CVE-2018-8855 (GCVE-0-2018-8855)
Vulnerability from cvelistv5 – Published: 2018-07-24 17:00 – Updated: 2024-09-17 01:10

- CWE-319 - CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03 | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| Echelon | SmartServer 1 | Affected: all versions |
| Echelon | SmartServer 2 | Affected: all versions prior to release 4.11.007 |
| Echelon | i.LON 100 | Affected: all versions |
| Echelon | i.LON 600 | Affected: all versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SmartServer 1",
"vendor": "Echelon",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"product": "SmartServer 2",
"vendor": "Echelon",
"versions": [
{
"status": "affected",
"version": "all versions prior to release 4.11.007"
}
]
},
{
"product": "i.LON 100",
"vendor": "Echelon",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"product": "i.LON 600",
"vendor": "Echelon",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"datePublic": "2018-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-24T16:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-07-19T00:00:00",
"ID": "CVE-2018-8855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SmartServer 1",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
},
{
"product_name": "SmartServer 2",
"version": {
"version_data": [
{
"version_value": "all versions prior to release 4.11.007"
}
]
}
},
{
"product_name": "i.LON 100",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
},
{
"product_name": "i.LON 600",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
}
]
},
"vendor_name": "Echelon"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-8855",
"datePublished": "2018-07-24T17:00:00.000Z",
"dateReserved": "2018-03-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:10:42.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-8855",
"date": "2026-05-25",
"epss": "0.00148",
"percentile": "0.34843"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-8855\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-07-24T17:29:00.400\",\"lastModified\":\"2024-11-21T04:14:27.677\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.\"},{\"lang\":\"es\",\"value\":\"Echelon SmartServer 1 en todas las versiones, SmartServer 2 en todas las versiones anteriores a 4.11.007, i.LON 100 en todas las versiones y i.LON 600 en todas las versiones. Los dispositivos permiten las conexiones web sin cifrar por defecto y, adem\u00e1s, pueden recibir actualizaciones de configuraci\u00f3n y firmware a trav\u00e9s de FTP inseguro.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"
userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:echelon:smartserver_1_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82A8FFC2-7191-42FE-8F71-77DE83945FFA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:echelon:smartserver_1:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D78AEC2-D6E0-42EE-AEF4-5AEBA6B29611\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:echelon:smartserver_2_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.11.007\",\"matchCriteriaId\":\"83547993-8A11-4A60-9CBE-3CD006272A1C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:echelon:smartserver_2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"418DEBAC-57D5-4BA8-806B-3DC235F1B625\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:echelon:i.lon_100_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DC38B32-715F-4ECA-AA60-15BE5EEB0DDE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:echelon:i.lon_100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D195E8CF-A5E2-4799-A0EF-189A825BB3AF\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:echelon:i.lon_600_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1F3F845-E167-48A6-B159-39634D4D5DEB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\
":\"cpe:2.3:h:echelon:i.lon_600:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"129D5CFF-EE75-4AED-89B1-DD947359DFFE\"}]}]}],\"references\":[{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
CNVD-2018-18306
Vulnerability from cnvd - Published: 2018-09-10

厂商已发布了漏洞修复程序,请及时关注更新: https://www.echelon.com/software-downloads?ele=153-0608-01A
| Name | ['Echelon SmartServer 1', 'Echelon SmartServer 2 <release 4.11.007', 'Echelon i.LON 100', 'Echelon i.LON 600'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-8855"
}
},
