ID

VAR-201812-0345


CVE

CVE-2018-13814


TITLE

Siemens SIMATIC Panels and SIMATIC WinCC code injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-25432 // CNNVD: CNNVD-201811-488

DESCRIPTION

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V14), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V14), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V14), SIMATIC WinCC Runtime Advanced (All versions < V14), SIMATIC WinCC Runtime Professional (All versions < V14), SIMATIC WinCC (TIA Portal) (All versions < V14), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The integrated web server (port 80/tcp and port 443/tcp) of the affected devices could allow an attacker to inject HTTP headers. An attacker must trick a valid user who is authenticated to the device into clicking on a malicious link to exploit the vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. plural SIMATIC The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal) are products of Siemens AG, Germany. Siemens SIMATIC Panels is a human interface panel. SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system. A code injection vulnerability exists in Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal), which can be exploited by an attacker to inject HTTP headers with malicious links. Multiple Siemens Products are prone to an HTTP header-injection vulnerability because it fails to sufficiently sanitize user input. This may aid in further attacks

Trust: 2.7

sources: NVD: CVE-2018-13814 // JVNDB: JVNDB-2018-014527 // CNVD: CNVD-2018-25432 // BID: 105931 // IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // VULHUB: VHN-123911

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432

AFFECTED PRODUCTS

vendor:siemensmodel:simatic hmi opscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700fscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700scope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi mpscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic hmi tpscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp400fscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900fscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic wincc \scope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic wincc runtimescope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi comfort panelsscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900scope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi comfort outdoor panelsscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:simatic hmi comfort outdoor panelsscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi comfort panelsscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp400fscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700scope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp700fscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900scope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi ktp mobile panels ktp900fscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic winccscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic wincc runtime advancedscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic wincc runtime professionalscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic hmi comfort panels 4" 22"scope:eqversion:-<14

Trust: 0.6

vendor:siemensmodel:simatic hmi comfort outdoor panels 7\" and 15\"scope:ltversion:14

Trust: 0.6

vendor:siemensmodel:simatic hmi ktp mobile panelsscope:ltversion:14

Trust: 0.6

vendor:siemensmodel:simatic wincc runtime advancedscope:ltversion:14

Trust: 0.6

vendor:siemensmodel:simatic wincc runtime professionalscope:ltversion:14

Trust: 0.6

vendor:siemensmodel:simatic winccscope:ltversion:14

Trust: 0.6

vendor:simatic wincc runtimemodel: - scope:eqversion:*

Trust: 0.4

vendor:siemensmodel:simatic wincc runtime professionalscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professionalscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:12

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v120

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v110

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v13

Trust: 0.3

vendor:siemensmodel:simatic winccscope:eqversion:v10

Trust: 0.3

vendor:siemensmodel:simatic hmi ktp mobile panelsscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:4

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:22

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:12

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort outdoor panelsscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic hmi classic devicesscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime professionalscope:neversion:14

Trust: 0.3

vendor:siemensmodel:simatic wincc runtime advancedscope:neversion:v14

Trust: 0.3

vendor:siemensmodel:simatic winccscope:neversion:v14

Trust: 0.3

vendor:siemensmodel:simatic hmi ktp mobile panels updatescope:neversion:154

Trust: 0.3

vendor:siemensmodel:simatic hmi comfort panelsscope:neversion:14

Trust: 0.3

vendor:simatic hmi comfort panelsmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi mpmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi opmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi comfort outdoor panelsmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp400fmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp700model: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp700fmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp900model: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi ktp mobile panels ktp900fmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic wincc tia portalmodel: - scope:eqversion:*

Trust: 0.2

vendor:simatic hmi tpmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432 // BID: 105931 // JVNDB: JVNDB-2018-014527 // NVD: CVE-2018-13814

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13814
value: HIGH

Trust: 1.0

NVD: CVE-2018-13814
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-25432
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201811-488
value: HIGH

