var-201303-0007
Vulnerability from variot
Siemens WinCC (TIA Portal) 11 uses a reversible algorithm for storing HMI web-application passwords in world-readable and world-writable files, which allows local users to obtain sensitive information by leveraging (1) physical access or (2) Sm@rt Server access. The Siemens SIMATIC WinCC TIA Portal covers engineering tools for the entire HMI field, from compact series panels to SCADA systems. There are several vulnerabilities in the Siemens SIMATIC WinCC TIA Portal that can be exploited by malicious users to disclose sensitive information, bypass security restrictions, insert and execute scripts, cause denial of service, and so on. 1. There is an error in processing HTTP requests, which can be exploited to cause the HMI web server to crash. 2. Some of the input to the HMI web application is not properly filtered and can be used to insert arbitrary HTML and script code, or to insert arbitrary HTTP headers. 3. URLs that access certain files are not properly filtered, which can be used to leak the source code of the panel's server-side web application files. Successful exploitation of these vulnerabilities requires the web server to be open. Siemens SIMATIC WinCC TIA Portal is prone to multiple security vulnerabilities, including: 1. A security-bypass vulnerability 2. A denial-of-service vulnerability 3. An HTML-injection vulnerability 4. An information-disclosure vulnerability 5. An HTTP-header-injection vulnerability 6. An information-disclosure vulnerability 7. A cross-site scripting vulnerability Attackers can exploit these issues to bypass certain security restrictions, obtain sensitive information and gain unauthorized access, allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, insert arbitrary headers into an HTTP response, or perform a denial-of-service attack. Other attacks may be possible. (Only the first sentence describes CVE-2011-4515, the password-storage issue that the CVSS vector and CWE entries in this record refer to; the remaining text appears to be aggregated from the other source databases listed for this entry and covers the wider set of WinCC (TIA Portal) 11 issues.)
Siemens SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system from the German company Siemens. The system provides process monitoring, data acquisition and other functions.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201303-0007", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "wincc tia portal", "scope": "eq", "trust": 1.6, "vendor": "siemens", "version": "11.0" }, { "model": "simatic wincc", "scope": "eq", "trust": 0.8, "vendor": "siemens", "version": "11" }, { "model": "simatic wincc tia portal", "scope": "eq", "trust": 0.6, 
"vendor": "siemens", "version": "11.x" }, { "model": null, "scope": "eq", "trust": 0.2, "vendor": "wincc tia portal", "version": "11.0" } ], "sources": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "NVD", "id": "CVE-2011-4515" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:siemens:wincc_tia_portal:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2011-4515" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, and Ilya Karpov from Positive Technologies.", "sources": [ { "db": "BID", "id": "58567" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ], "trust": 0.9 }, "cve": "CVE-2011-4515", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": 
"https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Local", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 4.6, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2011-4515", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "id": "CNVD-2013-02166", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "IVD", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "id": "0906f0c4-2353-11e6-abef-000c29c66e3d", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.2, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.9 [IVD]" }, { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", 
"author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "id": "VHN-52460", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:L/AC:L/AU:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2011-4515", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2013-02166", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201303-404", "trust": 0.6, "value": "MEDIUM" }, { "author": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-52460", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "VULHUB", "id": "VHN-52460" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "NVD", "id": "CVE-2011-4515" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Siemens WinCC (TIA Portal) 11 uses a reversible algorithm for storing HMI web-application passwords in world-readable and world-writable files, which allows local users to obtain sensitive information by leveraging (1) physical access or (2) Sm@rt Server access. The Siemens SIMATIC WinCC TIA Portal covers engineering tools for the entire HMI field, from compact series panels to SCADA systems. There are several vulnerabilities in the Siemens SIMATIC WinCC TIA Portal that can be exploited by malicious users to disclose sensitive information, bypass security restrictions, insert and execute scripts, cause denial of service, and so on. 1. 
There is an error in processing the HTTP request, which can be exploited to cause the HMI web server to crash. 2. Some of the input in the HMI web application is not properly filtered and can be used to insert arbitrary HTML and script code, or to insert any HTTP header. 3, some URLs are not properly filtered to access certain files, can be used to leak the source code of the panel server-side web application files. To successfully exploit these vulnerabilities, you need to open the web server. Siemens SIMATIC WinCC TIA Portal is prone to multiple security vulnerabilities, including:\n1. A security-bypass vulnerability\n2. A denial-of-service vulnerability\n3. An HTML-injection vulnerability\n4. An information-disclosure vulnerability\n5. An HTTP-header-injection vulnerability\n6. An information-disclosure vulnerability\n7. A cross-site scripting vulnerability\nAttackers can exploit these issues to bypass certain security restrictions, obtain sensitive information and gain unauthorized access, allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, insert arbitrary headers into an HTTP response, or perform a denial-of-service attack. Other attacks may be possible. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). 