"description": "Echelon SmartServer 1\u7b49\u90fd\u662f\u7f8e\u56fdEchelon\u516c\u53f8\u7684\u4ea7\u54c1\u3002Echelon SmartServer 1\u662f\u4e00\u6b3e\u591a\u529f\u80fd\u63a7\u5236\u5668\uff0c\u5b83\u652f\u6301\u697c\u5b87\u81ea\u52a8\u5316\u63a7\u5236\u548c\u4f01\u4e1a\u80fd\u6e90\u7ba1\u7406\u7b49\u3002i.LON 100\u662f\u4e00\u6b3e\u7f51\u7edc\u670d\u52a1\u5668\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u914d\u7f6e\u548c\u76d1\u63a7LonWorks\u8bbe\u5907\u3002\r\n\r\n\u591a\u6b3eEchelon\u4ea7\u54c1\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u4f20\u9012\u654f\u611f\u4fe1\u606f\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7528\u6076\u610f\u7684\u56fa\u4ef6\u4e8c\u8fdb\u5236\u6587\u4ef6\u548c\u6a21\u5757\u66ff\u6362\u539f\u6709\u7684\u6587\u4ef6\u548c\u6a21\u5757\uff0c\u5e76\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4ee3\u7801\u3002",
"discovererName": "unknown",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.echelon.com/software-downloads?ele=153-0608-01A",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-18306",
"openTime": "2018-09-10",
"patchDescription": "Echelon SmartServer 1\u7b49\u90fd\u662f\u7f8e\u56fdEchelon\u516c\u53f8\u7684\u4ea7\u54c1\u3002Echelon SmartServer 1\u662f\u4e00\u6b3e\u591a\u529f\u80fd\u63a7\u5236\u5668\uff0c\u5b83\u652f\u6301\u697c\u5b87\u81ea\u52a8\u5316\u63a7\u5236\u548c\u4f01\u4e1a\u80fd\u6e90\u7ba1\u7406\u7b49\u3002i.LON 100\u662f\u4e00\u6b3e\u7f51\u7edc\u670d\u52a1\u5668\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u914d\u7f6e\u548c\u76d1\u63a7LonWorks\u8bbe\u5907\u3002\r\n\r\n\u591a\u6b3eEchelon\u4ea7\u54c1\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u4f20\u9012\u654f\u611f\u4fe1\u606f\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7528\u6076\u610f\u7684\u56fa\u4ef6\u4e8c\u8fdb\u5236\u6587\u4ef6\u548c\u6a21\u5757\u66ff\u6362\u539f\u6709\u7684\u6587\u4ef6\u548c\u6a21\u5757\uff0c\u5e76\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "\u591a\u6b3eEchelon\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-18306\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Echelon SmartServer 1",
"Echelon SmartServer 2 \u003crelease 4.11.007",
"Echelon i.LON 100",
"Echelon i.LON 600"
]
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03",
"serverity": "\u9ad8",
"submitTime": "2018-07-20",
"title": "\u591a\u6b3eEchelon\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-18306\uff09"
}
FKIE_CVE-2018-8855
Vulnerability from fkie_nvd - Published: 2018-07-24 17:29 - Updated: 2024-11-21 04:14

| | URL | Tags |
|---|---|---|
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03 | Third Party Advisory, US Government Resource |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03 | Third Party Advisory, US Government Resource |
| Vendor | Product | Version | |
|---|---|---|---|
| echelon | smartserver_1_firmware | - | |
| echelon | smartserver_1 | - | |
| echelon | smartserver_2_firmware | * | |
| echelon | smartserver_2 | - | |
| echelon | i.lon_100_firmware | - | |
| echelon | i.lon_100 | - | |
| echelon | i.lon_600_firmware | - | |
| echelon | i.lon_600 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:echelon:smartserver_1_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "82A8FFC2-7191-42FE-8F71-77DE83945FFA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:echelon:smartserver_1:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9D78AEC2-D6E0-42EE-AEF4-5AEBA6B29611",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:echelon:smartserver_2_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83547993-8A11-4A60-9CBE-3CD006272A1C",
"versionEndExcluding": "4.11.007",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:echelon:smartserver_2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "418DEBAC-57D5-4BA8-806B-3DC235F1B625",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:echelon:i.lon_100_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC38B32-715F-4ECA-AA60-15BE5EEB0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:echelon:i.lon_100:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D195E8CF-A5E2-4799-A0EF-189A825BB3AF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:echelon:i.lon_600_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1F3F845-E167-48A6-B159-39634D4D5DEB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:echelon:i.lon_600:-:*:*:*:*:*:*:*",
"matchCriteriaId": "129D5CFF-EE75-4AED-89B1-DD947359DFFE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
},
{
"lang": "es",
"value": "Echelon SmartServer 1 en todas las versiones, SmartServer 2 en todas las versiones anteriores a 4.11.007, i.LON 100 en todas las versiones y i.LON 600 en todas las versiones. Los dispositivos permiten las conexiones web sin cifrar por defecto y, adem\u00e1s, pueden recibir actualizaciones de configuraci\u00f3n y firmware a trav\u00e9s de FTP inseguro."
}
],
"id": "CVE-2018-8855",
"lastModified": "2024-11-21T04:14:27.677",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-24T17:29:00.400",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-R959-MQQR-2QRV
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.