Trust: 0.6

IVD: 7d80ae62-463f-11e9-b905-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-123911
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-13814
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-25432
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d80ae62-463f-11e9-b905-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-123911
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13814
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432 // VULHUB: VHN-123911 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488 // NVD: CVE-2018-13814

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

problemtype:CWE-113

Trust: 1.0

sources: VULHUB: VHN-123911 // JVNDB: JVNDB-2018-014527 // NVD: CVE-2018-13814

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-488

TYPE

Input validation error

Trust: 1.1

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // BID: 105931 // CNNVD: CNNVD-201811-488

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014527

PATCH

title:SSA-944083url:https://cert-portal.siemens.com/productcert/pdf/ssa-944083.pdf

Trust: 0.8

title:Patch for Siemens SIMATIC Panels and SIMATIC WinCC code injection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/147353

Trust: 0.6

title:Siemens SIMATIC Panels and SIMATIC WinCC Fixes for code injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86889

Trust: 0.6

sources: CNVD: CNVD-2018-25432 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488

EXTERNAL IDS

db:NVDid:CVE-2018-13814

Trust: 3.6

db:ICS CERTid:ICSA-18-317-03

Trust: 2.3

db:BIDid:105931

Trust: 2.0

db:SIEMENSid:SSA-944083

Trust: 1.7

db:CNNVDid:CNNVD-201811-488

Trust: 0.9

db:CNVDid:CNVD-2018-25432

Trust: 0.8

db:JVNDBid:JVNDB-2018-014527

Trust: 0.8

db:IVDid:7D80AE62-463F-11E9-B905-000C29342CB1

Trust: 0.2

db:SEEBUGid:SSVID-98853

Trust: 0.1

db:VULHUBid:VHN-123911

Trust: 0.1

sources: IVD: 7d80ae62-463f-11e9-b905-000c29342cb1 // CNVD: CNVD-2018-25432 // VULHUB: VHN-123911 // BID: 105931 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488 // NVD: CVE-2018-13814

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-317-03

Trust: 2.3

url:http://www.securityfocus.com/bid/105931

Trust: 1.7

url:https://cert-portal.siemens.com/productcert/pdf/ssa-944083.pdf

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13814

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-13814

Trust: 0.8

url:http://subscriber.communications.siemens.com/

Trust: 0.3

sources: CNVD: CNVD-2018-25432 // VULHUB: VHN-123911 // BID: 105931 // JVNDB: JVNDB-2018-014527 // CNNVD: CNNVD-201811-488 // NVD: CVE-2018-13814

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105931

SOURCES

db:IVDid:7d80ae62-463f-11e9-b905-000c29342cb1
db:CNVDid:CNVD-2018-25432
db:VULHUBid:VHN-123911
db:BIDid:105931
db:JVNDBid:JVNDB-2018-014527
db:CNNVDid:CNNVD-201811-488
db:NVDid:CVE-2018-13814

LAST UPDATE DATE

2024-08-14T14:57:01.106000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-25432date:2018-12-14T00:00:00
db:VULHUBid:VHN-123911date:2019-10-09T00:00:00
db:BIDid:105931date:2018-11-13T00:00:00
db:JVNDBid:JVNDB-2018-014527date:2019-03-26T00:00:00
db:CNNVDid:CNNVD-201811-488date:2019-10-17T00:00:00
db:NVDid:CVE-2018-13814date:2019-10-09T23:34:33.873

SOURCES RELEASE DATE

db:IVDid:7d80ae62-463f-11e9-b905-000c29342cb1date:2018-12-14T00:00:00
db:CNVDid:CNVD-2018-25432date:2018-12-14T00:00:00
db:VULHUBid:VHN-123911date:2018-12-13T00:00:00
db:BIDid:105931date:2018-11-13T00:00:00
db:JVNDBid:JVNDB-2018-014527date:2019-03-26T00:00:00
db:CNNVDid:CNNVD-201811-488date:2018-11-15T00:00:00
db:NVDid:CVE-2018-13814date:2018-12-13T16:29:00.350