var-201202-0163
Vulnerability from variot
Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string. plural Siemens Product runtime loader HmiLoad Is Transfer A directory traversal vulnerability exists when the mode is enabled.By a third party .. ( Dot dot ) Arbitrary files may be executed, read, created, modified, or deleted via strings containing. Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request to allow the server to access any illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad provides functions that read data and unicode strings with stack-based buffer overflows, allowing an attacker to exploit a vulnerability to execute arbitrary code. HmiLoad has multiple security vulnerabilities that allow an attacker to stop a service or crash a service in multiple ways. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory. Siemens SIMATIC is an automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When the transfer mode is enabled, the runtime loader listens on the 2308/TCP or 50523/TCP port, but does not verify the submitted string, allowing the attacker to read and write any file in the file system. Attackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible. (dots) in strings. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
TITLE: Siemens SIMATIC WinCC Flexible HMI Miniweb Two Vulnerabilities
SECUNIA ADVISORY ID: SA46997
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46997/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46997
RELEASE DATE: 2011-11-30
DISCUSS ADVISORY: http://secunia.com/advisories/46997/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)
http://secunia.com/advisories/46997/
ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46997
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION: Luigi Auriemma has discovered two vulnerabilities in Siemens SIMATIC WinCC Flexible, which can be exploited by malicious people to disclose potentially sensitive information and cause a DoS (Denial of Service).
1) An input sanitisation error in Miniweb.exe when handling HTTP GET requests can be exploited to download arbitrary files via directory traversal attacks sent in a web request.
2) An input validation error in Miniweb.exe when handling HTTP POST requests can be exploited to crash the process via specially crafted content sent in a web request.
The vulnerabilities are confirmed in version 2008 SP2 Upd13 (K01.03.02.13_01.02.00.01). Other versions may also be affected.
SOLUTION: Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma
ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/winccflex_1-adv.txt
OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201202-0163",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "simatic wincc flexible runtime",
"scope": null,
"trust": 3.6,
"vendor": "siemens",
"version": null
},
{
"model": "simatic wincc flexible sp2",
"scope": "eq",
"trust": 3.3,
"vendor": "siemens",
"version": "2008"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 2.4,
"vendor": "siemens",
"version": "mp"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 2.4,
"vendor": "siemens",
"version": "op"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 2.4,
"vendor": "siemens",
"version": "tp"
},
{
"model": "simatic wincc flexible",
"scope": "eq",
"trust": 1.7,
"vendor": "siemens",
"version": "2008"
},
{
"model": "simatic wincc flexible",
"scope": "eq",
"trust": 1.7,
"vendor": "siemens",
"version": "2007"
},
{
"model": "simatic wincc flexible",
"scope": "eq",
"trust": 1.7,
"vendor": "siemens",
"version": "2005"
},
{
"model": "simatic wincc flexible",
"scope": "eq",
"trust": 1.7,
"vendor": "siemens",
"version": "2004"
},
{
"model": "wincc flexible",
"scope": "eq",
"trust": 1.6,
"vendor": "siemens",
"version": "2008"
},
{
"model": "wincc",
"scope": "eq",
"trust": 1.6,
"vendor": "siemens",
"version": "v11"
},
{
"model": "wincc flexible",
"scope": "eq",
"trust": 1.6,
"vendor": "siemens",
"version": "2007"
},
{
"model": "wincc runtime advanced",
"scope": "eq",
"trust": 1.6,
"vendor": "siemens",
"version": "v11"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 1.6,
"vendor": "siemens",
"version": "comfort_panels"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 1.6,
"vendor": "siemens",
"version": "mobile_panels"
},
{
"model": "simatic wincc",
"scope": "eq",
"trust": 1.4,
"vendor": "siemens",
"version": "v11"
},
{
"model": "wincc flexible",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "2005"
},
{
"model": "wincc flexible",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "2004"
},
{
"model": "wincc flexible runtime",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 0.8,
"vendor": "siemens",
"version": "comfort panels"
},
{
"model": "simatic hmi panels",
"scope": "eq",
"trust": 0.8,
"vendor": "siemens",
"version": "mobile panels"
},
{
"model": "simatic wincc flexible rumtime",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "simatic wincc runtime advanced",
"scope": "eq",
"trust": 0.8,
"vendor": "siemens",
"version": "v11"
},
{
"model": "simatic wincc runtime advanced",
"scope": null,
"trust": 0.6,
"vendor": "siemens",
"version": null
},
{
"model": "simatic hmi panels",
"scope": null,
"trust": 0.6,
"vendor": "siemens",
"version": null
},
{
"model": "simatic wincc",
"scope": null,
"trust": 0.6,
"vendor": "siemens",
"version": null
},
{
"model": "wincc flexible runtime",
"scope": null,
"trust": 0.6,
"vendor": "siemens",
"version": null
},
{
"model": "simatic wincc flexible runtime",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "0"
},
{
"model": "simatic wincc flexible sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "2008"
},
{
"model": "simatic wincc flexible sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "2005"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc flexible",
"version": "2004"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc flexible",
"version": "2005"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc flexible",
"version": "2007"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc flexible",
"version": "2008"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc",
"version": "v11"
},
{
"model": "comfort panels",
"scope": null,
"trust": 0.2,
"vendor": "simatic hmi panels",
"version": null
},
{
"model": "mobile panels",
"scope": null,
"trust": 0.2,
"vendor": "simatic hmi panels",
"version": null
},
{
"model": "mp",
"scope": null,
"trust": 0.2,
"vendor": "simatic hmi panels",
"version": null
},
{
"model": "op",
"scope": null,
"trust": 0.2,