{
"affected": [],
"aliases": [
"CVE-2018-8855"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-24T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.",
"id": "GHSA-r959-mqqr-2qrv",
"modified": "2022-05-13T01:31:45Z",
"published": "2022-05-13T01:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8855"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2018-8855
Vulnerability from gsd - Updated: 2023-12-13 01:22
{
"GSD": {
"alias": "CVE-2018-8855",
"description": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.",
"id": "GSD-2018-8855"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-8855"
],
"details": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.",
"id": "GSD-2018-8855",
"modified": "2023-12-13T01:22:34.779354Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-07-19T00:00:00",
"ID": "CVE-2018-8855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SmartServer 1",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
},
{
"product_name": "SmartServer 2",
"version": {
"version_data": [
{
"version_value": "all versions prior to release 4.11.007"
}
]
}
},
{
"product_name": "i.LON 100",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
},
{
"product_name": "i.LON 600",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
}
]
},
"vendor_name": "Echelon"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:echelon:smartserver_1_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:echelon:smartserver_1:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:echelon:smartserver_2_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.11.007",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:echelon:smartserver_2:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:echelon:i.lon_100_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:echelon:i.lon_100:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:echelon:i.lon_600_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:echelon:i.lon_600:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-8855"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2019-10-09T23:42Z",
"publishedDate": "2018-07-24T17:29Z"
}
}
}
ICSA-18-200-03
Vulnerability from csaf_cisa - Published: 2018-07-19 00:00 - Updated: 2018-09-18 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SmartServer 1: all versions
Echelon / SmartServer 1
|
vers:all/* |
Mitigation
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 600: all versions
Echelon / i.LON 600
|
vers:all/* |
Mitigation
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
SmartServer 2: all versions prior to release 4.11.007
Echelon / SmartServer 2
|
< 4.11.007 |
Mitigation
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 100: all versions
Echelon / i.LON 100
|
vers:all/* |
Mitigation
Mitigation
Mitigation
Mitigation
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SmartServer 1: all versions
Echelon / SmartServer 1
|
vers:all/* |
Mitigation
fix
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 600: all versions
Echelon / i.LON 600
|
vers:all/* |
Mitigation
fix
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
SmartServer 2: all versions prior to release 4.11.007
Echelon / SmartServer 2
|
< 4.11.007 |
Mitigation
fix
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 100: all versions
Echelon / i.LON 100
|
vers:all/* |
Mitigation
fix
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SmartServer 1: all versions
Echelon / SmartServer 1
|
vers:all/* |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 600: all versions
Echelon / i.LON 600
|
vers:all/* |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
SmartServer 2: all versions prior to release 4.11.007
Echelon / SmartServer 2
|
< 4.11.007 |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 100: all versions
Echelon / i.LON 100
|
vers:all/* |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SmartServer 1: all versions
Echelon / SmartServer 1
|
vers:all/* |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 600: all versions
Echelon / i.LON 600
|
vers:all/* |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
SmartServer 2: all versions prior to release 4.11.007
Echelon / SmartServer 2
|
< 4.11.007 |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
|
|
i.LON 100: all versions
Echelon / i.LON 100
|
vers:all/* |
Mitigation
fix
Mitigation
Mitigation
Mitigation
Vendor Fix
|
{
"document": {
"acknowledgments": [
{
"organization": "Echelon",
"summary": "self-reporting these vulnerabilities to NCCIC"
},
{
"names": [
"Daniel Crowley"
],
"summary": "reporting these vulnerabilities to NCCIC"
},
{
"organization": "IBM\u0027s X-Force Red team",
"summary": "reporting these vulnerabilities to NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could allow for remote code execution on the device.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Commercial Facilities, Critical Manufacturing, Information Technology",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "United States",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC also recommends that users take the following measures to protect themselves from social engineering attacks:",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-18-200-03 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-200-03.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-18-200-03 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-200-03"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-200-03"
}
],
"title": "Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 (Update A)",
"tracking": {
"current_release_date": "2018-09-18T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-18-200-03",
"initial_release_date": "2018-07-19T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-07-19T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-18-200-03 Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600"
},
{
"date": "2018-09-18T00:00:00.000000Z",
"legacy_version": "A",
"number": "2",
"summary": "ICSA-18-200-03 Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 (Update A)"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "vers:all/*",
"product": {
"name": "SmartServer 1: all versions",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "SmartServer 1"
},
{
"branches": [
{
"category": "product_version",
"name": "vers:all/*",
"product": {
