CVE-2018-10603
published 2018-07-31

Priority: P2 · 63 · critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.41% (87.4th percentile)

Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior do not perform authentication of IEC-104 control commands, which may allow a rogue node to remotely control the industrial process.

Affected

4 ranges
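| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| martem | telem-gw6_firmware | <= 2018.04.18-linux_4-01-601cb47 | |
| martem | telem-gwm_firmware | <= 2018.04.18-linux_4-01-601cb47 | |
| martem | telem_gw6 | | |
| martem | telem_gwm | | |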

Detection & IOCs (extracted from sources)

  • Monitor for unauthenticated IEC-104 control commands (ASDU type C_SC_NA_1, C_DC_NA_1, etc.) originating from unexpected or untrusted source IP addresses on IEC-104 default port (TCP/2404), as the RTU does not perform authentication of these commands.
  • Alert on IEC-104 connections where new connections to IOAs are created repeatedly without proper closure — this pattern indicates exploitation of the resource exhaustion vector (CVE-2018-10607) and may accompany CVE-2018-10603 abuse.
  • Flag any IEC-104 control traffic to Martem TELEM-GW6/GWM devices running firmware versions prior to 2018.04.18-linux_4-01-601cb47 (NVD) or GW6/GWM versions prior to 2.0.87-4018403-k4 from nodes not listed in the 'other side IP' whitelist field of the RTU configuration.
  • The missing authentication vulnerability is configuration-dependent: risk is significantly reduced if the 'other side IP' field is populated in the RTU configuration for every TCP/IP channel, restricting IEC-104 control to trusted partners only.
  • The firewall must be enabled in the RTU configuration AND the 'interface' field of every communication channel must be correctly set; misconfiguration of either negates the firewall protection against unauthenticated IEC-104 commands.
  • Not all firmware versions are affected by all four vulnerabilities; detection should be scoped to devices confirmed to be running affected firmware versions.
  • No known public exploits exist for this vulnerability at time of advisory publication, reducing but not eliminating detection urgency.
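
The first and third monitoring items above can be sketched as a passive check over captured TCP/2404 payloads. This is an added example, not code from the advisory or the vendor: the function names are hypothetical, the allowlist is assumed to mirror the RTU's 'other side IP' entries, and the "etc." in the first item is expanded to the IEC 60870-5-104 process-command type IDs 45-51 and 58-64.

```python
# IEC 60870-5-104 process-command type IDs (control direction).
CONTROL_TYPES = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1",
    59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
    63: "C_SE_TC_1", 64: "C_BO_TA_1",
}
ACTIVATION, DEACTIVATION = 6, 8  # causes of transmission sent by a controlling station

def iter_apdus(payload):
    """Yield control field + ASDU for each APDU packed in one TCP payload."""
    i = 0
    while i + 2 <= len(payload) and payload[i] == 0x68:  # 0x68 = APDU start byte
        length = payload[i + 1]                          # bytes after the length octet
        if length < 4 or i + 2 + length > len(payload):
            return                                       # malformed or truncated: stop
        yield payload[i + 2:i + 2 + length]
        i += 2 + length

def control_commands(payload):
    """Return (type_name, common_address, ioa) for each command ASDU found."""
    found = []
    for apdu in iter_apdus(payload):
        asdu = apdu[4:]                        # skip the 4 control-field octets
        if apdu[0] & 0x01 or len(asdu) < 9:    # S/U-format frame, or ASDU too short
            continue
        type_id, cause = asdu[0], asdu[2] & 0x3F   # cause = low 6 bits of COT
        if type_id in CONTROL_TYPES and cause in (ACTIVATION, DEACTIVATION):
            found.append((CONTROL_TYPES[type_id],
                          int.from_bytes(asdu[4:6], "little"),
                          int.from_bytes(asdu[6:9], "little")))
    return found

def untrusted_commands(segments, allowed_sources):
    """segments: iterable of (src_ip, tcp_payload) observed towards TCP/2404."""
    return [(src, *cmd) for src, payload in segments
            if src not in allowed_sources
            for cmd in control_commands(payload)]

# Constructed sample data: documentation address ranges and hand-built frames.
ALLOWED = {"192.0.2.10"}  # assumption: mirrors the RTU's 'other side IP' entries
SAMPLE = [
    ("192.0.2.10", bytes.fromhex("680407000000" "680e000000002d01060001000a000081")),
    ("198.51.100.23", bytes.fromhex("680e020000002e01060001000b000082")),
    ("198.51.100.23", bytes.fromhex("680e0400000001010300010064000001")),
]

if __name__ == "__main__":
    for alert in untrusted_commands(SAMPLE, ALLOWED):
        print("ALERT unauthorised IEC-104 command:", alert)
```

Only the double command from the non-allowlisted source is reported; the allowlisted single command and the monitor-direction frame are not.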

CVSS provenance

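| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |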