CVE-2018-10627

Published Jul 24, 2018

Last updated 5 years ago

CVSS critical 9.8

Overview

Description: Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers. This vulnerability does not affect the i.LON 600 product.
Source: ics-cert@hq.dhs.gov
NVD status: Modified

Risk scores

CVSS 3.0

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 6.4
Impact score: 4.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-200
ics-cert@hq.dhs.gov: CWE-200

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:echelon:smartserver_1_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "096B893D-BCDF-4788-81F4-301FE9E074F3"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:echelon:smartserver_1:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "9D78AEC2-D6E0-42EE-AEF4-5AEBA6B29611"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:echelon:smartserver_2_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "83547993-8A11-4A60-9CBE-3CD006272A1C",
            "versionEndExcluding": "4.11.007"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:echelon:smartserver_2:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "418DEBAC-57D5-4BA8-806B-3DC235F1B625"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:echelon:i.lon_100_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "124BE3F4-8E5F-46F7-9545-6D4E31B5A275"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:echelon:i.lon_100:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "D195E8CF-A5E2-4799-A0EF-189A825BB3AF"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References