ID

VAR-201007-0198


CVE

CVE-2010-2772


TITLE

Siemens SIMATIC WinCC Default Password Security Bypass Vulnerability

Trust: 1.3

sources: IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // CNVD: CNVD-2010-1369 // BID: 41753

DESCRIPTION

Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm, a different vulnerability than CVE-2010-2568. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. The Siemens SIMATIC WinCC data uses the built-in user name and password and does not inform the user that it needs to be modified. An attacker can use this information to read database data or inject code into a database. Siemens SIMATIC WinCC is affected by a vulnerability that allows attackers to bypass security. Successfully exploiting this issue may lead to further attacks. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Siemens SIMATIC WinCC Undocumented Database User Account SECUNIA ADVISORY ID: SA40682 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40682/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40682 RELEASE DATE: 2010-07-24 DISCUSS ADVISORY: http://secunia.com/advisories/40682/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40682/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40682 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in Siemens SIMATIC WinCC, which can be exploited by malicious people to gain unauthorised access. SOLUTION: Restrict network access to the database to trusted users only. PROVIDED AND/OR DISCOVERED BY: Discovered in the wild. ORIGINAL ADVISORY: http://www.wilderssecurity.com/showpost.php?p=1712134&postcount=22 http://www.f-secure.com/weblog/archives/00001987.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.24

sources: NVD: CVE-2010-2772 // JVNDB: JVNDB-2010-001829 // CNVD: CNVD-2010-1369 // BID: 41753 // IVD: 06a89dde-2356-11e6-abef-000c29c66e3d // IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // VULHUB: VHN-45377 // VULMON: CVE-2010-2772 // PACKETSTORM: 92130

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.2

sources: IVD: 06a89dde-2356-11e6-abef-000c29c66e3d // IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // CNVD: CNVD-2010-1369

AFFECTED PRODUCTS

vendor:siemensmodel:simatic winccscope:eqversion:6.2

Trust: 2.5

vendor:siemensmodel:simatic pcs 7scope:eqversion:6.0

Trust: 1.6

vendor:siemensmodel:simatic pcs 7scope:eqversion:6.1

Trust: 1.6

vendor:siemensmodel:simatic pcs 7scope:eqversion:7.1

Trust: 1.6

vendor:siemensmodel:simatic winccscope:eqversion:7.0

Trust: 1.6

vendor:siemensmodel:simatic pcs 7scope:eqversion:7.0

Trust: 1.6

vendor:simatic pcs 7model: - scope:eqversion:7.0

Trust: 1.2

vendor:simatic pcs 7model: - scope:eqversion:7.1

Trust: 1.2

vendor:シーメンスmodel:simatic winccscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:simatic pcs 7scope: - version: -

Trust: 0.8

vendor:simatic winccmodel: - scope:eqversion:*

Trust: 0.6

vendor:simatic winccmodel: - scope:eqversion:6.2

Trust: 0.6

vendor:simatic winccmodel: - scope:eqversion:7.0

Trust: 0.6

vendor:simatic pcs 7model: - scope:eqversion:*

Trust: 0.6

vendor:simatic pcs 7model: - scope:eqversion:6.0

Trust: 0.6

vendor:simatic pcs 7model: - scope:eqversion:6.1

Trust: 0.6

vendor:siemensmodel:simatic winccscope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic pcs 7scope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic winccscope:eqversion:0

Trust: 0.3

sources: IVD: 06a89dde-2356-11e6-abef-000c29c66e3d // IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // CNVD: CNVD-2010-1369 // BID: 41753 // JVNDB: JVNDB-2010-001829 // CNNVD: CNNVD-201007-241 // NVD: CVE-2010-2772

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-2772
value: HIGH

Trust: 1.0

NVD: CVE-2010-2772
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201007-241
value: MEDIUM

Trust: 0.6

IVD: 06a89dde-2356-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1
value: MEDIUM

Trust: 0.2

IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-45377
value: MEDIUM

Trust: 0.1

VULMON: CVE-2010-2772
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-2772
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

