ID

VAR-201812-0344


CVE

CVE-2018-13813


TITLE

plural SIMATIC Open redirect vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-014526

DESCRIPTION

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15 Update 4), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V15 Update 4), SIMATIC WinCC Runtime Professional (All versions < V15 Update 4), SIMATIC WinCC (TIA Portal) (All versions < V15 Update 4), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The webserver of affected HMI devices may allow URL redirections to untrusted websites. An attacker must trick a valid user who is authenticated to the device into clicking on a malicious link to exploit the vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. plural SIMATIC The product contains an open redirect vulnerability.Information may be obtained and information may be altered. Siemens SIMATIC HMI Comfort Panels are all Germany's Siemens (Siemens) company HMI software for control and monitoring of machines and equipment. The webserver in several Siemens products has an open redirection vulnerability. Siemens SIMATIC Panels is prone to following security vulnerabilities: 1. An open-redirection vulnerability 2. A directory-traversal vulnerability Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application or by constructing a crafted URI and enticing a user to follow it and when an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site

Trust: 2.7

sources: NVD: CVE-2018-13813 // JVNDB: JVNDB-2018-014526 // CNVD: CNVD-2018-24247 // BID: 105922 // IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // VULHUB: VHN-123910

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247

AFFECTED PRODUCTS

vendor:siemensmodel:simatic wincc \scope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900scope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi comfort panelsscope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi comfort outdoor panelsscope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi mpscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic wincc runtimescope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp400fscope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900fscope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700fscope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi opscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic hmi tpscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700scope:lteversion:15.0

Trust: 1.0

vendor:siemensmodel:simatic hmi comfort outdoor panelsscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi comfort panelsscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp400fscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700scope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700fscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900scope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900fscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic winccscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic wincc runtime advancedscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic wincc runtime professionalscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi classic devicesscope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic hmi comfort outdoor panels 7" & 15" updatescope:ltversion:154

Trust: 0.6

vendor:siemensmodel:simatic hmi comfort panels 4"-22" updatescope:ltversion:154

Trust: 0.6

vendor:siemensmodel:simatic hmi ktp mobile panels updatescope:ltversion:154

Trust: 0.6

vendor:siemensmodel:simatic wincc updatescope:ltversion:154

Trust: 0.6

vendor:siemensmodel:simatic wincc runtime advanced updatescope:ltversion:154

Trust: 0.6

vendor:siemensmodel:simatic wincc runtime professional updatescope:ltversion:154

Trust: 0.6

vendor:simatic wincc runtimemodel: - scope:eqversion:*

Trust: 0.4

vendor:siemensmodel:simatic wincc runtime professionalscope:eqversion:15

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professional sp1scope:eqversion:14

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professionalscope:eqversion:14

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professional sp2scope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professional sp1 upd2scope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professional sp updatescope:eqversion:1319

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professionalscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:15

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advanced sp1 upd2scope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advanced sp1 upd5scope:eqversion:12

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:12

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic wincc updatescope:eqversion:v135

Trust: 0.3

vendor:siemensmodel:simatic wincc sp1scope:eqversion:v12

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v120

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v110

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v15

Trust: 0.3

vendor:siemensmodel:simatic wincc updatescope:eqversion:v136

Trust: 0.3

vendor:siemensmodel:simatic wincc sp1scope:eqversion:v13

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v13

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v10

Trust: 0.3

vendor:siemensmodel:simatic hmi ktp mobile panelsscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:4

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:22

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:15

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panels sp1 upd2scope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panels sp1 upd5scope:eqversion:12

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:12

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort outdoor panelsscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic hmi classic devicesscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professional updatescope:neversion:154

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advanced updatescope:neversion:154

Trust: 0.3

vendor:siemensmodel:simatic wincc updatescope:neversion:154

Trust: 0.3

vendor:siemensmodel:simatic hmi ktp mobile panels updatescope:neversion:154

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panels updatescope:neversion:154

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort outdoor panels updatescope:neversion:154

Trust: 0.3

vendor:simatic hmi comfort panelsmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi mpmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi opmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi comfort outdoor panelsmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp400fmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp700model: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp700fmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp900model: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp900fmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic wincc tia portalmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi tpmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247 // BID: 105922 // JVNDB: JVNDB-2018-014526 // NVD: CVE-2018-13813

