cnvd - cnvd-2019-28111

cnvd-2019-28111

Vulnerability from cnvd

Title: LCDS LAquis SCADA存在未明漏洞（CNVD-2019-28111）

Description:

LCDS LAquis SCADA是巴西LCDS公司的一套SCADA（数据采集与监视控制）系统。该系统主要用于对拥有通信技术的设备进行数据采集和过程控制。

LCDS LAquis SCADA 4.1.0.3870版本中存在安全漏洞，该漏洞源于程序没有进行正确地授权或过滤便接收了用户输入。攻击者可利用该漏洞在系统上执行代码。

Severity: 高

Patch Name: LCDS LAquis SCADA存在未明漏洞（CNVD-2019-28111）的补丁

Patch Description:

LCDS LAquis SCADA是巴西LCDS公司的一套SCADA（数据采集与监视控制）系统。该系统主要用于对拥有通信技术的设备进行数据采集和过程控制。

LCDS LAquis SCADA 4.1.0.3870版本中存在安全漏洞，该漏洞源于程序没有进行正确地授权或过滤便接收了用户输入。攻击者可利用该漏洞在系统上执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://laquisscada.com/

Reference: https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01

Impacted products

Name
LCDS LCDS LAquis SCADA 4.1.0.3870

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-18996"
    }
  },
  "description": "LCDS LAquis SCADA\u662f\u5df4\u897fLCDS\u516c\u53f8\u7684\u4e00\u5957SCADA\uff08\u6570\u636e\u91c7\u96c6\u4e0e\u76d1\u89c6\u63a7\u5236\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u62e5\u6709\u901a\u4fe1\u6280\u672f\u7684\u8bbe\u5907\u8fdb\u884c\u6570\u636e\u91c7\u96c6\u548c\u8fc7\u7a0b\u63a7\u5236\u3002\n\nLCDS LAquis SCADA 4.1.0.3870\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u8fdb\u884c\u6b63\u786e\u5730\u6388\u6743\u6216\u8fc7\u6ee4\u4fbf\u63a5\u6536\u4e86\u7528\u6237\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4ee3\u7801\u3002",
  "discovererName": "Esteban Ruiz (mr me) working \u3001Zero Day Initiative",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://laquisscada.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-28111",
  "openTime": "2019-08-20",
  "patchDescription": "LCDS LAquis SCADA\u662f\u5df4\u897fLCDS\u516c\u53f8\u7684\u4e00\u5957SCADA\uff08\u6570\u636e\u91c7\u96c6\u4e0e\u76d1\u89c6\u63a7\u5236\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u62e5\u6709\u901a\u4fe1\u6280\u672f\u7684\u8bbe\u5907\u8fdb\u884c\u6570\u636e\u91c7\u96c6\u548c\u8fc7\u7a0b\u63a7\u5236\u3002\r\n\r\nLCDS LAquis SCADA 4.1.0.3870\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u8fdb\u884c\u6b63\u786e\u5730\u6388\u6743\u6216\u8fc7\u6ee4\u4fbf\u63a5\u6536\u4e86\u7528\u6237\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LCDS LAquis SCADA\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2019-28111\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "LCDS LCDS LAquis SCADA 4.1.0.3870"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01",
  "serverity": "\u9ad8",
  "submitTime": "2019-01-18",
  "title": "LCDS LAquis SCADA\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2019-28111\uff09"
}

CVE-2018-18996 (GCVE-0-2018-18996)

Vulnerability from cvelistv5

Published

2019-02-05 18:00

Modified

2024-09-16 22:46

Severity ?

CWE

CWE-74 - IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION')

Summary

LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server.

References

▼	URL	Tags
	https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01	x_refsource_MISC
	http://www.securityfocus.com/bid/106634	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	ICS-CERT	LCDS Laquis SCADA	Version: All versions prior to version 4.1.0.4150

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T11:23:08.918Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01"
          },
          {
            "name": "106634",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106634"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LCDS Laquis SCADA",
          "vendor": "ICS-CERT",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to version 4.1.0.4150"
            }
          ]
        }
      ],
      "datePublic": "2019-01-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT (\u0027INJECTION\u0027) CWE-74",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-02-06T10:57:02",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01"
        },
        {
          "name": "106634",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106634"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2019-01-15T00:00:00",
          "ID": "CVE-2018-18996",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LCDS Laquis SCADA",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to version 4.1.0.4150"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ICS-CERT"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT (\u0027INJECTION\u0027) CWE-74"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01"
            },
            {
              "name": "106634",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106634"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-18996",
    "datePublished": "2019-02-05T18:00:00Z",
    "dateReserved": "2018-11-06T00:00:00",
    "dateUpdated": "2024-09-16T22:46:36.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted