Details of VAR-201812-0345

ID

VAR-201812-0345

CVE

CVE-2018-13814

TITLE

Siemens SIMATIC Panels and SIMATIC WinCC code injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-25432 // CNNVD: CNNVD-201811-488

DESCRIPTION

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V14), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V14), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V14), SIMATIC WinCC Runtime Advanced (All versions < V14), SIMATIC WinCC Runtime Professional (All versions < V14), SIMATIC WinCC (TIA Portal) (All versions < V14), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The integrated web server (port 80/tcp and port 443/tcp) of the affected devices could allow an attacker to inject HTTP headers. An attacker must trick a valid user who is authenticated to the device into clicking on a malicious link to exploit the vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. plural SIMATIC The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal) are products of Siemens AG, Germany. Siemens SIMATIC Panels is a human interface panel. SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system. A code injection vulnerability exists in Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal), which can be exploited by an attacker to inject HTTP headers with malicious links. Multiple Siemens Products are prone to an HTTP header-injection vulnerability because it fails to sufficiently sanitize user input. This may aid in further attacks

Trust: 2.7

sources: NVD: CVE-2018-13814 // JVNDB: JVNDB-2018-014527 // CNVD: CNVD-2018-25432 // BID: 105931 // IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // VULHUB: VHN-123911

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic hmi op	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700f	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi mp	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic hmi tp	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp400f	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900f	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic wincc \	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic wincc runtime	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi comfort panels	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi comfort outdoor panels	scope:	lt	version:	14.0	Trust: 1.0
vendor:	siemens	model:	simatic hmi comfort outdoor panels	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi comfort panels	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp400f	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp700f	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi ktp mobile panels ktp900f	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime professional	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic hmi comfort panels 4" 22"	scope:	eq	version:	-<14	Trust: 0.6
vendor:	siemens	model:	simatic hmi comfort outdoor panels 7\" and 15\"	scope:	lt	version:	14	Trust: 0.6
vendor:	siemens	model:	simatic hmi ktp mobile panels	scope:	lt	version:	14	Trust: 0.6
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	lt	version:	14	Trust: 0.6
vendor:	siemens	model:	simatic wincc runtime professional	scope:	lt	version:	14	Trust: 0.6
vendor:	siemens	model:	simatic wincc	scope:	lt	version:	14	Trust: 0.6
vendor:	simatic wincc runtime	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	siemens	model:	simatic wincc runtime professional	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	12	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v120	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v110	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v13	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v10	Trust: 0.3
vendor:	siemens	model:	simatic hmi ktp mobile panels	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	4	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	22	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	13	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	12	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort outdoor panels	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi classic devices	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime professional	scope:	ne	version:	14	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	ne	version:	v14	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	ne	version:	v14	Trust: 0.3
vendor:	siemens	model:	simatic hmi ktp mobile panels update	scope:	ne	version:	154	Trust: 0.3
vendor:	siemens	model:	simatic hmi comfort panels	scope:	ne	version:	14	Trust: 0.3
vendor:	simatic hmi comfort panels	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi mp	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi op	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi comfort outdoor panels	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp400f	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp700	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp700f	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp900	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi ktp mobile panels ktp900f	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic wincc tia portal	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi tp	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432 // BID: 105931 // JVNDB: JVNDB-2018-014527 // NVD: CVE-2018-13814

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-13814
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-13814
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-25432
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201811-488
value:	HIGH
Trust: 0.6
IVD:	7d80ae62-463f-11e9-b905-000c29342cb1
value:	HIGH
Trust: 0.2
VULHUB:	VHN-123911
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-13814
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-25432
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d80ae62-463f-11e9-b905-000c29342cb1
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-123911
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-13814
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432 // VULHUB: VHN-123911 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488 // NVD: CVE-2018-13814

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.9
problemtype:	CWE-113	Trust: 1.0

sources: VULHUB: VHN-123911 // JVNDB: JVNDB-2018-014527 // NVD: CVE-2018-13814

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-488

TYPE

Input validation error

Trust: 1.1

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // BID: 105931 // CNNVD: CNNVD-201811-488

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014527

PATCH

title:	SSA-944083	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-944083.pdf	Trust: 0.8
title:	Patch for Siemens SIMATIC Panels and SIMATIC WinCC code injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/147353	Trust: 0.6
title:	Siemens SIMATIC Panels and SIMATIC WinCC Fixes for code injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86889	Trust: 0.6

sources: CNVD: CNVD-2018-25432 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488

EXTERNAL IDS

db:	NVD	id:	CVE-2018-13814	Trust: 3.6
db:	ICS CERT	id:	ICSA-18-317-03	Trust: 2.3
db:	BID	id:	105931	Trust: 2.0
db:	SIEMENS	id:	SSA-944083	Trust: 1.7
db:	CNNVD	id:	CNNVD-201811-488	Trust: 0.9
db:	CNVD	id:	CNVD-2018-25432	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-014527	Trust: 0.8
db:	IVD	id:	7D80AE62-463F-11E9-B905-000C29342CB1	Trust: 0.2
db:	SEEBUG	id:	SSVID-98853	Trust: 0.1
db:	VULHUB	id:	VHN-123911	Trust: 0.1

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432 // VULHUB: VHN-123911 // BID: 105931 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488 // NVD: CVE-2018-13814

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-317-03	Trust: 2.3
url:	http://www.securityfocus.com/bid/105931	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-944083.pdf	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13814	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-13814	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3

sources: CNVD: CNVD-2018-25432 // VULHUB: VHN-123911 // BID: 105931 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488 // NVD: CVE-2018-13814

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105931

SOURCES

db:	IVD	id:	7d80ae62-463f-11e9-b905-000c29342cb1
db:	CNVD	id:	CNVD-2018-25432
db:	VULHUB	id:	VHN-123911
db:	BID	id:	105931
db:	JVNDB	id:	JVNDB-2018-014527
db:	CNNVD	id:	CNNVD-201811-488
db:	NVD	id:	CVE-2018-13814

LAST UPDATE DATE

2024-08-14T14:57:01.106000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-25432	date:	2018-12-14T00:00:00
db:	VULHUB	id:	VHN-123911	date:	2019-10-09T00:00:00
db:	BID	id:	105931	date:	2018-11-13T00:00:00
db:	JVNDB	id:	JVNDB-2018-014527	date:	2019-03-26T00:00:00
db:	CNNVD	id:	CNNVD-201811-488	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-13814	date:	2019-10-09T23:34:33.873

SOURCES RELEASE DATE

db:	IVD	id:	7d80ae62-463f-11e9-b905-000c29342cb1	date:	2018-12-14T00:00:00
db:	CNVD	id:	CNVD-2018-25432	date:	2018-12-14T00:00:00
db:	VULHUB	id:	VHN-123911	date:	2018-12-13T00:00:00
db:	BID	id:	105931	date:	2018-11-13T00:00:00
db:	JVNDB	id:	JVNDB-2018-014527	date:	2019-03-26T00:00:00
db:	CNNVD	id:	CNNVD-201811-488	date:	2018-11-15T00:00:00
db:	NVD	id:	CVE-2018-13814	date:	2018-12-13T16:29:00.350