cnvd - cnvd-2017-22830

CNVD-2017-22830

Vulnerability from cnvd - Published: 2017-08-25

Title

Schneider Electric Ampla MES弱密码漏洞

Description

Ampla Manufacturing Execution System (MES) 是法国施耐德电气（Schneider Electric）公司的一款用于生产车间、生产工厂进行现场生产管理的制造执行系统。 Schneider Electric Ampla MES存在弱密码漏洞，Ampla MES提供配置用户及其权限的功能。当Ampla MES用户配置为使用简单安全性时，攻击者可利用漏洞扭转用户的密码。

Severity

中

Patch Name

Schneider Electric Ampla MES弱密码漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://shoppingkiosk.schneider-electric.com/doc_info.aspx?DocRef=Ampla2016R1Software&isdvd=False&df=12&gid=411131

Reference

http://www.securityfocus.com/bid/99469 https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05

Impacted products

Name
Schneider Electric Ampla MES <=6.4

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "99469"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9635"
    }
  },
  "description": "Ampla Manufacturing Execution System (MES) \u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u751f\u4ea7\u8f66\u95f4\u3001\u751f\u4ea7\u5de5\u5382\u8fdb\u884c\u73b0\u573a\u751f\u4ea7\u7ba1\u7406\u7684\u5236\u9020\u6267\u884c\u7cfb\u7edf\u3002\r\n\r\nSchneider Electric Ampla MES\u5b58\u5728\u5f31\u5bc6\u7801\u6f0f\u6d1e\uff0cAmpla MES\u63d0\u4f9b\u914d\u7f6e\u7528\u6237\u53ca\u5176\u6743\u9650\u7684\u529f\u80fd\u3002\u5f53Ampla MES\u7528\u6237\u914d\u7f6e\u4e3a\u4f7f\u7528\u7b80\u5355\u5b89\u5168\u6027\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u626d\u8f6c\u7528\u6237\u7684\u5bc6\u7801\u3002",
  "discovererName": "Ilya Karpov",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://shoppingkiosk.schneider-electric.com/doc_info.aspx?DocRef=Ampla2016R1Software\u0026isdvd=False\u0026df=12\u0026gid=411131",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-22830",
  "openTime": "2017-08-25",
  "patchDescription": "Ampla Manufacturing Execution System (MES) \u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u751f\u4ea7\u8f66\u95f4\u3001\u751f\u4ea7\u5de5\u5382\u8fdb\u884c\u73b0\u573a\u751f\u4ea7\u7ba1\u7406\u7684\u5236\u9020\u6267\u884c\u7cfb\u7edf\u3002\r\n\r\nSchneider Electric Ampla MES\u5b58\u5728\u5f31\u5bc6\u7801\u6f0f\u6d1e\uff0cAmpla MES\u63d0\u4f9b\u914d\u7f6e\u7528\u6237\u53ca\u5176\u6743\u9650\u7684\u529f\u80fd\u3002\u5f53Ampla MES\u7528\u6237\u914d\u7f6e\u4e3a\u4f7f\u7528\u7b80\u5355\u5b89\u5168\u6027\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u626d\u8f6c\u7528\u6237\u7684\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Schneider Electric Ampla MES\u5f31\u5bc6\u7801\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Schneider Electric Ampla MES \u003c=6.4"
  },
  "referenceLink": "http://www.securityfocus.com/bid/99469\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-17-187-05",
  "serverity": "\u4e2d",
  "submitTime": "2017-07-11",
  "title": "Schneider Electric Ampla MES\u5f31\u5bc6\u7801\u6f0f\u6d1e"
}

CVE-2017-9635 (GCVE-0-2017-9635)

Vulnerability from cvelistv5 – Published: 2018-05-18 13:00 – Updated: 2024-09-17 03:28

Summary

Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.

Severity ?

No CVSS data available.

CWE

CWE-326 - Inadequate encryption strength CWE-326

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05	x_refsource_MISC
	http://software.schneider-electric.com/pdf/securi…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/99469	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Schneider Electric SE	Ampla MES	Affected: versions 6.4 and prior

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:11:02.328Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"
          },
          {
            "name": "99469",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/99469"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ampla MES",
          "vendor": "Schneider Electric SE",
          "versions": [
            {
              "status": "affected",
              "version": "versions 6.4 and prior"
            }
          ]
        }
      ],
      "datePublic": "2017-06-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user\u0027s password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "Inadequate encryption strength CWE-326",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-19T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"
        },
        {
          "name": "99469",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/99469"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2017-06-30T00:00:00",
          "ID": "CVE-2017-9635",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Ampla MES",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 6.4 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Schneider Electric SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user\u0027s password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate encryption strength CWE-326"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"
            },
            {
              "name": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/",
              "refsource": "CONFIRM",
              "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"
            },
            {
              "name": "99469",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/99469"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-9635",
    "datePublished": "2018-05-18T13:00:00Z",
    "dateReserved": "2017-06-14T00:00:00",
    "dateUpdated": "2024-09-17T03:28:56.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-22830

CVE-2017-9635 (GCVE-0-2017-9635)

Tags

Sightings

Nomenclature