"name": "i.LON 600: all versions",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "i.LON 600"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 4.11.007",
"product": {
"name": "SmartServer 2: all versions prior to release 4.11.007",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "SmartServer 2"
},
{
"branches": [
{
"category": "product_version",
"name": "vers:all/*",
"product": {
"name": "i.LON 100: all versions",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "i.LON 100"
}
],
"category": "vendor",
"name": "Echelon"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-10627",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "summary",
"text": "An attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers. This vulnerability does not affect the i.LON 600 product. CVE-2018-10627 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10627"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "For CVE-2018-10627, Echelon recommends affected users modify the WebParams.dat file.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "SmartServer 2 Service Pack 7 is install",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "All SmartServer and i.LON 600 devices along with any servers using the SmartServer and i.Lon services should be installed behind a firewall or on a VLAN without other devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "Change the username and password during the initial installation of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Disable unencrypted services and secure encrypted services for the SmartServer or i.LON 100.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
]
},
{
"cve": "CVE-2018-8859",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"notes": [
{
"category": "summary",
"text": "An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. CVE-2018-8859 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8859"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "For CVE-2018-8859, Echelon recommends affected users install the i.LON 600 and any servers using the i.LON 600 behind a firewall or on a VLAN without other devices. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://www.echelon.com/static/company/security/security-advisories/ESA-20180823-01.pdf"
},
{
"category": "mitigation",
"details": "Echelon recommends that affected users install SmartServer 2 Service Pack 7 (Version 4.11.007), to mitigate CVE-2018-8859, CVE-2018-8851, and CVE-2018-8855",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://www.echelon.com/software-downloads?ele=153-0608-01A"
},
{
"category": "mitigation",
"details": "SmartServer 2 Service Pack 7 is install",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "All SmartServer and i.LON 600 devices along with any servers using the SmartServer and i.Lon services should be installed behind a firewall or on a VLAN without other devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "Change the username and password during the initial installation of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Disable unencrypted services and secure encrypted services for the SmartServer or i.LON 100.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
]
},
{
"cve": "CVE-2018-8851",
"cwe": {
"id": "CWE-256",
"name": "Plaintext Storage of a Password"
},
"notes": [
{
"category": "summary",
"text": "The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface. CVE-2018-8851 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8851"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Echelon recommends that affected users install SmartServer 2 Service Pack 7 (Version 4.11.007), to mitigate CVE-2018-8859, CVE-2018-8851, and CVE-2018-8855",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://www.echelon.com/software-downloads?ele=153-0608-01A"
},
{
"category": "mitigation",
"details": "SmartServer 2 Service Pack 7 is install",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "All SmartServer and i.LON 600 devices along with any servers using the SmartServer and i.Lon services should be installed behind a firewall or on a VLAN without other devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "Change the username and password during the initial installation of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Disable unencrypted services and secure encrypted services for the SmartServer or i.LON 100.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
]
},
{
"cve": "CVE-2018-8855",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "summary",
"text": "The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. CVE-2018-8855 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8855"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Echelon recommends that affected users install SmartServer 2 Service Pack 7 (Version 4.11.007), to mitigate CVE-2018-8859, CVE-2018-8851, and CVE-2018-8855",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://www.echelon.com/software-downloads?ele=153-0608-01A"
},
{
"category": "mitigation",
"details": "SmartServer 2 Service Pack 7 is install",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "All SmartServer and i.LON 600 devices along with any servers using the SmartServer and i.Lon services should be installed behind a firewall or on a VLAN without other devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "mitigation",
"details": "Change the username and password during the initial installation of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Disable unencrypted services and secure encrypted services for the SmartServer or i.LON 100.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
]
}
]
}
VAR-201807-1687
Vulnerability from variot - Updated: 2024-11-23 22:00
Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. Echelon SmartServer and i.LON contain a cryptographic vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may occur. Echelon SmartServer 1 and other products are products of Echelon Corporation of the United States. The Echelon SmartServer 1 is a versatile controller that supports building automation control and enterprise energy management. The i.LON 100 is a web server that is primarily used to configure and monitor LonWorks devices. An information disclosure vulnerability exists in several Echelon products because the program transmits sensitive information in clear text. An attacker could exploit the vulnerability to replace legacy files and modules with malicious firmware binaries and modules and execute code on the system.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201807-1687",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "smartserver 2",
