Details of VAR-201202-0043

ID

VAR-201202-0043

CVE

CVE-2011-4508

TITLE

plural Siemens Product HMI Web Vulnerability that prevents authentication on the server

Trust: 0.8

sources: JVNDB: JVNDB-2012-001310

DESCRIPTION

The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie. plural Siemens Product HMI Web The server Cookie There is a vulnerability that prevents authentication because it generates a predictable authentication token.Skillfully crafted by a third party Cookie Authentication may be bypassed. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. Multiple Siemens SIMATIC products have security vulnerabilities, and the insecure generation of authentication tokens (session COOKIE guesses) allows an attacker to bypass authentication checks and increase privileges without a username and password. An attacker can exploit these issues to bypass intended security restrictions and gain access to the affected application. Successfully exploiting these issues may lead to further attacks. The Siemens SIMATIC HMI product family is used as the human-machine interface between the corresponding PLC and the operator

Trust: 2.7

sources: NVD: CVE-2011-4508 // JVNDB: JVNDB-2012-001310 // CNVD: CNVD-2011-5448 // BID: 51177 // IVD: 28828750-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52453

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 28828750-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5448

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	mp	Trust: 2.4
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	op	Trust: 2.4
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	tp	Trust: 2.4
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2007	Trust: 1.7
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2005	Trust: 1.7
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2004	Trust: 1.7
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	comfort_panels	Trust: 1.6
vendor:	siemens	model:	wincc runtime advanced	scope:	eq	version:	v11	Trust: 1.6
vendor:	siemens	model:	wincc	scope:	eq	version:	v11	Trust: 1.6
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	mobile_panels	Trust: 1.6
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2005	Trust: 1.0
vendor:	siemens	model:	wincc	scope:	lte	version:	v11	Trust: 1.0
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2007	Trust: 1.0
vendor:	siemens	model:	wincc flexible runtime	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2004	Trust: 1.0
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2008	Trust: 1.0
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2008	Trust: 0.9
vendor:	siemens	model:	simatic wincc flexible sp1	scope:	eq	version:	2008	Trust: 0.9
vendor:	siemens	model:	simatic wincc flexible sp2	scope:	eq	version:	2008	Trust: 0.9
vendor:	siemens	model:	simatic wincc flexible sp1	scope:	eq	version:	2005	Trust: 0.9
vendor:	siemens	model:	simatic wincc flexible runtime	scope:	eq	version:	0	Trust: 0.9
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	0	Trust: 0.9
vendor:	siemens	model:	simatic wincc sp2	scope:	eq	version:	v11	Trust: 0.9
vendor:	siemens	model:	simatic wincc sp1	scope:	eq	version:	v11	Trust: 0.9
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v11	Trust: 0.9
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	0	Trust: 0.9
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	comfort panels	Trust: 0.8
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	mobile panels	Trust: 0.8
vendor:	siemens	model:	simatic wincc	scope:	lt	version:	v11 sp2 update 1	Trust: 0.8
vendor:	siemens	model:	simatic wincc flexible	scope:	lt	version:	2008 sp3	Trust: 0.8
vendor:	siemens	model:	simatic wincc flexible rumtime	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	v11	Trust: 0.8
vendor:	wincc flexible	model:	-	scope:	eq	version:	2008	Trust: 0.6
vendor:	siemens	model:	wincc flexible runtime	scope:	-	version:	-	Trust: 0.6
vendor:	wincc	model:	-	scope:	eq	version:	v11	Trust: 0.4
vendor:	wincc flexible	model:	-	scope:	eq	version:	2004	Trust: 0.2
vendor:	wincc flexible	model:	-	scope:	eq	version:	2005	Trust: 0.2
vendor:	wincc flexible	model:	-	scope:	eq	version:	2007	Trust: 0.2
vendor:	wincc	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi panels	model:	comfort panels	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	mobile panels	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	mp	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	op	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	tp	scope:	-	version:	-	Trust: 0.2
vendor:	wincc runtime advanced	model:	-	scope:	eq	version:	v11	Trust: 0.2
vendor:	wincc flexible runtime	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 28828750-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5448 // BID: 51177 // JVNDB: JVNDB-2012-001310 // CNNVD: CNNVD-201112-422 // NVD: CVE-2011-4508

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-4508
value:	HIGH
Trust: 1.0
NVD:	CVE-2011-4508
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201112-422
value:	CRITICAL
Trust: 0.6
IVD:	28828750-2354-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-52453
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2011-4508
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2011-4508
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
IVD:	28828750-2354-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-52453
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 28828750-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52453 // JVNDB: JVNDB-2012-001310 // CNNVD: CNNVD-201112-422 // NVD: CVE-2011-4508

