ID

VAR-201109-0223


CVE

CVE-2011-3321


TITLE

Siemens SIMATIC WinCC Runtime Loader Buffer Overflow Vulnerability

Trust: 1.6

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // CNNVD: CNNVD-201109-224

DESCRIPTION

Heap-based buffer overflow in the Siemens WinCC Runtime Advanced Loader, as used in SIMATIC WinCC flexible Runtime and SIMATIC WinCC (TIA Portal) Runtime Advanced, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted packet to TCP port 2308. Siemens SIMATIC WinCC flexible and WinCC (TIA Portal) Runtime Advanced is a software package for virtualization. A security vulnerability exists in the implementation of Siemens SIMATIC WinCC, which can be exploited by malicious users to control the affected system. This vulnerability stems from an error in the runtime loader when parsing a received message, causing a heap buffer overflow through a specially crafted message sent to port 2308/TCP.

TITLE: Siemens SIMATIC WinCC Runtime Loader Buffer Overflow Vulnerability

SECUNIA ADVISORY ID: SA46011

VERIFY ADVISORY: http://secunia.com/advisories/46011/

RELEASE DATE: 2011-09-15

DESCRIPTION: A vulnerability has been reported in Siemens SIMATIC WinCC, which can be exploited by malicious people to potentially compromise a vulnerable system. Successful exploitation may allow execution of arbitrary code, but requires that "transfer" mode is enabled (disabled by default).

SOLUTION: Disable "transfer" mode or restrict access to port 2308/TCP.

PROVIDED AND/OR DISCOVERED BY: Billy Rios and Terry McCorkle via ICS-CERT.

ORIGINAL ADVISORY:
Siemens: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=de&objid=29054992&caller=view
http://cache.automation.siemens.com/dnl/jI/jI0NDY5AAAA_29054992_FAQ/Siemens_Security_Advisory_SSA-460621_V1_2.pdf
ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-244-01.pdf

Trust: 2.7

sources: NVD: CVE-2011-3321 // JVNDB: JVNDB-2011-002270 // CNVD: CNVD-2011-6876 // IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-51266 // PACKETSTORM: 105133

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876

AFFECTED PRODUCTS

vendor: siemens, model: simatic wincc runtime, scope: eq, version: -

Trust: 1.6

vendor: siemens, model: simatic wincc flexible runtime, scope: eq, version: *

Trust: 1.0

vendor: siemens, model: simatic wincc flexible rumtime, scope: -, version: -

Trust: 0.8

vendor: siemens, model: simatic wincc runtime advanced, scope: -, version: -

Trust: 0.8

vendor: no, model: -, scope: -, version: -

Trust: 0.6

vendor: siemens, model: simatic wincc flexible runtime, scope: -, version: -

Trust: 0.6

vendor: simatic wincc flexible runtime, model: -, scope: eq, version: *

Trust: 0.4

vendor: simatic wincc runtime, model: -, scope: eq, version: -

Trust: 0.4

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // JVNDB: JVNDB-2011-002270 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3321
value: HIGH

Trust: 1.0

NVD: CVE-2011-3321
value: HIGH

Trust: 0.8

CNVD: CNVD-2011-6876
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201109-224
value: CRITICAL

Trust: 0.6

IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1
value: CRITICAL

Trust: 0.2

IVD: a57fd672-2354-11e6-abef-000c29c66e3d
value: CRITICAL

Trust: 0.2

VULHUB: VHN-51266
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-3321
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2011-6876
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: a57fd672-2354-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-51266
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // NVD: CVE-2011-3321

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201109-224

TYPE

Buffer overflow

Trust: 1.0

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201109-224

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002270

PATCH

title: SIEMENS-SSA-460621, url: http://cache.automation.siemens.com/dnl/jI/jI0NDY5AAAA_29054992_FAQ/Siemens_Security_Advisory_SSA-460621_V1_2.pdf

Trust: 0.8

title: Siemens Solution Partner, url: http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx

Trust: 0.8

title: Siemens Japan K.K., url: http://www.siemens.com/entry/jp/ja/

Trust: 0.8

title: Patch for the Siemens SIMATIC WinCC Runtime Loader Buffer Overflow Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/43377

