Details of VAR-201109-0223

ID

VAR-201109-0223

CVE

CVE-2011-3321

TITLE

Siemens SIMATIC WinCC Runtime Loader Buffer Overflow Vulnerability

Trust: 1.6

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // CNNVD: CNNVD-201109-224

DESCRIPTION

Heap-based buffer overflow in the Siemens WinCC Runtime Advanced Loader, as used in SIMATIC WinCC flexible Runtime and SIMATIC WinCC (TIA Portal) Runtime Advanced, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted packet to TCP port 2308. Siemens SIMATIC WinCC flexible and WinCC (TIA Portal) Runtime Advanced is a software package for virtualization. A security vulnerability exists in the implementation of Siemens SIMATIC WinCC, which can be exploited by malicious users to control the affected system. This vulnerability stems from an error in the runtime loader when parsing a received message, causing a heap buffer overflow through a specially crafted message sent to port 2308/TCP. ---------------------------------------------------------------------- The new Secunia Corporate Software Inspector (CSI) 5.0 Integrates with Microsoft WSUS & SCCM and supports Apple Mac OS X. Get a free trial now and qualify for a special discount: http://secunia.com/vulnerability_scanning/corporate/trial/ ---------------------------------------------------------------------- TITLE: Siemens SIMATIC WinCC Runtime Loader Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA46011 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46011/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46011 RELEASE DATE: 2011-09-15 DISCUSS ADVISORY: http://secunia.com/advisories/46011/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46011/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46011 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Siemens SIMATIC WinCC, which can be exploited by malicious people to potentially compromise a vulnerable system. Successful exploitation may allow execution of arbitrary code, but requires that "transfer" mode is enabled (disabled by default). SOLUTION: Disable "transfer" mode or restrict access to port 2308/TCP. PROVIDED AND/OR DISCOVERED BY: Billy Rios and Terry McCorkle via ICS-CERT. ORIGINAL ADVISORY: Siemens: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=de&objid=29054992&caller=view http://cache.automation.siemens.com/dnl/jI/jI0NDY5AAAA_29054992_FAQ/Siemens_Security_Advisory_SSA-460621_V1_2.pdf ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-244-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.7

sources: NVD: CVE-2011-3321 // JVNDB: JVNDB-2011-002270 // CNVD: CNVD-2011-6876 // IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-51266 // PACKETSTORM: 105133

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic wincc runtime	scope:	eq	version:	-	Trust: 1.6
vendor:	siemens	model:	simatic wincc flexible runtime	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic wincc flexible rumtime	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	-	version:	-	Trust: 0.8
vendor:	no	model:	-	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic wincc flexible runtime	scope:	-	version:	-	Trust: 0.6
vendor:	simatic wincc flexible runtime	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	simatic wincc runtime	model:	-	scope:	eq	version:	-	Trust: 0.4

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // JVNDB: JVNDB-2011-002270 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-3321
value:	HIGH
Trust: 1.0
NVD:	CVE-2011-3321
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2011-6876
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201109-224
value:	CRITICAL
Trust: 0.6
IVD:	7d7d7a11-463f-11e9-84c1-000c29342cb1
value:	CRITICAL
Trust: 0.2
IVD:	a57fd672-2354-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-51266
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2011-3321
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2011-6876
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d7d7a11-463f-11e9-84c1-000c29342cb1
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	a57fd672-2354-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-51266
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // NVD: CVE-2011-3321

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201109-224

TYPE

Buffer overflow

Trust: 1.0

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201109-224

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002270

PATCH

title:	SIEMENS-SSA-460621	url:	http://cache.automation.siemens.com/dnl/jI/jI0NDY5AAAA_29054992_FAQ/Siemens_Security_Advisory_SSA-460621_V1_2.pdf	Trust: 0.8
title:	シーメンスソリューションパートナー	url:	http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx	Trust: 0.8
title:	シーメンス・ジャパン株式会社	url:	http://www.siemens.com/entry/jp/ja/	Trust: 0.8
title:	Patch for the Siemens SIMATIC WinCC Runtime Loader Buffer Overflow Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/43377	Trust: 0.6