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-52453 // JVNDB: JVNDB-2012-001310 // NVD: CVE-2011-4508

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201112-422

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201112-422

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001310

PATCH

title:	SSA-345442	url:	http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf	Trust: 0.8
title:	ソリューションパートナー	url:	http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx	Trust: 0.8
title:	Top Page	url:	http://www.siemens.com/entry/jp/ja/	Trust: 0.8
title:	Patch for multiple Siemens SIMATIC Product Verification Bypass Vulnerabilities (CNVD-2011-5448)	url:	https://www.cnvd.org.cn/patchInfo/show/72707	Trust: 0.6

sources: CNVD: CNVD-2011-5448 // JVNDB: JVNDB-2012-001310

EXTERNAL IDS

db:	NVD	id:	CVE-2011-4508	Trust: 3.6
db:	ICS CERT	id:	ICSA-12-030-01	Trust: 2.5
db:	SIEMENS	id:	SSA-345442	Trust: 1.7
db:	CNNVD	id:	CNNVD-201112-422	Trust: 0.9
db:	BID	id:	51177	Trust: 0.9
db:	CNVD	id:	CNVD-2011-5448	Trust: 0.8
db:	JVNDB	id:	JVNDB-2012-001310	Trust: 0.8
db:	NSFOCUS	id:	18390	Trust: 0.6
db:	ICS CERT	id:	ICSA-11-356-01	Trust: 0.3
db:	ICS CERT	id:	ICSA-12-030-01A	Trust: 0.3
db:	IVD	id:	28828750-2354-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-52453	Trust: 0.1

sources: IVD: 28828750-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5448 // VULHUB: VHN-52453 // BID: 51177 // JVNDB: JVNDB-2012-001310 // CNNVD: CNNVD-201112-422 // NVD: CVE-2011-4508

REFERENCES

url:	http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01.pdf	Trust: 2.5
url:	http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4508	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4508	Trust: 0.8
url:	http://xs-sniper.com/blog/2011/12/20/the-siemens-simatic-remote-authentication-bypass-that-doesnt-exist/http	Trust: 0.6
url:	http://www.securityfocus.com/bid/51177	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/18390	Trust: 0.6
url:	http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/pages/default.aspx	Trust: 0.3
url:	http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/wincc-flexible/wincc-flexible-runtime/user-interface/pages/default.aspx	Trust: 0.3
url:	http://xs-sniper.com/blog/2011/12/20/the-siemens-simatic-remote-authentication-bypass-that-doesnt-exist/	Trust: 0.3
url:	http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01a.pdf	Trust: 0.3
url:	http://www.us-cert.gov/control_systems/pdf/icsa-11-356-01.pdf	Trust: 0.3

sources: CNVD: CNVD-2011-5448 // VULHUB: VHN-52453 // BID: 51177 // JVNDB: JVNDB-2012-001310 // CNNVD: CNNVD-201112-422 // NVD: CVE-2011-4508

CREDITS

Billy Rios and Terry McCorkle

Trust: 0.9

sources: BID: 51177 // CNNVD: CNNVD-201112-422

SOURCES

db:	IVD	id:	28828750-2354-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-5448
db:	VULHUB	id:	VHN-52453
db:	BID	id:	51177
db:	JVNDB	id:	JVNDB-2012-001310
db:	CNNVD	id:	CNNVD-201112-422
db:	NVD	id:	CVE-2011-4508

LAST UPDATE DATE

2024-08-14T13:36:41.772000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-5448	date:	2016-03-15T00:00:00
db:	VULHUB	id:	VHN-52453	date:	2012-02-07T00:00:00
db:	BID	id:	51177	date:	2012-04-18T21:20:00
db:	JVNDB	id:	JVNDB-2012-001310	date:	2012-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201112-422	date:	2012-01-05T00:00:00
db:	NVD	id:	CVE-2011-4508	date:	2012-02-07T05:00:00

SOURCES RELEASE DATE

db:	IVD	id:	28828750-2354-11e6-abef-000c29c66e3d	date:	2011-12-26T00:00:00
db:	CNVD	id:	CNVD-2011-5448	date:	2011-12-26T00:00:00
db:	VULHUB	id:	VHN-52453	date:	2012-02-03T00:00:00
db:	BID	id:	51177	date:	2011-12-22T00:00:00
db:	JVNDB	id:	JVNDB-2012-001310	date:	2012-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201112-422	date:	1900-01-01T00:00:00
db:	NVD	id:	CVE-2011-4508	date:	2012-02-03T20:55:01.250