CVE Vulnerabilities

CVE-2018-13804

Improper Authentication

Published: Dec 13, 2018 | Modified: Nov 21, 2024
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
9.3 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu

A vulnerability has been identified in SIMATIC IT LMS (All versions), SIMATIC IT Production Suite (Versions V7.1 < V7.1 Upd3), SIMATIC IT UA Discrete Manufacturing (Versions < V1.2), SIMATIC IT UA Discrete Manufacturing (Versions V1.2), SIMATIC IT UA Discrete Manufacturing (Versions V1.3), SIMATIC IT UA Discrete Manufacturing (Versions V2.3), SIMATIC IT UA Discrete Manufacturing (Versions V2.4). An attacker with network access to the installation could bypass the application-level authentication. In order to exploit the vulnerability, an attacker must obtain network access to an affected installation and must obtain a valid username to the system. Successful exploitation requires no user privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. At the time of advisory publication no public exploitation of this vulnerability was known.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Simatic_it_line_monitoring_system Siemens * *
Simatic_it_production_suite Siemens v7.1 (including) v7.1 (including)
Simatic_it_ua_discrete_manufacturing Siemens * v1.2 (including)
Simatic_it_ua_discrete_manufacturing Siemens v1.3 (including) v1.3 (including)
Simatic_it_ua_discrete_manufacturing Siemens v2.3 (including) v2.3 (including)
Simatic_it_ua_discrete_manufacturing Siemens v2.4 (including) v2.4 (including)

Potential Mitigations

References