Vulnerability-Lookup

CNVD-2018-18306

Vulnerability from cnvd - Published: 2018-09-10

Title

多款Echelon产品信息泄露漏洞（CNVD-2018-18306）

Description

Echelon SmartServer 1等都是美国Echelon公司的产品。Echelon SmartServer 1是一款多功能控制器，它支持楼宇自动化控制和企业能源管理等。i.LON 100是一款网络服务器，它主要用于配置和监控LonWorks设备。多款Echelon产品中存在信息泄露漏洞，该漏洞源于程序以明文的形式传递敏感信息。攻击者可利用该漏洞用恶意的固件二进制文件和模块替换原有的文件和模块，并在系统上执行代码。

Severity

高

Patch Name

多款Echelon产品信息泄露漏洞（CNVD-2018-18306）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.echelon.com/software-downloads?ele=153-0608-01A

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03

Impacted products

Name
['Echelon SmartServer 1', 'Echelon SmartServer 2 <release 4.11.007', 'Echelon i.LON 100', 'Echelon i.LON 600']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-8855"
    }
  },
  "description": "Echelon SmartServer 1\u7b49\u90fd\u662f\u7f8e\u56fdEchelon\u516c\u53f8\u7684\u4ea7\u54c1\u3002Echelon SmartServer 1\u662f\u4e00\u6b3e\u591a\u529f\u80fd\u63a7\u5236\u5668\uff0c\u5b83\u652f\u6301\u697c\u5b87\u81ea\u52a8\u5316\u63a7\u5236\u548c\u4f01\u4e1a\u80fd\u6e90\u7ba1\u7406\u7b49\u3002i.LON 100\u662f\u4e00\u6b3e\u7f51\u7edc\u670d\u52a1\u5668\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u914d\u7f6e\u548c\u76d1\u63a7LonWorks\u8bbe\u5907\u3002\r\n\r\n\u591a\u6b3eEchelon\u4ea7\u54c1\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u4f20\u9012\u654f\u611f\u4fe1\u606f\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7528\u6076\u610f\u7684\u56fa\u4ef6\u4e8c\u8fdb\u5236\u6587\u4ef6\u548c\u6a21\u5757\u66ff\u6362\u539f\u6709\u7684\u6587\u4ef6\u548c\u6a21\u5757\uff0c\u5e76\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4ee3\u7801\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.echelon.com/software-downloads?ele=153-0608-01A",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-18306",
  "openTime": "2018-09-10",
  "patchDescription": "Echelon SmartServer 1\u7b49\u90fd\u662f\u7f8e\u56fdEchelon\u516c\u53f8\u7684\u4ea7\u54c1\u3002Echelon SmartServer 1\u662f\u4e00\u6b3e\u591a\u529f\u80fd\u63a7\u5236\u5668\uff0c\u5b83\u652f\u6301\u697c\u5b87\u81ea\u52a8\u5316\u63a7\u5236\u548c\u4f01\u4e1a\u80fd\u6e90\u7ba1\u7406\u7b49\u3002i.LON 100\u662f\u4e00\u6b3e\u7f51\u7edc\u670d\u52a1\u5668\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u914d\u7f6e\u548c\u76d1\u63a7LonWorks\u8bbe\u5907\u3002\r\n\r\n\u591a\u6b3eEchelon\u4ea7\u54c1\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u4f20\u9012\u654f\u611f\u4fe1\u606f\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7528\u6076\u610f\u7684\u56fa\u4ef6\u4e8c\u8fdb\u5236\u6587\u4ef6\u548c\u6a21\u5757\u66ff\u6362\u539f\u6709\u7684\u6587\u4ef6\u548c\u6a21\u5757\uff0c\u5e76\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eEchelon\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-18306\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Echelon SmartServer 1",
      "Echelon SmartServer 2 \u003crelease 4.11.007",
      "Echelon i.LON 100",
      "Echelon i.LON 600"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03",
  "serverity": "\u9ad8",
  "submitTime": "2018-07-20",
  "title": "\u591a\u6b3eEchelon\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-18306\uff09"
}

CVE-2018-8855 (GCVE-0-2018-8855)

Vulnerability from cvelistv5 – Published: 2018-07-24 17:00 – Updated: 2024-09-17 01:10

Summary

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.

Severity ?

No CVSS data available.

CWE

CWE-319 - CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Assigner

icscert

References

URL

Tags

https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03

x_refsource_MISC

Impacted products

Vendor

Product

Version

Echelon

SmartServer 1

Affected: all versions

Echelon	SmartServer 2	Affected: all versions prior to release 4.11.007
Echelon	i.LON 100	Affected: all versions
Echelon	i.LON 600	Affected: all versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:10:46.267Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SmartServer 1",
          "vendor": "Echelon",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "product": "SmartServer 2",
          "vendor": "Echelon",
          "versions": [
            {
              "status": "affected",
              "version": "all versions prior to release 4.11.007"
            }
          ]
        },
        {
          "product": "i.LON 100",
          "vendor": "Echelon",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "product": "i.LON 600",
          "vendor": "Echelon",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "datePublic": "2018-07-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-24T16:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2018-07-19T00:00:00",
          "ID": "CVE-2018-8855",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SmartServer 1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SmartServer 2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions prior to release 4.11.007"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "i.LON 100",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "i.LON 600",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Echelon"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-8855",
    "datePublished": "2018-07-24T17:00:00Z",
    "dateReserved": "2018-03-20T00:00:00",
    "dateUpdated": "2024-09-17T01:10:42.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-18306

CVE-2018-8855 (GCVE-0-2018-8855)

Tags

Sightings

Nomenclature