Details of VAR-190001-0187

ID

VAR-190001-0187

TITLE

Control Microsystems ClearSCADA Authentication Security Bypass Vulnerability

Trust: 0.9

sources: BID: 49349 // CNNVD: CNNVD-201108-507

DESCRIPTION

ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. ClearSCADA has a security authentication bypass vulnerability that allows an attacker to exploit sensitive information or perform unauthorized operations. Control Microsystems ClearSCADA is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization. Versions prior to ClearSCADA 2010 R1.1 are vulnerable. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Serck SCX ClearSCADA Web Interface Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA45913 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45913/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45913 RELEASE DATE: 2011-09-06 DISCUSS ADVISORY: http://secunia.com/advisories/45913/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45913/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45913 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Serck SCX, which can be exploited by malicious people to bypass certain security restrictions. For more information: SA45854 The vulnerability is reported in the following products. * Serck SCX version 67 R4.5 * Serck SCX version 68 R3.9 SOLUTION: Update to a fixed version. Contact the vendor for further information. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Jeremy Brown. ORIGINAL ADVISORY: ICS-CERT (ICSA-11-173-01): http://www.us-cert.gov/control_systems/pdf/ICSA-11-173-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.98

sources: CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349 // IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // PACKETSTORM: 104807 // PACKETSTORM: 104818 // PACKETSTORM: 104808

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.6

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522

AFFECTED PRODUCTS

vendor:	control	model:	microsystems clearscada	scope:	eq	version:	20050	Trust: 1.1
vendor:	control	model:	microsystems clearscada r1.0	scope:	eq	version:	2010	Trust: 0.9
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	20090	Trust: 0.9
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	20070	Trust: 0.9
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	2005	Trust: 0.8
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	2009	Trust: 0.6
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	2007	Trust: 0.6
vendor:	control	model:	microsystems clearscada r1.4	scope:	ne	version:	2010	Trust: 0.3
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	2009*	Trust: 0.2
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	2007*	Trust: 0.2
vendor:	control	model:	microsystems clearscada r1.0	scope:	eq	version:	2010*	Trust: 0.2
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	20090*	Trust: 0.2
vendor:	control	model:	microsystems clearscada	scope:	eq	version:	20070*	Trust: 0.2

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349

CVSS

SEVERITY

CVSSV2

CVSSV3

IVD:	baff4362-1f89-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
IVD:	92665854-1f8a-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

IVD:	baff4362-1f89-11e6-abef-000c29c66e3d
severity:	NONE
baseScore:	NONE
vectorString:	NONE
accessVector:	NONE
accessComplexity:	NONE
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	UNKNOWN
Trust: 0.2
IVD:	92665854-1f8a-11e6-abef-000c29c66e3d
severity:	NONE
baseScore:	NONE
vectorString:	NONE
accessVector:	NONE
accessComplexity:	NONE
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	UNKNOWN
Trust: 0.2

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201108-507

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201108-507

PATCH

title:

Control Microsystems ClearSCADA Security Certification bypasses vulnerabilities

url:

https://www.cnvd.org.cn/patchinfo/show/4950

Trust: 0.6

sources: CNVD: CNVD-2011-3420

EXTERNAL IDS

db:	BID	id:	49349	Trust: 1.5
db:	CNVD	id:	CNVD-2011-3522	Trust: 0.8
db:	CNVD	id:	CNVD-2011-3420	Trust: 0.8
db:	SECUNIA	id:	45854	Trust: 0.8
db:	ICS CERT	id:	ICSA-11-173-01	Trust: 0.6
db:	CNNVD	id:	CNNVD-201108-507	Trust: 0.6
db:	IVD	id:	BAFF4362-1F89-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	IVD	id:	92665854-1F8A-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	SECUNIA	id:	45912	Trust: 0.2
db:	SECUNIA	id:	45913	Trust: 0.2
db:	PACKETSTORM	id:	104807	Trust: 0.1
db:	PACKETSTORM	id:	104818	Trust: 0.1
db:	PACKETSTORM	id:	104808	Trust: 0.1

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349 // PACKETSTORM: 104807 // PACKETSTORM: 104818 // PACKETSTORM: 104808 // CNNVD: CNNVD-201108-507

REFERENCES

url:	http://secunia.com/advisories/45854/	Trust: 0.7
url:	http://www.securityfocus.com/bid/49349/info	Trust: 0.6
url:	http://www.us-cert.gov/control_systems/pdf/icsa-11-173-01.pdf	Trust: 0.6
url:	http://www.securityfocus.com/bid/49349	Trust: 0.6
url:	http://www.clearscada.com/index.cfm	Trust: 0.3
url:	http://secunia.com/vulnerability_intelligence/	Trust: 0.3
url:	http://secunia.com/blog/242	Trust: 0.3
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.3
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.3
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.3
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.3
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.3
url:	http://secunia.com/advisories/45912/	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=45912	Trust: 0.1
url:	http://secunia.com/advisories/45912/#comments	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=45854	Trust: 0.1
url:	http://secunia.com/advisories/45854/#comments	Trust: 0.1
url:	http://secunia.com/advisories/45913/	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=45913	Trust: 0.1
url:	http://secunia.com/advisories/45913/#comments	Trust: 0.1

sources: CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349 // PACKETSTORM: 104807 // PACKETSTORM: 104818 // PACKETSTORM: 104808 // CNNVD: CNNVD-201108-507

CREDITS

Jeremy Brown

Trust: 0.9

sources: BID: 49349 // CNNVD: CNNVD-201108-507

SOURCES

db:	IVD	id:	baff4362-1f89-11e6-abef-000c29c66e3d
db:	IVD	id:	92665854-1f8a-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-3420
db:	CNVD	id:	CNVD-2011-3522
db:	BID	id:	49349
db:	PACKETSTORM	id:	104807
db:	PACKETSTORM	id:	104818
db:	PACKETSTORM	id:	104808
db:	CNNVD	id:	CNNVD-201108-507

LAST UPDATE DATE

2022-05-17T22:52:22.029000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-3420	date:	2011-08-31T00:00:00
db:	CNVD	id:	CNVD-2011-3522	date:	2011-09-06T00:00:00
db:	BID	id:	49349	date:	2011-08-29T00:00:00
db:	CNNVD	id:	CNNVD-201108-507	date:	2011-08-31T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	baff4362-1f89-11e6-abef-000c29c66e3d	date:	2011-09-06T00:00:00
db:	IVD	id:	92665854-1f8a-11e6-abef-000c29c66e3d	date:	2011-08-31T00:00:00
db:	CNVD	id:	CNVD-2011-3420	date:	2011-08-31T00:00:00
db:	CNVD	id:	CNVD-2011-3522	date:	2011-09-06T00:00:00
db:	BID	id:	49349	date:	2011-08-29T00:00:00
db:	PACKETSTORM	id:	104807	date:	2011-09-06T04:49:06
db:	PACKETSTORM	id:	104818	date:	2011-09-06T04:49:39
db:	PACKETSTORM	id:	104808	date:	2011-09-06T04:49:09
db:	CNNVD	id:	CNNVD-201108-507	date:	1900-01-01T00:00:00