Sign-up

ID

VAR-201201-0095


CVE

CVE-2011-5058


TITLE

CoDeSys Control service CmbWebserver.dll Module directory traversal vulnerability

Trust: 0.8

sources: IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // CNVD: CNVD-2012-7227

DESCRIPTION

The CmbWebserver.dll module of the Control service in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to create arbitrary directories under the web root by specifying a non-existent directory using \ (backslash) characters in an HTTP GET request. CoDeSys is a hardware-independent IEC 61131-3 development system for programming and creating controller applications on the Windows platform. By sending a specially crafted request to TCP port 8080, a remote attacker can be allowed to create any directory under Webroot. CoDeSys is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: CoDeSys Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47018 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47018/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47018 RELEASE DATE: 2011-12-01 DISCUSS ADVISORY: http://secunia.com/advisories/47018/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47018/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47018 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in CoDeSys, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. 1) An integer overflow error in the Gateway service when processing certain requests can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 1217. 2) A boundary error in the Control service when processing web requests can be exploited to cause a stack-based buffer overflow via an overly long URL sent to TCP port 8080. Successful exploitation of vulnerabilities #1 and #2 allows execution of arbitrary code. The vulnerabilities are confirmed in version 3.4 SP4 Patch 2. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/codesys_1-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.6

sources: NVD: CVE-2011-5058 // JVNDB: JVNDB-2012-001049 // CNVD: CNVD-2012-7227 // CNVD: CNVD-2012-9240 // BID: 56732 // IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // IVD: 7d719330-463f-11e9-82b9-000c29342cb1 // IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d // PACKETSTORM: 107457

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.8

sources: IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // IVD: 7d719330-463f-11e9-82b9-000c29342cb1 // IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-7227 // CNVD: CNVD-2012-9240

AFFECTED PRODUCTS

vendor:3ssoftwaremodel:codesysscope:eqversion:3.4

Trust: 1.6

vendor:3s smartmodel:codesysscope:eqversion:3.4 sp4 patch 2

Trust: 0.8

vendor:codesysmodel: - scope:eqversion:3.4

Trust: 0.6

vendor:3s smartmodel:codesysscope:eqversion:2.3.9.32

Trust: 0.6

vendor:3s smartmodel:codesysscope:eqversion:3.5

Trust: 0.6

vendor:3ssoftwaremodel:codesys sp4 patch2scope:eqversion:3.4

Trust: 0.6

vendor:3smodel:codesys sp4 patchscope:eqversion:3.42

Trust: 0.3

vendor:3smodel:codesysscope:eqversion:2.3

Trust: 0.3

vendor:3smodel:codesysscope:neversion:3.5

Trust: 0.3

vendor:3smodel:codesysscope:neversion:2.3.9.32

Trust: 0.3

sources: IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // IVD: 7d719330-463f-11e9-82b9-000c29342cb1 // IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-7227 // CNVD: CNVD-2012-9240 // BID: 56732 // JVNDB: JVNDB-2012-001049 // CNNVD: CNNVD-201201-116 // NVD: CVE-2011-5058

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-5058
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-5058
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2012-9240
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201201-116
value: MEDIUM

Trust: 0.6

IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132
value: MEDIUM

Trust: 0.2

IVD: 7d719330-463f-11e9-82b9-000c29342cb1
value: MEDIUM

Trust: 0.2

IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2011-5058
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2012-9240
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 7d719330-463f-11e9-82b9-000c29342cb1
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // IVD: 7d719330-463f-11e9-82b9-000c29342cb1 // IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-9240 // JVNDB: JVNDB-2012-001049 // CNNVD: CNNVD-201201-116 // NVD: CVE-2011-5058

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2012-001049 // NVD: CVE-2011-5058

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201201-116

TYPE

Permission permission and access control

Trust: 0.6

sources: IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // IVD: 7d719330-463f-11e9-82b9-000c29342cb1 // IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-001049

PATCH
title:Top Pageurl:http://www.3s-software.com/
Trust: 0.8
title:CoDeSys Control service CmbWebserver.dll module directory traversal vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/25815
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2012-7227 // 
            
            
            