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13813
value: HIGH

Trust: 1.0

NVD: CVE-2018-13813
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-24247
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201811-483
value: HIGH

Trust: 0.6

IVD: e30112c1-39ab-11e9-9eae-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-123910
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-13813
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-24247
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e30112c1-39ab-11e9-9eae-000c29342cb1
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-123910
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13813
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247 // VULHUB: VHN-123910 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483 // NVD: CVE-2018-13813

PROBLEMTYPE DATA

problemtype:CWE-601

Trust: 1.9

sources: VULHUB: VHN-123910 // JVNDB: JVNDB-2018-014526 // NVD: CVE-2018-13813

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-483

TYPE

Input validation error

Trust: 1.1

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // BID: 105922 // CNNVD: CNNVD-201811-483

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014526

PATCH

title:SSA-233109url:https://cert-portal.siemens.com/productcert/pdf/ssa-233109.pdf

Trust: 0.8

title:Patch for Multiple Siemens products open redirection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/176377

Trust: 0.6

title:Multiple Siemens Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86884

Trust: 0.6

sources: CNVD: CNVD-2018-24247 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483

EXTERNAL IDS

db:NVDid:CVE-2018-13813

Trust: 3.6

db:SIEMENSid:SSA-233109

Trust: 2.3

db:ICS CERTid:ICSA-18-317-08

Trust: 2.3

db:BIDid:105922

Trust: 2.0

db:CNNVDid:CNNVD-201811-483

Trust: 0.9

db:CNVDid:CNVD-2018-24247

Trust: 0.8

db:JVNDBid:JVNDB-2018-014526

Trust: 0.8

db:IVDid:E30112C1-39AB-11E9-9EAE-000C29342CB1

Trust: 0.2

db:VULHUBid:VHN-123910

Trust: 0.1

sources: IVD: e30112c1-39ab-11e9-9eae-000c29342cb1 // CNVD: CNVD-2018-24247 // VULHUB: VHN-123910 // BID: 105922 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483 // NVD: CVE-2018-13813

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-233109.pdf

Trust: 2.3

url:https://ics-cert.us-cert.gov/advisories/icsa-18-317-08

Trust: 2.3

url:http://www.securityfocus.com/bid/105922

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13813

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-13813

Trust: 0.8

url:http://subscriber.communications.siemens.com/

Trust: 0.3

sources: CNVD: CNVD-2018-24247 // VULHUB: VHN-123910 // BID: 105922 // JVNDB: JVNDB-2018-014526 // CNNVD: CNNVD-201811-483 // NVD: CVE-2018-13813

CREDITS

Hosni Tounsi from Carthage Red Team

Trust: 0.3

sources: BID: 105922

SOURCES

db:IVDid:e30112c1-39ab-11e9-9eae-000c29342cb1
db:CNVDid:CNVD-2018-24247
db:VULHUBid:VHN-123910
db:BIDid:105922
db:JVNDBid:JVNDB-2018-014526
db:CNNVDid:CNNVD-201811-483
db:NVDid:CVE-2018-13813

LAST UPDATE DATE

2024-08-14T15:12:58.652000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-24247date:2019-08-22T00:00:00
db:VULHUBid:VHN-123910date:2019-10-09T00:00:00
db:BIDid:105922date:2018-11-14T00:00:00
db:JVNDBid:JVNDB-2018-014526date:2019-03-26T00:00:00
db:CNNVDid:CNNVD-201811-483date:2019-10-17T00:00:00
db:NVDid:CVE-2018-13813date:2019-10-09T23:34:33.607

SOURCES RELEASE DATE

db:IVDid:e30112c1-39ab-11e9-9eae-000c29342cb1date:2018-11-29T00:00:00
db:CNVDid:CNVD-2018-24247date:2018-11-29T00:00:00
db:VULHUBid:VHN-123910date:2018-12-13T00:00:00
db:BIDid:105922date:2018-11-14T00:00:00
db:JVNDBid:JVNDB-2018-014526date:2019-03-26T00:00:00
db:CNNVDid:CNNVD-201811-483date:2018-11-15T00:00:00
db:NVDid:CVE-2018-13813date:2018-12-13T16:29:00.320