"scope": "lt",
"trust": 1.8,
"vendor": "echelon",
"version": "4.11.007"
},
{
"model": "i.lon 600",
"scope": "eq",
"trust": 1.6,
"vendor": "echelon",
"version": null
},
{
"model": "i.lon 100",
"scope": "eq",
"trust": 1.6,
"vendor": "echelon",
"version": null
},
{
"model": "smartserver 1",
"scope": "eq",
"trust": 1.6,
"vendor": "echelon",
"version": null
},
{
"model": "i.lon 100",
"scope": null,
"trust": 0.8,
"vendor": "echelon",
"version": null
},
{
"model": "i.lon 600",
"scope": null,
"trust": 0.8,
"vendor": "echelon",
"version": null
},
{
"model": "smartserver 1",
"scope": null,
"trust": 0.8,
"vendor": "echelon",
"version": null
},
{
"model": "smartserver",
"scope": "eq",
"trust": 0.6,
"vendor": "echelon",
"version": "1"
},
{
"model": "smartserver \u003crelease",
"scope": "eq",
"trust": 0.6,
"vendor": "echelon",
"version": "24.11.007"
},
{
"model": "i.lon",
"scope": "eq",
"trust": 0.6,
"vendor": "echelon",
"version": "100"
},
{
"model": "i.lon",
"scope": "eq",
"trust": 0.6,
"vendor": "echelon",
"version": "600"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "smartserver 1",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "smartserver 2",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "i lon 100",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "i lon 600",
"version": null
}
],
"sources": [
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:echelon:i.lon_100_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:echelon:i.lon_600_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:echelon:smartserver_1_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:echelon:smartserver_2_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
}
]
},
"cve": "CVE-2018-8855",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2018-8855",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-18306",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-138887",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-8855",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-8855",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2018-8855",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2018-18306",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201807-1794",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1",
"trust": 0.2,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-138887",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "VULHUB",
"id": "VHN-138887"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. Echelon SmartServer and i.LON contain a cryptographic vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may occur. Echelon SmartServer 1 and other products are products of Echelon Corporation of the United States. The Echelon SmartServer 1 is a versatile controller that supports building automation control and enterprise energy management. The i.LON 100 is a web server that is primarily used to configure and monitor LonWorks devices. An information disclosure vulnerability exists in several Echelon products because the program transmits sensitive information in clear text. An attacker could exploit the vulnerability to replace legacy files and modules with malicious firmware binaries and modules and execute code on the system.",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-8855"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "VULHUB",
"id": "VHN-138887"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-8855",
"trust": 3.3
},
{
"db": "ICS CERT",
"id": "ICSA-18-200-03",
"trust": 3.1
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2018-18306",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466",
"trust": 0.8
},
{
"db": "IVD",
"id": "E2F998B0-39AB-11E9-90F9-000C29342CB1",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-138887",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "VULHUB",
"id": "VHN-138887"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"id": "VAR-201807-1687",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "VULHUB",
"id": "VHN-138887"
}
],
"trust": 1.73333335
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
}
]
},
"last_update_date": "2024-11-23T22:00:27.827000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.echelon.com/"
},
{
"title": "Patches for multiple Echelon Product Information Disclosure Vulnerabilities (CNVD-2018-18306)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/139839"
},
{
"title": "Multiple Echelon Product security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82588"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-319",
"trust": 1.1
},
{
"problemtype": "CWE-310",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-138887"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-18-200-03"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8855"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-8855"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "VULHUB",
"id": "VHN-138887"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"db": "VULHUB",
"id": "VHN-138887"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-11T00:00:00",
"db": "IVD",
"id": "e2f998b0-39ab-11e9-90f9-000c29342cb1"
},
{
"date": "2018-09-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"date": "2018-07-24T00:00:00",
"db": "VULHUB",
"id": "VHN-138887"
},
{
"date": "2018-10-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"date": "2018-07-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"date": "2018-07-24T17:29:00.400000",
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-18306"
},
{
"date": "2019-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-138887"
},
{
"date": "2018-10-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-008466"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201807-1794"
},
{
"date": "2024-11-21T04:14:27.677000",
"db": "NVD",
"id": "CVE-2018-8855"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Echelon SmartServer and i.LON Vulnerabilities related to cryptography",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-008466"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "encryption problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201807-1794"
}
],
"trust": 0.6
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.