ID

VAR-190001-0187


TITLE

Control Microsystems ClearSCADA Authentication Security Bypass Vulnerability

Trust: 0.9

sources: BID: 49349 // CNNVD: CNNVD-201108-507

DESCRIPTION

ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. ClearSCADA has a security authentication bypass vulnerability that allows an attacker to exploit sensitive information or perform unauthorized operations. Control Microsystems ClearSCADA is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization. Versions prior to ClearSCADA 2010 R1.1 are vulnerable. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Serck SCX ClearSCADA Web Interface Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA45913 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45913/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45913 RELEASE DATE: 2011-09-06 DISCUSS ADVISORY: http://secunia.com/advisories/45913/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45913/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45913 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Serck SCX, which can be exploited by malicious people to bypass certain security restrictions. For more information: SA45854 The vulnerability is reported in the following products. * Serck SCX version 67 R4.5 * Serck SCX version 68 R3.9 SOLUTION: Update to a fixed version. Contact the vendor for further information. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Jeremy Brown. ORIGINAL ADVISORY: ICS-CERT (ICSA-11-173-01): http://www.us-cert.gov/control_systems/pdf/ICSA-11-173-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.98

sources: CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349 // IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // PACKETSTORM: 104807 // PACKETSTORM: 104818 // PACKETSTORM: 104808

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.6

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522

AFFECTED PRODUCTS

vendor:controlmodel:microsystems clearscadascope:eqversion:20050

Trust: 1.1

vendor:controlmodel:microsystems clearscada r1.0scope:eqversion:2010

Trust: 0.9

vendor:controlmodel:microsystems clearscadascope:eqversion:20090

Trust: 0.9

vendor:controlmodel:microsystems clearscadascope:eqversion:20070

Trust: 0.9

vendor:controlmodel:microsystems clearscadascope:eqversion:2005

Trust: 0.8

vendor:controlmodel:microsystems clearscadascope:eqversion:2009

Trust: 0.6

vendor:controlmodel:microsystems clearscadascope:eqversion:2007

Trust: 0.6

vendor:controlmodel:microsystems clearscada r1.4scope:neversion:2010

Trust: 0.3

vendor:controlmodel:microsystems clearscadascope:eqversion:2009*

Trust: 0.2

vendor:controlmodel:microsystems clearscadascope:eqversion:2007*

Trust: 0.2

vendor:controlmodel:microsystems clearscada r1.0scope:eqversion:2010*

Trust: 0.2

vendor:controlmodel:microsystems clearscadascope:eqversion:20090*

Trust: 0.2

vendor:controlmodel:microsystems clearscadascope:eqversion:20070*

Trust: 0.2

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349

CVSS

SEVERITY

CVSSV2

CVSSV3

IVD: baff4362-1f89-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 92665854-1f8a-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: baff4362-1f89-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

IVD: 92665854-1f8a-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201108-507

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201108-507

PATCH

title:Control Microsystems ClearSCADA Security Certification bypasses vulnerabilitiesurl:https://www.cnvd.org.cn/patchinfo/show/4950

Trust: 0.6

sources: CNVD: CNVD-2011-3420

EXTERNAL IDS

db:BIDid:49349

Trust: 1.5

db:CNVDid:CNVD-2011-3522

Trust: 0.8

db:CNVDid:CNVD-2011-3420

Trust: 0.8

db:SECUNIAid:45854

Trust: 0.8

db:ICS CERTid:ICSA-11-173-01

Trust: 0.6

db:CNNVDid:CNNVD-201108-507

Trust: 0.6

db:IVDid:BAFF4362-1F89-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:IVDid:92665854-1F8A-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:SECUNIAid:45912

Trust: 0.2

db:SECUNIAid:45913

Trust: 0.2

db:PACKETSTORMid:104807

Trust: 0.1

db:PACKETSTORMid:104818

Trust: 0.1

db:PACKETSTORMid:104808

Trust: 0.1

sources: IVD: baff4362-1f89-11e6-abef-000c29c66e3d // IVD: 92665854-1f8a-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349 // PACKETSTORM: 104807 // PACKETSTORM: 104818 // PACKETSTORM: 104808 // CNNVD: CNNVD-201108-507

REFERENCES

url:http://secunia.com/advisories/45854/

Trust: 0.7

url:http://www.securityfocus.com/bid/49349/info

Trust: 0.6

url:http://www.us-cert.gov/control_systems/pdf/icsa-11-173-01.pdf

Trust: 0.6

url:http://www.securityfocus.com/bid/49349

Trust: 0.6

url:http://www.clearscada.com/index.cfm

Trust: 0.3

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.3

url:http://secunia.com/blog/242

Trust: 0.3

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.3

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.3

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.3

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.3

url:http://secunia.com/advisories/45912/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=45912

Trust: 0.1

url:http://secunia.com/advisories/45912/#comments

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=45854

Trust: 0.1

url:http://secunia.com/advisories/45854/#comments

Trust: 0.1

url:http://secunia.com/advisories/45913/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=45913

Trust: 0.1

url:http://secunia.com/advisories/45913/#comments

Trust: 0.1

sources: CNVD: CNVD-2011-3420 // CNVD: CNVD-2011-3522 // BID: 49349 // PACKETSTORM: 104807 // PACKETSTORM: 104818 // PACKETSTORM: 104808 // CNNVD: CNNVD-201108-507

CREDITS

Jeremy Brown

Trust: 0.9

sources: BID: 49349 // CNNVD: CNNVD-201108-507

SOURCES

db:IVDid:baff4362-1f89-11e6-abef-000c29c66e3d
db:IVDid:92665854-1f8a-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2011-3420
db:CNVDid:CNVD-2011-3522
db:BIDid:49349
db:PACKETSTORMid:104807
db:PACKETSTORMid:104818
db:PACKETSTORMid:104808
db:CNNVDid:CNNVD-201108-507

LAST UPDATE DATE

2022-05-17T22:52:22.029000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2011-3420date:2011-08-31T00:00:00
db:CNVDid:CNVD-2011-3522date:2011-09-06T00:00:00
db:BIDid:49349date:2011-08-29T00:00:00
db:CNNVDid:CNNVD-201108-507date:2011-08-31T00:00:00

SOURCES RELEASE DATE

db:IVDid:baff4362-1f89-11e6-abef-000c29c66e3ddate:2011-09-06T00:00:00
db:IVDid:92665854-1f8a-11e6-abef-000c29c66e3ddate:2011-08-31T00:00:00
db:CNVDid:CNVD-2011-3420date:2011-08-31T00:00:00
db:CNVDid:CNVD-2011-3522date:2011-09-06T00:00:00
db:BIDid:49349date:2011-08-29T00:00:00
db:PACKETSTORMid:104807date:2011-09-06T04:49:06
db:PACKETSTORMid:104818date:2011-09-06T04:49:39
db:PACKETSTORMid:104808date:2011-09-06T04:49:09
db:CNNVDid:CNNVD-201108-507date:1900-01-01T00:00:00