"vendor": "simatic hmi panels",
"version": null
},
{
"model": "tp",
"scope": null,
"trust": 0.2,
"vendor": "simatic hmi panels",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc runtime advanced",
"version": "v11"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "wincc flexible runtime",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "BID",
"id": "50828"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc_flexible:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc_flexible:2008:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc_flexible:2005:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc_flexible:2007:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc:v11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_hmi_panels:tp:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_hmi_panels:op:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_hmi_panels:mobile_panels:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_hmi_panels:mp:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_hmi_panels:comfort_panels:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc_runtime_advanced:v11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:wincc_flexible_runtime:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2011-4876"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Luigi Auriemma",
"sources": [
{
"db": "BID",
"id": "50828"
},
{
"db": "CNNVD",
"id": "CNNVD-201111-480"
}
],
"trust": 0.9
},
"cve": "CVE-2011-4876",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.3,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2011-4876",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "28b71d12-2354-11e6-abef-000c29c66e3d",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-52821",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2011-4876",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201202-091",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-52821",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-52821"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string. plural Siemens Product runtime loader HmiLoad Is Transfer A directory traversal vulnerability exists when the mode is enabled.By a third party .. ( Dot dot ) Arbitrary files may be executed, read, created, modified, or deleted via strings containing. Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request to allow the server to access any illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad provides functions that read data and unicode strings with stack-based buffer overflows, allowing an attacker to exploit a vulnerability to execute arbitrary code. HmiLoad has multiple security vulnerabilities that allow an attacker to stop a service or crash a service in multiple ways. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory. Siemens SIMATIC is an automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When the transfer mode is enabled, the runtime loader listens on the 2308/TCP or 50523/TCP port, but does not verify the submitted string, allowing the attacker to read and write any file in the file system. \nAttackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible. (dots) in strings. ----------------------------------------------------------------------\n\nSecunia is hiring!\n\nFind your next job here:\n\nhttp://secunia.com/company/jobs/\n\n----------------------------------------------------------------------\n\nTITLE:\nSiemens SIMATIC WinCC Flexible HMI Miniweb Two Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA46997\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/46997/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46997\n\nRELEASE DATE:\n2011-11-30\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/46997/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/46997/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46997\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nLuigi Auriemma has discovered two vulnerabilities in Siemens SIMATIC\nWinCC Flexible, which can be exploited by malicious people to\ndisclose potentially sensitive information and cause a DoS (Denial of\nService). \n\n1) An input sanitisation error in Miniweb.exe when handling HTTP GET\nrequests can be exploited to download arbitrary files via directory\ntraversal attacks sent in a web request. \n\n2) An input validation error in Miniweb.exe when handling HTTP POST\nrequests can be exploited to crash the process via specially crafted\ncontent sent in a web request. \n\nThe vulnerabilities are confirmed in version 2008 SP2 Upd13\n(K01.03.02.13_01.02.00.01). Other versions may also be affected. \n\nSOLUTION:\nRestrict access to trusted hosts only. \n\nPROVIDED AND/OR DISCOVERED BY:\nLuigi Auriemma\n\nORIGINAL ADVISORY:\nhttp://aluigi.altervista.org/adv/winccflex_1-adv.txt\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "BID",
"id": "50828"
},
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-52821"
},
{
"db": "PACKETSTORM",
"id": "107419"
}
],
"trust": 5.49
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-52821",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-52821"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "50828",
"trust": 3.9
},
{
"db": "NVD",
"id": "CVE-2011-4876",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-12-030-01",
"trust": 3.4
},
{
"db": "SIEMENS",
"id": "SSA-345442",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "46997",
"trust": 1.2
},
{
"db": "ICS CERT ALERT",
"id": "ICS-ALERT-11-332-02A",
"trust": 1.1
},
{
"db": "ICS CERT ALERT",
"id": "ICS-ALERT-11-332-02",
"trust": 1.1
},
{
"db": "OSVDB",
"id": "77381",
"trust": 1.1
},
{
"db": "EXPLOIT-DB",
"id": "18166",
"trust": 1.1
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2012-0466",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2011-5108",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2011-5110",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2011-5103",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2011-5107",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2011-5105",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201111-480",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-12-030-01A",
"trust": 0.3
},
{
"db": "IVD",
"id": "28B71D12-2354-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-52821",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "107419",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "VULHUB",
"id": "VHN-52821"
},
{
"db": "BID",
"id": "50828"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "PACKETSTORM",
