Remote Code Execution Vulnerability in Siemens DIGSI 4 and EN100 Ethernet Modules
CVE-2018-4840

7.5HIGH

Key Information:

Vendor
Siemens
Status
Digsi 4
En100 Ethernet Module Dnp3 Variant
En100 Ethernet Module Iec 104 Variant
En100 Ethernet Module Iec 61850 Variant
Vendor
CVE Published:
8 March 2018

Summary

A vulnerability exists in Siemens DIGSI 4 and various EN100 Ethernet modules that enables an unauthenticated remote attacker to upload modified device configurations. This can result in overwriting access authorization passwords, potentially compromising the integrity and security of the devices involved. The affected modules include several variants such as DNP3, IEC 104, IEC 61850, Modbus TCP, and PROFINET IO, making it imperative for users to apply the necessary updates to mitigate risks.

Affected Version(s)

DIGSI 4 All versions < V4.92

EN100 Ethernet module DNP3 variant All versions < V1.05.00

EN100 Ethernet module IEC 104 variant All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-20330...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.