The system provides process monitoring, data acquisition and other functions", "sources": [ { "db": "NVD", "id": "CVE-2011-4515" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "BID", "id": "58567" }, { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "VULHUB", "id": "VHN-52460" } ], "trust": 2.7 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2011-4515", "trust": 3.7 }, { "db": "ICS CERT", "id": "ICSA-13-079-03", "trust": 3.1 }, { "db": "SIEMENS", "id": "SSA-212483", "trust": 1.7 }, { "db": "BID", "id": "58567", "trust": 1.0 }, { "db": "CNNVD", "id": "CNNVD-201303-404", "trust": 0.9 }, { "db": "CNVD", "id": "CNVD-2013-02166", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2013-001963", "trust": 0.8 }, { "db": "SECUNIA", "id": "52646", "trust": 0.6 }, { "db": "IVD", "id": "0906F0C4-2353-11E6-ABEF-000C29C66E3D", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "120897", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-52460", "trust": 0.1 } ], "sources": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "VULHUB", "id": "VHN-52460" }, { "db": "BID", "id": "58567" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "PACKETSTORM", "id": "120897" }, { "db": "NVD", "id": "CVE-2011-4515" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "id": "VAR-201303-0007", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "VULHUB", "id": "VHN-52460" } ], "trust": 
1.4994691150000001 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2013-02166" } ] }, "last_update_date": "2023-12-18T12:21:48.159000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "http://www.siemens.com/entry/cc/en/" }, { "title": "SSA-212483: Vulnerabilities in WinCC (TIA Portal) V11", "trust": 0.8, "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf" }, { "title": "\u30b7\u30fc\u30e1\u30f3\u30b9\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u30d1\u30fc\u30c8\u30ca\u30fc", "trust": 0.8, "url": "http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx" }, { "title": "\u30b7\u30fc\u30e1\u30f3\u30b9\u30fb\u30b8\u30e3\u30d1\u30f3\u682a\u5f0f\u4f1a\u793e", "trust": 0.8, "url": "http://www.siemens.com/answers/jp/ja/" }, { "title": "Siemens SIMATIC WinCC TIA Portal has patches for multiple vulnerabilities", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/33006" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-255", "trust": 1.1 }, { "problemtype": "CWE-310", "trust": 0.8 } ], "sources": [ { "db": 
"VULHUB", "id": "VHN-52460" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "NVD", "id": "CVE-2011-4515" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.1, "url": "http://ics-cert.us-cert.gov/pdf/icsa-13-079-03.pdf" }, { "trust": 1.7, "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4515" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4515" }, { "trust": 0.6, "url": "http://secunia.com/advisories/52646" }, { "trust": 0.3, "url": "http://subscriber.communications.siemens.com/" }, { "trust": 0.3, "url": "http://aunz.siemens.com/newscentre/productreleases/pages/iac_pr_simaticwinccv62.aspx" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-4515" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "VULHUB", "id": "VHN-52460" }, { "db": "BID", "id": "58567" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "PACKETSTORM", "id": "120897" }, { "db": "NVD", "id": "CVE-2011-4515" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2013-02166" }, { "db": "VULHUB", "id": "VHN-52460" }, { "db": "BID", "id": "58567" }, { "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "db": "PACKETSTORM", "id": "120897" }, { "db": "NVD", "id": "CVE-2011-4515" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } 
}, "data": [ { "date": "2013-03-26T00:00:00", "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "date": "2013-03-26T00:00:00", "db": "CNVD", "id": "CNVD-2013-02166" }, { "date": "2013-03-21T00:00:00", "db": "VULHUB", "id": "VHN-52460" }, { "date": "2013-03-15T00:00:00", "db": "BID", "id": "58567" }, { "date": "2013-03-25T00:00:00", "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "date": "2013-03-21T15:00:32", "db": "PACKETSTORM", "id": "120897" }, { "date": "2013-03-21T14:55:01.423000", "db": "NVD", "id": "CVE-2011-4515" }, { "date": "2013-03-20T00:00:00", "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2013-03-26T00:00:00", "db": "CNVD", "id": "CNVD-2013-02166" }, { "date": "2013-05-31T00:00:00", "db": "VULHUB", "id": "VHN-52460" }, { "date": "2013-03-15T00:00:00", "db": "BID", "id": "58567" }, { "date": "2013-03-25T00:00:00", "db": "JVNDB", "id": "JVNDB-2013-001963" }, { "date": "2013-05-31T04:00:00", "db": "NVD", "id": "CVE-2011-4515" }, { "date": "2013-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-201303-404" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-201303-404" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Siemens WinCC Vulnerability in which important information is obtained", "sources": [ { "db": "JVNDB", "id": "JVNDB-2013-001963" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "Trust management", "sources": [ { "db": "IVD", "id": "0906f0c4-2353-11e6-abef-000c29c66e3d" }, { "db": "CNNVD", "id": "CNNVD-201303-404" } ], "trust": 0.8 } }