Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-13813

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15 Update 4), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V15 Update 4), SIMATIC WinCC Runtime Professional (All versions < V15 Update 4), SIMATIC WinCC (TIA Portal) (All versions < V15 Update 4), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The webserver of affected HMI devices may allow URL redirections to untrusted websites. An attacker must trick a valid user who is authenticated to the device into clicking on a malicious link to exploit the vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published

2018-12-13T16:29:00.320

Last Modified

2024-11-21T03:48:07.380

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-601
Type: Primary
CWE-601

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	siemens	simatic_hmi_comfort_panels_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_comfort_panels	-	No
Operating System	siemens	simatic_hmi_comfort_outdoor_panels_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_comfort_outdoor_panels	-	No
Operating System	siemens	simatic_hmi_ktp_mobile_panels_ktp400f_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_ktp_mobile_panels_ktp400f	-	No
Operating System	siemens	simatic_hmi_ktp_mobile_panels_ktp700_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_ktp_mobile_panels_ktp700	-	No
Operating System	siemens	simatic_hmi_ktp_mobile_panels_ktp700f_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_ktp_mobile_panels_ktp700f	-	No
Operating System	siemens	simatic_hmi_ktp_mobile_panels_ktp900_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_ktp_mobile_panels_ktp900	-	No
Operating System	siemens	simatic_hmi_ktp_mobile_panels_ktp900f_firmware	≤ 15.0	Yes
Hardware	siemens	simatic_hmi_ktp_mobile_panels_ktp900f	-	No
Application	siemens	simatic_wincc_\(tia_portal\)	≤ 15.0	Yes
Application	siemens	simatic_wincc_runtime	≤ 15.0	Yes
Application	siemens	simatic_wincc_runtime	≤ 15.0	Yes
Operating System	siemens	simatic_hmi_tp_firmware	*	Yes
Hardware	siemens	simatic_hmi_tp	-	No
Operating System	siemens	simatic_hmi_mp_firmware	*	Yes
Hardware	siemens	simatic_hmi_mp	-	No
Operating System	siemens	simatic_hmi_op_firmware	*	Yes
Hardware	siemens	simatic_hmi_op	-	No

References

http://www.securityfocus.com/bid/105922 Third Party Advisory, VDB Entry ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-233109.pdf Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/105922 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-233109.pdf Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)