15	Trust: 0.3
vendor:	siemens	model:	simatic wincc update	scope:	eq	version:	v136	Trust: 0.3
vendor:	siemens	model:	simatic wincc sp1	scope:	eq	version:	v13	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v13	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v10	Trust: 0.3
vendor:	siemens	model:	simatic hmi ktp mobile panels	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	4	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	22	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	15	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels sp1 upd2	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels sp1 upd5	scope:	eq	version:	12	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	12	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort outdoor panels	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi classic devices	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional update	scope:	ne	version:	154	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced update	scope:	ne	version:	154	Trust: 0.3
vendor:	siemens	model:	simatic wincc update	scope:	ne	version:	154	Trust: 0.3
vendor:	siemens	model:	simatic hmi ktp mobile panels update	scope:	ne	version:	154	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels update	scope:	ne	version:	154	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort outdoor panels update	scope:	ne	version:	154	Trust: 0.3
vendor:	simatic hmi comfort panels	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi mp	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi op	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi comfort outdoor panels	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp400f	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp700	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp700f	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp900	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp900f	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic wincc tia portal	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi tp	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247 // BID: 105922 // JVNDB: JVNDB-2018-014526 // NVD: CVE-2018-13813

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-13813
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-13813
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-24247
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201811-483
value:	HIGH
Trust: 0.6
IVD:	e30112c1-39ab-11e9-9eae-000c29342cb1
value:	HIGH
Trust: 0.2
VULHUB:	VHN-123910
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-13813
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-24247
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e30112c1-39ab-11e9-9eae-000c29342cb1
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-123910
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-13813
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247 // VULHUB: VHN-123910 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483 // NVD: CVE-2018-13813

PROBLEMTYPE DATA

problemtype:

CWE-601

Trust: 1.9

sources: VULHUB: VHN-123910 // JVNDB: JVNDB-2018-014526 // NVD: CVE-2018-13813

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-483

TYPE

Input validation error

Trust: 1.1

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // BID: 105922 // CNNVD: CNNVD-201811-483

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014526

PATCH

title:	SSA-233109	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-233109.pdf	Trust: 0.8
title:	Patch for Multiple Siemens products open redirection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/176377	Trust: 0.6
title:	Multiple Siemens Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86884	Trust: 0.6

sources: CNVD: CNVD-2018-24247 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483

EXTERNAL IDS

db:	NVD	id:	CVE-2018-13813	Trust: 3.6
db:	SIEMENS	id:	SSA-233109	Trust: 2.3
db:	ICS CERT	id:	ICSA-18-317-08	Trust: 2.3
db:	BID	id:	105922	Trust: 2.0
db:	CNNVD	id:	CNNVD-201811-483	Trust: 0.9
db:	CNVD	id:	CNVD-2018-24247	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-014526	Trust: 0.8
db:	IVD	id:	E30112C1-39AB-11E9-9EAE-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-123910	Trust: 0.1

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247 // VULHUB: VHN-123910 // BID: 105922 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483 // NVD: CVE-2018-13813

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-233109.pdf	Trust: 2.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-18-317-08	Trust: 2.3
url:	http://www.securityfocus.com/bid/105922	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13813	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-13813	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3

sources: CNVD: CNVD-2018-24247 // VULHUB: VHN-123910 // BID: 105922 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483 // NVD: CVE-2018-13813

CREDITS

Hosni Tounsi from Carthage Red Team

Trust: 0.3

sources: BID: 105922

SOURCES

db:	IVD	id:	e30112c1-39ab-11e9-9eae-000c29342cb1
db:	CNVD	id:	CNVD-2018-24247
db:	VULHUB	id:	VHN-123910
db:	BID	id:	105922
db:	JVNDB	id:	JVNDB-2018-014526
db:	CNNVD	id:	CNNVD-201811-483
db:	NVD	id:	CVE-2018-13813

LAST UPDATE DATE

2024-08-14T15:12:58.652000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-24247	date:	2019-08-22T00:00:00
db:	VULHUB	id:	VHN-123910	date:	2019-10-09T00:00:00
db:	BID	id:	105922	date:	2018-11-14T00:00:00
db:	JVNDB	id:	JVNDB-2018-014526	date:	2019-03-26T00:00:00
db:	CNNVD	id:	CNNVD-201811-483	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-13813	date:	2019-10-09T23:34:33.607

SOURCES RELEASE DATE

db:	IVD	id:	e30112c1-39ab-11e9-9eae-000c29342cb1	date:	2018-11-29T00:00:00
db:	CNVD	id:	CNVD-2018-24247	date:	2018-11-29T00:00:00
db:	VULHUB	id:	VHN-123910	date:	2018-12-13T00:00:00
db:	BID	id:	105922	date:	2018-11-14T00:00:00
db:	JVNDB	id:	JVNDB-2018-014526	date:	2019-03-26T00:00:00
db:	CNNVD	id:	CNNVD-201811-483	date:	2018-11-15T00:00:00
db:	NVD	id:	CVE-2018-13813	date:	2018-12-13T16:29:00.320