"id": "107419"
},
{
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"db": "CNNVD",
"id": "CNNVD-201111-480"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"id": "VAR-201202-0163",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "VULHUB",
"id": "VHN-52821"
}
],
"trust": 4.553665231428571
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 3.8
}
],
"sources": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
}
]
},
"last_update_date": "2023-12-18T12:22:07.865000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SSA-345442",
"trust": 0.8,
"url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf"
},
{
"title": "\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u30d1\u30fc\u30c8\u30ca\u30fc",
"trust": 0.8,
"url": "http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.siemens.com/entry/jp/ja/"
},
{
"title": "Patch for Siemens SIMATIC WinCC Flexible Runtime \u0027HmiLoad.exe\u0027 file download vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/72694"
},
{
"title": "Siemens SIMATIC WinCC Flexible Runtime \u0027HmiLoad.exe\u0027 memory access vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/72697"
},
{
"title": "Siemens SIMATIC WinCC Flexible Runtime \u0027HmiLoad.exe\u0027 Buffer Overflow Vulnerability Patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/72705"
},
{
"title": "Siemens SIMATIC WinCC Flexible Runtime \u0027HmiLoad.exe\u0027 service crash vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/72689"
},
{
"title": "Patch for Siemens SIMATIC WinCC HMI Directory Traversal Vulnerability (CNVD-2012-0466)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/9072"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-52821"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "NVD",
"id": "CVE-2011-4876"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.0,
"url": "http://aluigi.altervista.org/adv/winccflex_1-adv.txt"
},
{
"trust": 3.4,
"url": "http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01.pdf"
},
{
"trust": 1.7,
"url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf"
},
{
"trust": 1.1,
"url": "http://www.exploit-db.com/exploits/18166"
},
{
"trust": 1.1,
"url": "http://aluigi.org/adv/winccflex_1-adv.txt"
},
{
"trust": 1.1,
"url": "http://www.us-cert.gov/control_systems/pdf/ics-alert-11-332-02.pdf"
},
{
"trust": 1.1,
"url": "http://www.us-cert.gov/control_systems/pdf/ics-alert-11-332-02a.pdf"
},
{
"trust": 1.1,
"url": "http://www.osvdb.org/77381"
},
{
"trust": 1.1,
"url": "http://secunia.com/advisories/46997"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71450"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4876"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4876"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/50828"
},
{
"trust": 0.3,
"url": "http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/wincc-flexible/wincc-flexible-runtime/pages/default.aspx"
},
{
"trust": 0.3,
"url": "http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01a.pdf"
},
{
"trust": 0.1,
"url": "http://secunia.com/company/jobs/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_intelligence/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/personal/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/46997/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=46997"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/46997/#comments"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "VULHUB",
"id": "VHN-52821"
},
{
"db": "BID",
"id": "50828"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "PACKETSTORM",
"id": "107419"
},
{
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"db": "CNNVD",
"id": "CNNVD-201111-480"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"db": "VULHUB",
"id": "VHN-52821"
},
{
"db": "BID",
"id": "50828"
},
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"db": "PACKETSTORM",
"id": "107419"
},
{
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"db": "CNNVD",
"id": "CNNVD-201111-480"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2012-02-07T00:00:00",
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"date": "2011-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"date": "2011-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"date": "2011-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"date": "2011-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"date": "2011-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"date": "2012-02-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"date": "2012-02-03T00:00:00",
"db": "VULHUB",
"id": "VHN-52821"
},
{
"date": "2011-11-28T00:00:00",
"db": "BID",
"id": "50828"
},
{
"date": "2012-02-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"date": "2011-11-30T03:40:12",
"db": "PACKETSTORM",
"id": "107419"
},
{
"date": "2012-02-03T20:55:01.937000",
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"date": "1900-01-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201111-480"
},
{
"date": "2012-02-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-03-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5108"
},
{
"date": "2016-03-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5110"
},
{
"date": "2016-03-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5103"
},
{
"date": "2016-03-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5107"
},
{
"date": "2011-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-5105"
},
{
"date": "2012-02-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2012-0466"
},
{
"date": "2017-08-29T00:00:00",
"db": "VULHUB",
"id": "VHN-52821"
},
{
"date": "2012-04-18T21:20:00",
"db": "BID",
"id": "50828"
},
{
"date": "2012-02-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2012-001318"
},
{
"date": "2017-08-29T01:30:37.210000",
"db": "NVD",
"id": "CVE-2011-4876"
},
{
"date": "2011-11-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201111-480"
},
{
"date": "2012-02-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201111-480"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
],
"trust": 1.2
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Siemens Product HmiLoad Vulnerable to directory traversal",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2012-001318"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Path traversal",
"sources": [
{
"db": "IVD",
"id": "28b71d12-2354-11e6-abef-000c29c66e3d"
},
{
"db": "CNNVD",
"id": "CNNVD-201202-091"
}
],
"trust": 0.8
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.