Trust: 0.6

sources: CNVD: CNVD-2011-6876 // JVNDB: JVNDB-2011-002270

EXTERNAL IDS

db: NVD, id: CVE-2011-3321

Trust: 3.5

db: ICS CERT, id: ICSA-11-244-01

Trust: 2.6

db: SECUNIA, id: 46011

Trust: 2.0

db: SIEMENS, id: SSA-460621

Trust: 1.8

db: CNVD, id: CNVD-2011-6876

Trust: 1.0

db: CNNVD, id: CNNVD-201109-224

Trust: 1.0

db: JVNDB, id: JVNDB-2011-002270

Trust: 0.8

db: NSFOCUS, id: 17733

Trust: 0.6

db: IVD, id: 7D7D7A11-463F-11E9-84C1-000C29342CB1

Trust: 0.2

db: IVD, id: A57FD672-2354-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-51266

Trust: 0.1

db: PACKETSTORM, id: 105133

Trust: 0.1

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // PACKETSTORM: 105133 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

REFERENCES

url:http://www.us-cert.gov/control_systems/pdf/icsa-11-244-01.pdf

Trust: 2.6

url:http://support.automation.siemens.com/ww/view/en/29054992

Trust: 1.7

url:http://secunia.com/advisories/46011

Trust: 1.7

url:http://cache.automation.siemens.com/dnl/ji/ji0ndy5aaaa_29054992_faq/siemens_security_advisory_ssa-460621_v1_2.pdf

Trust: 1.2

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/69803

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3321

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3321

Trust: 0.8

url:http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-460621.pdf

Trust: 0.6

url:http://www.nsfocus.net/vulndb/17733

Trust: 0.6

url:http://secunia.com/vulnerability_scanning/corporate/trial/

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/advisories/46011/#comments

Trust: 0.1

url:http://support.automation.siemens.com/ww/llisapi.dll?func=cslib.csinfo&lang=de&objid=29054992&caller=view

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=46011

Trust: 0.1

url:http://secunia.com/advisories/46011/

Trust: 0.1

sources: CNVD: CNVD-2011-6876 // VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // PACKETSTORM: 105133 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

CREDITS

Secunia

Trust: 0.1

sources: PACKETSTORM: 105133

SOURCES

db: IVD, id: 7d7d7a11-463f-11e9-84c1-000c29342cb1
db: IVD, id: a57fd672-2354-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2011-6876
db: VULHUB, id: VHN-51266
db: JVNDB, id: JVNDB-2011-002270
db: PACKETSTORM, id: 105133
db: CNNVD, id: CNNVD-201109-224
db: NVD, id: CVE-2011-3321

LAST UPDATE DATE

2024-08-14T14:28:15.287000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2011-6876, date: 2016-09-13T00:00:00
db: VULHUB, id: VHN-51266, date: 2017-08-29T00:00:00
db: JVNDB, id: JVNDB-2011-002270, date: 2011-09-29T00:00:00
db: CNNVD, id: CNNVD-201109-224, date: 2011-09-20T00:00:00
db: NVD, id: CVE-2011-3321, date: 2017-08-29T01:30:10.020

SOURCES RELEASE DATE

db: IVD, id: 7d7d7a11-463f-11e9-84c1-000c29342cb1, date: 2014-02-18T00:00:00
db: IVD, id: a57fd672-2354-11e6-abef-000c29c66e3d, date: 2014-02-18T00:00:00
db: CNVD, id: CNVD-2011-6876, date: 2011-09-14T00:00:00
db: VULHUB, id: VHN-51266, date: 2011-09-16T00:00:00
db: JVNDB, id: JVNDB-2011-002270, date: 2011-09-29T00:00:00
db: PACKETSTORM, id: 105133, date: 2011-09-15T06:46:52
db: CNNVD, id: CNNVD-201109-224, date: 2011-09-16T00:00:00
db: NVD, id: CVE-2011-3321, date: 2011-09-16T12:35:26.450