ID

VAR-201202-0164


CVE

CVE-2011-4877


TITLE

plural Siemens Product HmiLoad Service disruption in ( Application crash ) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2012-001319

DESCRIPTION

HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to cause a denial of service (application crash) by sending crafted data over TCP. Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request to allow the server to access any illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad provides functions that read data and unicode strings with stack-based buffer overflows, allowing an attacker to exploit a vulnerability to execute arbitrary code. Siemens SIMATIC is an automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When the transfer mode is enabled, the runtime loader listens on the 2308/TCP or 50523/TCP port. Since the incoming data is not fully verified, there are multiple denial of service attacks that can crash the program. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory. Attackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible

Trust: 5.4

sources: NVD: CVE-2011-4877 // JVNDB: JVNDB-2012-001319 // CNVD: CNVD-2011-5108 // CNVD: CNVD-2011-5110 // CNVD: CNVD-2011-5103 // CNVD: CNVD-2011-5107 // CNVD: CNVD-2012-0467 // CNVD: CNVD-2011-5105 // BID: 50828 // IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52822

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 3.8

sources: IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5108 // CNVD: CNVD-2011-5110 // CNVD: CNVD-2011-5103 // CNVD: CNVD-2011-5107 // CNVD: CNVD-2012-0467 // CNVD: CNVD-2011-5105

AFFECTED PRODUCTS

vendor:siemensmodel:simatic wincc flexible runtimescope: - version: -

Trust: 3.6

vendor:siemensmodel:simatic wincc flexible sp2scope:eqversion:2008

Trust: 3.3

vendor:siemensmodel:simatic hmi panelsscope:eqversion:mp

Trust: 2.4

vendor:siemensmodel:simatic hmi panelsscope:eqversion:op

Trust: 2.4

vendor:siemensmodel:simatic hmi panelsscope:eqversion:tp

Trust: 2.4

vendor:siemensmodel:simatic wincc flexiblescope:eqversion:2008

Trust: 1.7

vendor:siemensmodel:simatic wincc flexiblescope:eqversion:2007

Trust: 1.7

vendor:siemensmodel:simatic wincc flexiblescope:eqversion:2005

Trust: 1.7

vendor:siemensmodel:simatic wincc flexiblescope:eqversion:2004

Trust: 1.7

vendor:siemensmodel:simatic hmi panelsscope:eqversion:comfort_panels

Trust: 1.6

vendor:siemensmodel:wincc runtime advancedscope:eqversion:v11

Trust: 1.6

vendor:siemensmodel:winccscope:eqversion:v11

Trust: 1.6

vendor:siemensmodel:wincc flexiblescope:eqversion:2004

Trust: 1.6

vendor:siemensmodel:wincc flexiblescope:eqversion:2005

Trust: 1.6

vendor:siemensmodel:simatic hmi panelsscope:eqversion:mobile_panels

Trust: 1.6

vendor:siemensmodel:simatic winccscope:eqversion:v11

Trust: 1.4

vendor:siemensmodel:wincc flexiblescope:eqversion:2007

Trust: 1.0

vendor:siemensmodel:wincc flexible runtimescope:eqversion:*

Trust: 1.0

vendor:siemensmodel:wincc flexiblescope:eqversion:2008

Trust: 1.0

vendor:siemensmodel:simatic hmi panelsscope:eqversion:comfort panels

Trust: 0.8

vendor:siemensmodel:simatic hmi panelsscope:eqversion:mobile panels

Trust: 0.8

vendor:siemensmodel:simatic wincc flexible rumtimescope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic wincc runtime advancedscope:eqversion:v11

Trust: 0.8

vendor:siemensmodel:simatic wincc runtime advancedscope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic hmi panelsscope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic winccscope: - version: -

Trust: 0.6

vendor:siemensmodel:wincc flexible runtimescope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic wincc flexible runtimescope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic wincc flexible sp1scope:eqversion:2008