IVD: 06a89dde-2356-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-45377
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2010-2772
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2010-2772
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 06a89dde-2356-11e6-abef-000c29c66e3d // IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // VULHUB: VHN-45377 // VULMON: CVE-2010-2772 // JVNDB: JVNDB-2010-001829 // CNNVD: CNNVD-201007-241 // NVD: CVE-2010-2772

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.0

problemtype:Use hard-coded credentials (CWE-798) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-255

Trust: 0.1

sources: VULHUB: VHN-45377 // JVNDB: JVNDB-2010-001829 // NVD: CVE-2010-2772

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201007-241

TYPE

Trust management

Trust: 1.2

sources: IVD: 06a89dde-2356-11e6-abef-000c29c66e3d // IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201007-241

PATCH

title:Product Supporturl:http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&aktprim=0&siteid=cseus&lang=en&siteid=cseus&groupid=4000003&groupid=4000003&groupid=4000003&extranet=standard&viewreg=WW&nodeid0=10805583

Trust: 0.8

title:Siemens SIMATIC WinCC default password security bypass vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/81338

Trust: 0.6

title:win32-stuxneturl:https://github.com/uraninite/win32-stuxnet

Trust: 0.1

title:welivesecurityurl:https://www.welivesecurity.com/2016/06/07/infrastructure-attacks-next-generation/

Trust: 0.1

title:Threatposturl:https://threatpost.com/kelihos-update-includes-new-tld-and-usb-infection-capabilities-121112/77299/

Trust: 0.1

sources: CNVD: CNVD-2010-1369 // VULMON: CVE-2010-2772 // JVNDB: JVNDB-2010-001829

EXTERNAL IDS

db:NVDid:CVE-2010-2772

Trust: 4.3

db:BIDid:41753

Trust: 2.9

db:SECUNIAid:40682

Trust: 2.1

db:ICS CERTid:ICSA-12-205-01

Trust: 2.0

db:VUPENid:ADV-2010-1893

Trust: 1.9

db:CNNVDid:CNNVD-201007-241

Trust: 1.3

db:CNVDid:CNVD-2010-1369

Trust: 1.0

db:XFid:60587

Trust: 0.8

db:JVNDBid:JVNDB-2010-001829

Trust: 0.8

db:IVDid:06A89DDE-2356-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:IVDid:7D70CFDF-463F-11E9-AD83-000C29342CB1

Trust: 0.2

db:IVDid:407E95F0-1FB3-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:VULHUBid:VHN-45377

Trust: 0.1

db:VUPENid:2010/1893

Trust: 0.1

db:VULMONid:CVE-2010-2772

Trust: 0.1

db:PACKETSTORMid:92130

Trust: 0.1

sources: IVD: 06a89dde-2356-11e6-abef-000c29c66e3d // IVD: 7d70cfdf-463f-11e9-ad83-000c29342cb1 // IVD: 407e95f0-1fb3-11e6-abef-000c29c66e3d // CNVD: CNVD-2010-1369 // VULHUB: VHN-45377 // VULMON: CVE-2010-2772 // BID: 41753 // JVNDB: JVNDB-2010-001829 // PACKETSTORM: 92130 // CNNVD: CNNVD-201007-241 // NVD: CVE-2010-2772

REFERENCES

url:http://www.securityfocus.com/bid/41753

Trust: 2.0

url:http://ics-cert.us-cert.gov/advisories/icsa-12-205-01

Trust: 2.0

url:http://secunia.com/advisories/40682

Trust: 2.0

url:http://www.vupen.com/english/advisories/2010/1893

Trust: 2.0

url:http://www.sea.siemens.com/us/news/industrial/pages/wincc_update.aspx

Trust: 1.8

url:http://infoworld.com/d/security-central/new-weaponized-virus-targets-industrial-secrets-725

Trust: 1.8

url:http://infoworld.com/d/security-central/siemens-warns-users-dont-change-passwords-after-worm-attack-915?sourcefssr

Trust: 1.8

url:http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

Trust: 1.8

url:http://www.wired.com/threatlevel/2010/07/siemens-scada/

Trust: 1.8

url:http://www.automation.siemens.com/forum/guests/postshow.aspx?postid=16127&16127&language=en&pageindex=1

