CVE-2018-10592 - OpenCVE

Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Yokogawa	Fcn-500 Firmware Fcn-100 Firmware Fcn-rtu Fcn-500 Fcj Firmware Fcn-rtu Firmware Fcn-100 Fcj

Configuration 1 [-]

AND

cpe:2.3:o:yokogawa:fcj_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:yokogawa:fcj:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:yokogawa:fcn-100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:yokogawa:fcn-100:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:yokogawa:fcn-rtu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:yokogawa:fcn-rtu:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:yokogawa:fcn-500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:yokogawa:fcn-500:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/104376	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-18-151-03	Third Party Advisory US Government Resource
https://web-material3.yokogawa.com/1/6712/details/YSAR-18-0004-E.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2018-05-31T00:00:00

Updated: 2018-08-01T09:57:01

Reserved: 2018-05-01T00:00:00

Link: CVE-2018-10592

JSON object: View

NVD Information

Status : Modified

Published: 2018-07-31T17:29:00.233

Modified: 2019-10-09T23:32:51.757

Link: CVE-2018-10592

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "STARDOM FCJ Controllers", "vendor": "Yokogawa", "versions": [{"status": "affected", "version": "R4.02 and prior"}]}, {"product": "STARDOM FCN-100 Controllers", "vendor": "Yokogawa", "versions": [{"status": "affected", "version": "R4.02 and prior"}]}, {"product": "STARDOM FCN-RTU Controllers", "vendor": "Yokogawa", "versions": [{"status": "affected", "version": "R4.02 and prior"}]}, {"product": "STARDOM FCN-500 Controllers", "vendor": "Yokogawa", "versions": [{"status": "affected", "version": "R4.02 and prior"}]}], "datePublic": "2018-05-31T00:00:00", "descriptions": [{"lang": "en", "value": "Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "USE OF HARD-CODED CREDENTIALS CWE-798", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-08-01T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://web-material3.yokogawa.com/1/6712/details/YSAR-18-0004-E.pdf"}, {"name": "104376", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104376"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-151-03"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2018-05-31T00:00:00", "ID": "CVE-2018-10592", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "STARDOM FCJ Controllers", "version": {"version_data": [{"version_value": "R4.02 and prior"}]}}, {"product_name": "STARDOM FCN-100 Controllers", "version": {"version_data": [{"version_value": "R4.02 and prior"}]}}, {"product_name": "STARDOM FCN-RTU Controllers", "version": {"version_data": [{"version_value": "R4.02 and prior"}]}}, {"product_name": "STARDOM FCN-500 Controllers", "version": {"version_data": [{"version_value": "R4.02 and prior"}]}}]}, "vendor_name": "Yokogawa"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "USE OF HARD-CODED CREDENTIALS CWE-798"}]}]}, "references": {"reference_data": [{"name": "https://web-material3.yokogawa.com/1/6712/details/YSAR-18-0004-E.pdf", "refsource": "CONFIRM", "url": "https://web-material3.yokogawa.com/1/6712/details/YSAR-18-0004-E.pdf"}, {"name": "104376", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104376"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-151-03", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-151-03"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-10592", "datePublished": "2018-05-31T00:00:00", "dateReserved": "2018-05-01T00:00:00", "dateUpdated": "2018-08-01T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yokogawa:fcj_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFEF0D4A-1FAD-4935-BB42-2120EEEEA205", "versionEndIncluding": "r4.02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yokogawa:fcj:-:*:*:*:*:*:*:*", "matchCriteriaId": "B69DBB88-A5E6-42BA-A7C1-2ADA8CF5349C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yokogawa:fcn-100_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA797459-D1AD-4BD6-9F9B-EECFC2548E31", "versionEndIncluding": "r4.02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yokogawa:fcn-100:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB180CFC-1A4F-4DE9-8A3A-A6F50DDDC892", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yokogawa:fcn-rtu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "301CCAA4-3B78-4074-887F-BD9571FB0171", "versionEndIncluding": "r4.02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yokogawa:fcn-rtu:-:*:*:*:*:*:*:*", "matchCriteriaId": "E636BC2D-506C-4D8D-BD8B-D02776AD3890", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yokogawa:fcn-500_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EB434F5-A970-497E-B5B2-207B9FC6AAAE", "versionEndIncluding": "r4.02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yokogawa:fcn-500:-:*:*:*:*:*:*:*", "matchCriteriaId": "500FFA96-0861-4EBC-8768-68A4D4C6ECB3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution."}, {"lang": "es", "value": "Los controladores Yokogawa STARDOM FCJ R4.02 y anteriores, FCN-100 R4.02 y anteriores, FCN-RTU R4.02 y anteriores y FCN-500 y anteriores R4.02 emplean credenciales embebidas que podr\u00edan permitir que un atacante obtenga acceso administrativo no autorizado al dispositivo, lo que podr\u00eda resultar en la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2018-10592", "lastModified": "2019-10-09T23:32:51.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-31T17:29:00.233", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104376"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-151-03"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://web-material3.yokogawa.com/1/6712/details/YSAR-18-0004-E.pdf"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}