sources: CNVD: CNVD-2011-6876 // JVNDB: JVNDB-2011-002270

EXTERNAL IDS

db:	NVD	id:	CVE-2011-3321	Trust: 3.5
db:	ICS CERT	id:	ICSA-11-244-01	Trust: 2.6
db:	SECUNIA	id:	46011	Trust: 2.0
db:	SIEMENS	id:	SSA-460621	Trust: 1.8
db:	CNVD	id:	CNVD-2011-6876	Trust: 1.0
db:	CNNVD	id:	CNNVD-201109-224	Trust: 1.0
db:	JVNDB	id:	JVNDB-2011-002270	Trust: 0.8
db:	NSFOCUS	id:	17733	Trust: 0.6
db:	IVD	id:	7D7D7A11-463F-11E9-84C1-000C29342CB1	Trust: 0.2
db:	IVD	id:	A57FD672-2354-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-51266	Trust: 0.1
db:	PACKETSTORM	id:	105133	Trust: 0.1

sources: IVD: 7d7d7a11-463f-11e9-84c1-000c29342cb1 // IVD: a57fd672-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6876 // VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // PACKETSTORM: 105133 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

REFERENCES

url:	http://www.us-cert.gov/control_systems/pdf/icsa-11-244-01.pdf	Trust: 2.6
url:	http://support.automation.siemens.com/ww/view/en/29054992	Trust: 1.7
url:	http://secunia.com/advisories/46011	Trust: 1.7
url:	http://cache.automation.siemens.com/dnl/ji/ji0ndy5aaaa_29054992_faq/siemens_security_advisory_ssa-460621_v1_2.pdf	Trust: 1.2
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/69803	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3321	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3321	Trust: 0.8
url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-460621.pdf	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/17733	Trust: 0.6
url:	http://secunia.com/vulnerability_scanning/corporate/trial/	Trust: 0.1
url:	http://secunia.com/vulnerability_intelligence/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/advisories/46011/#comments	Trust: 0.1
url:	http://support.automation.siemens.com/ww/llisapi.dll?func=cslib.csinfo&lang=de&objid=29054992&caller=view	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=46011	Trust: 0.1
url:	http://secunia.com/advisories/46011/	Trust: 0.1

sources: CNVD: CNVD-2011-6876 // VULHUB: VHN-51266 // JVNDB: JVNDB-2011-002270 // PACKETSTORM: 105133 // CNNVD: CNNVD-201109-224 // NVD: CVE-2011-3321

CREDITS

Secunia

Trust: 0.1

sources: PACKETSTORM: 105133

SOURCES

db:	IVD	id:	7d7d7a11-463f-11e9-84c1-000c29342cb1
db:	IVD	id:	a57fd672-2354-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-6876
db:	VULHUB	id:	VHN-51266
db:	JVNDB	id:	JVNDB-2011-002270
db:	PACKETSTORM	id:	105133
db:	CNNVD	id:	CNNVD-201109-224
db:	NVD	id:	CVE-2011-3321

LAST UPDATE DATE

2024-08-14T14:28:15.287000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-6876	date:	2016-09-13T00:00:00
db:	VULHUB	id:	VHN-51266	date:	2017-08-29T00:00:00
db:	JVNDB	id:	JVNDB-2011-002270	date:	2011-09-29T00:00:00
db:	CNNVD	id:	CNNVD-201109-224	date:	2011-09-20T00:00:00
db:	NVD	id:	CVE-2011-3321	date:	2017-08-29T01:30:10.020

SOURCES RELEASE DATE

db:	IVD	id:	7d7d7a11-463f-11e9-84c1-000c29342cb1	date:	2014-02-18T00:00:00
db:	IVD	id:	a57fd672-2354-11e6-abef-000c29c66e3d	date:	2014-02-18T00:00:00
db:	CNVD	id:	CNVD-2011-6876	date:	2011-09-14T00:00:00
db:	VULHUB	id:	VHN-51266	date:	2011-09-16T00:00:00
db:	JVNDB	id:	JVNDB-2011-002270	date:	2011-09-29T00:00:00
db:	PACKETSTORM	id:	105133	date:	2011-09-15T06:46:52
db:	CNNVD	id:	CNNVD-201109-224	date:	2011-09-16T00:00:00
db:	NVD	id:	CVE-2011-3321	date:	2011-09-16T12:35:26.450