Trust: 1.7

url:http://support.automation.siemens.com/ww/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=viewhttp://support.automation.siemens.com/ww/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&c

Trust: 1.4

url:http://www.f-secure.com/weblog/archives/00001987.html

Trust: 1.3

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/60587

Trust: 1.2

url:http://www.wilderssecurity.com/showpost.php?p=1712134&postcount=22

Trust: 1.2

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2772

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/60587

Trust: 0.8

url:http://it.slashdot.org/comments.pl?sid=1721020

Trust: 0.6

url:http://it.slashdot.org/comments.pl?sid=1721020&cid=32920758

Trust: 0.3

url:http://aunz.siemens.com/newscentre/productreleases/pages/iac_pr_simaticwinccv62.aspx

Trust: 0.3

url:https://www.automation.siemens.com/forum/guests/postshow.aspx?postid=16127&language=en&pageindex=2

Trust: 0.3

url:http://support.automation.siemens.com/ww/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=viewhttp://support.automation.siemens.com/ww/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&c

Trust: 0.1

url:http://www.automation.siemens.com/forum/guests/postshow.aspx?postid=16127&16127&language=en&pageindex=1

Trust: 0.1

url:http://www.wilderssecurity.com/showpost.php?p=1712134&postcount=22

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/255.html

Trust: 0.1

url:https://github.com/uraninite/win32-stuxnet

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=20969

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/kelihos-update-includes-new-tld-and-usb-infection-capabilities-121112/77299/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=40682

Trust: 0.1

url:http://secunia.com/products/corporate/evm/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/40682/#comments

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/advisories/40682/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/gfx/pdf/secunia_half_year_report_2010.pdf

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2010-1369 // VULHUB: VHN-45377 // VULMON: CVE-2010-2772 // BID: 41753 // JVNDB: JVNDB-2010-001829 // PACKETSTORM: 92130 // CNNVD: CNNVD-201007-241 // NVD: CVE-2010-2772

CREDITS

Siemens

Trust: 0.3

sources: BID: 41753

SOURCES

db:IVDid:06a89dde-2356-11e6-abef-000c29c66e3d
db:IVDid:7d70cfdf-463f-11e9-ad83-000c29342cb1
db:IVDid:407e95f0-1fb3-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2010-1369
db:VULHUBid:VHN-45377
db:VULMONid:CVE-2010-2772
db:BIDid:41753
db:JVNDBid:JVNDB-2010-001829
db:PACKETSTORMid:92130
db:CNNVDid:CNNVD-201007-241
db:NVDid:CVE-2010-2772

LAST UPDATE DATE

2024-08-14T14:21:44.737000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2010-1369date:2016-09-13T00:00:00
db:VULHUBid:VHN-45377date:2017-08-17T00:00:00
db:VULMONid:CVE-2010-2772date:2017-08-17T00:00:00
db:BIDid:41753date:2015-03-19T09:27:00
db:JVNDBid:JVNDB-2010-001829date:2024-03-01T04:05:00
db:CNNVDid:CNNVD-201007-241date:2010-07-23T00:00:00
db:NVDid:CVE-2010-2772date:2024-02-13T16:44:42.830

SOURCES RELEASE DATE

db:IVDid:06a89dde-2356-11e6-abef-000c29c66e3ddate:2010-07-23T00:00:00
db:IVDid:7d70cfdf-463f-11e9-ad83-000c29342cb1date:2010-07-18T00:00:00
db:IVDid:407e95f0-1fb3-11e6-abef-000c29c66e3ddate:2010-07-18T00:00:00
db:CNVDid:CNVD-2010-1369date:2010-07-18T00:00:00
db:VULHUBid:VHN-45377date:2010-07-22T00:00:00
db:VULMONid:CVE-2010-2772date:2010-07-22T00:00:00
db:BIDid:41753date:2010-07-16T00:00:00
db:JVNDBid:JVNDB-2010-001829date:2010-08-16T00:00:00
db:PACKETSTORMid:92130date:2010-07-26T12:08:47
db:CNNVDid:CNNVD-201007-241date:2010-07-23T00:00:00
db:NVDid:CVE-2010-2772date:2010-07-22T05:43:58.250