PT-2018-2167 · Siemens · Simatic It Lms+2

Published: 2018-11-13 · Updated: 2019-10-09 · CVE-2018-13804

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

SIMATIC IT LMS, all versions
SIMATIC IT Production Suite, versions prior to V7.1 Upd3
SIMATIC IT UA Discrete Manufacturing, versions prior to V1.2
SIMATIC IT UA Discrete Manufacturing, version V1.2
SIMATIC IT UA Discrete Manufacturing, version V1.3
SIMATIC IT UA Discrete Manufacturing, version V2.3
SIMATIC IT UA Discrete Manufacturing, version V2.4
Description

The vulnerability stems from weaknesses in the software's authentication mechanisms. An attacker with network access to the installation could bypass application-level authentication. Exploitation requires network access and a valid username, but no user privileges and no user interaction. Successful exploitation could compromise the confidentiality, integrity, and availability of the system. No public exploitation of this issue was known at the time of reporting.
Recommendations

SIMATIC IT LMS: update to a version that addresses the authentication mechanism weaknesses.
SIMATIC IT Production Suite, versions prior to V7.1 Upd3: update to V7.1 Upd3 or later.
SIMATIC IT UA Discrete Manufacturing, versions prior to V1.2: update to V1.2 or later.
SIMATIC IT UA Discrete Manufacturing, version V1.2: consider disabling vulnerable authentication functions until a patch is available.
SIMATIC IT UA Discrete Manufacturing, version V1.3: restrict access to vulnerable modules to minimize exploitation risk.
SIMATIC IT UA Discrete Manufacturing, version V2.3: avoid using vulnerable parameters in affected API endpoints until the issue is resolved.
SIMATIC IT UA Discrete Manufacturing, version V2.4: apply configuration changes to enhance authentication security.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2019-00120
CVE-2018-13804

Affected Products

Simatic It Lms
Simatic It Production Suite
Simatic It Ua Discrete Manufacturing