            JVNDB: JVNDB-2012-001049

EXTERNAL IDS
db:NVDid:CVE-2011-5058
Trust: 4.5
db:SECUNIAid:47018
Trust: 2.9
db:ICS CERT ALERTid:ICS-ALERT-11-336-01A
Trust: 2.7
db:CNNVDid:CNNVD-201201-116
Trust: 1.2
db:CNVDid:CNVD-2012-9240
Trust: 1.0
db:CNVDid:CNVD-2012-7227
Trust: 0.8
db:JVNDBid:JVNDB-2012-001049
Trust: 0.8
db:BIDid:56732
Trust: 0.3
db:IVDid:83FF60FD-8B4E-482A-8BA9-24FE24EEB132
Trust: 0.2
db:IVDid:7D719330-463F-11E9-82B9-000C29342CB1
Trust: 0.2
db:IVDid:3B396C4C-2354-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:PACKETSTORMid:107457
Trust: 0.1
sources:
            
            
            IVD: 83ff60fd-8b4e-482a-8ba9-24fe24eeb132 // 
            
            
            
            IVD: 7d719330-463f-11e9-82b9-000c29342cb1 // 
            
            
            
            IVD: 3b396c4c-2354-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2012-7227 // 
            
            
            
            CNVD: CNVD-2012-9240 // 
            
            
            
            BID: 56732 // 
            
            
            
            JVNDB: JVNDB-2012-001049 // 
            
            
            
            PACKETSTORM: 107457 // 
            
            
            
            CNNVD: CNNVD-201201-116 // 
            
            
            
            NVD: CVE-2011-5058

REFERENCES
url:http://www.us-cert.gov/control_systems/pdf/ics-alert-11-336-01a.pdf
Trust: 2.7
url:http://secunia.com/advisories/47018
Trust: 2.2
url:http://aluigi.altervista.org/adv/codesys_1-adv.txt
Trust: 2.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/72339
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-5058
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-5058
Trust: 0.8
url:http://secunia.com/advisories/47018http
Trust: 0.6
url:http://www.3s-software.com/
Trust: 0.3
url:http://secunia.com/company/jobs/
Trust: 0.1
url:http://secunia.com/vulnerability_intelligence/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47018
Trust: 0.1
url:http://secunia.com/advisories/47018/#comments
Trust: 0.1
url:http://secunia.com/advisories/47018/
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2012-7227 // 
            
            
            
            CNVD: CNVD-2012-9240 // 
            
            
            
            BID: 56732 // 
            
            
            
            JVNDB: JVNDB-2012-001049 // 
            
            
            
            PACKETSTORM: 107457 // 
            
            
            
            CNNVD: CNNVD-201201-116 // 
            
            
            
            NVD: CVE-2011-5058

CREDITS
Luigi Auriemma
Trust: 0.3
sources:
            
            
            BID: 56732

SOURCES
db:IVDid:83ff60fd-8b4e-482a-8ba9-24fe24eeb132
db:IVDid:7d719330-463f-11e9-82b9-000c29342cb1
db:IVDid:3b396c4c-2354-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2012-7227
db:CNVDid:CNVD-2012-9240
db:BIDid:56732
db:JVNDBid:JVNDB-2012-001049
db:PACKETSTORMid:107457
db:CNNVDid:CNNVD-201201-116
db:NVDid:CVE-2011-5058

LAST UPDATE DATE
2024-11-23T22:27:38.685000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2012-7227date:2012-12-04T00:00:00
db:CNVDid:CNVD-2012-9240date:2012-01-13T00:00:00
db:BIDid:56732date:2011-11-29T00:00:00
db:JVNDBid:JVNDB-2012-001049date:2012-01-12T00:00:00
db:CNNVDid:CNNVD-201201-116date:2012-01-13T00:00:00
db:NVDid:CVE-2011-5058date:2024-11-21T01:33:31.660

SOURCES RELEASE DATE
db:IVDid:83ff60fd-8b4e-482a-8ba9-24fe24eeb132date:2012-12-04T00:00:00
db:IVDid:7d719330-463f-11e9-82b9-000c29342cb1date:2012-01-13T00:00:00
db:IVDid:3b396c4c-2354-11e6-abef-000c29c66e3ddate:2012-01-13T00:00:00
db:CNVDid:CNVD-2012-7227date:2012-12-04T00:00:00
db:CNVDid:CNVD-2012-9240date:2012-01-13T00:00:00
db:BIDid:56732date:2011-11-29T00:00:00
db:JVNDBid:JVNDB-2012-001049date:2012-01-12T00:00:00
db:PACKETSTORMid:107457date:2011-12-01T04:30:55
db:CNNVDid:CNNVD-201201-116date:2012-01-13T00:00:00
db:NVDid:CVE-2011-5058date:2012-01-10T23:55:00.977