Trust: 0.3

vendor:siemensmodel:simatic wincc flexible sp1scope:eqversion:2005

Trust: 0.3

vendor:wincc flexiblemodel: - scope:eqversion:2004

Trust: 0.2

vendor:wincc flexiblemodel: - scope:eqversion:2005

Trust: 0.2

vendor:wincc flexiblemodel: - scope:eqversion:2007

Trust: 0.2

vendor:wincc flexiblemodel: - scope:eqversion:2008

Trust: 0.2

vendor:winccmodel: - scope:eqversion:v11

Trust: 0.2

vendor:simatic hmi panelsmodel:comfort panelsscope: - version: -

Trust: 0.2

vendor:simatic hmi panelsmodel:mobile panelsscope: - version: -

Trust: 0.2

vendor:simatic hmi panelsmodel:mpscope: - version: -

Trust: 0.2

vendor:simatic hmi panelsmodel:opscope: - version: -

Trust: 0.2

vendor:simatic hmi panelsmodel:tpscope: - version: -

Trust: 0.2

vendor:wincc runtime advancedmodel: - scope:eqversion:v11

Trust: 0.2

vendor:wincc flexible runtimemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5108 // CNVD: CNVD-2011-5110 // CNVD: CNVD-2011-5103 // CNVD: CNVD-2011-5107 // CNVD: CNVD-2012-0467 // CNVD: CNVD-2011-5105 // BID: 50828 // JVNDB: JVNDB-2012-001319 // CNNVD: CNNVD-201202-092 // NVD: CVE-2011-4877

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4877
value: HIGH

Trust: 1.0

NVD: CVE-2011-4877
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201202-092
value: HIGH

Trust: 0.6

IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-52822
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-4877
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-52822
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52822 // JVNDB: JVNDB-2012-001319 // CNNVD: CNNVD-201202-092 // NVD: CVE-2011-4877

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-52822 // JVNDB: JVNDB-2012-001319 // NVD: CVE-2011-4877

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201111-480 // CNNVD: CNNVD-201202-092

TYPE

Input validation

Trust: 0.8

sources: IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201202-092

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001319

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-52822

PATCH

title:SSA-345442url:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf

Trust: 0.8

title:ソリューションパートナーurl:http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx

Trust: 0.8

title:Top Pageurl:http://www.siemens.com/entry/jp/ja/

Trust: 0.8

title:Patch for Siemens SIMATIC WinCC Flexible Runtime 'HmiLoad.exe' file download vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/72694

Trust: 0.6

title:Siemens SIMATIC WinCC Flexible Runtime 'HmiLoad.exe' memory access vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/72697

Trust: 0.6

title:Siemens SIMATIC WinCC Flexible Runtime 'HmiLoad.exe' Buffer Overflow Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/72705

Trust: 0.6

title:Siemens SIMATIC WinCC Flexible Runtime 'HmiLoad.exe' service crash vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/72689

Trust: 0.6

title:Patch for Siemens SIMATIC WinCC HMI Denial of Service Attack Vulnerability (CNVD-2012-0467)url:https://www.cnvd.org.cn/patchInfo/show/9073

Trust: 0.6

sources: CNVD: CNVD-2011-5108 // CNVD: CNVD-2011-5110 // CNVD: CNVD-2011-5103 // CNVD: CNVD-2011-5107 // CNVD: CNVD-2012-0467 // JVNDB: JVNDB-2012-001319

EXTERNAL IDS

db:BIDid:50828

Trust: 3.9

db:NVDid:CVE-2011-4877

Trust: 3.6

db:ICS CERTid:ICSA-12-030-01

Trust: 3.4

db:SIEMENSid:SSA-345442

Trust: 1.7

db:ICS CERT ALERTid:ICS-ALERT-11-332-02A

Trust: 1.1

db:ICS CERT ALERTid:ICS-ALERT-11-332-02

Trust: 1.1

db:EXPLOIT-DBid:18166

Trust: 1.1

db:OSVDBid:77382

Trust: 1.1

db:CNNVDid:CNNVD-201202-092

Trust: 0.9

db:CNVDid:CNVD-2012-0467

Trust: 0.8

db:JVNDBid:JVNDB-2012-001319

Trust: 0.8

db:CNVDid:CNVD-2011-5108

Trust: 0.6

db:CNVDid:CNVD-2011-5110

Trust: 0.6

db:CNVDid:CNVD-2011-5103

Trust: 0.6

db:CNVDid:CNVD-2011-5107

Trust: 0.6

db:CNVDid:CNVD-2011-5105

Trust: 0.6

db:CNNVDid:CNNVD-201111-480

Trust: 0.6

db:ICS CERTid:ICSA-12-030-01A

Trust: 0.3

db:IVDid:28B0BC2E-2354-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:VULHUBid:VHN-52822

Trust: 0.1

sources: IVD: 28b0bc2e-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5108 // CNVD: CNVD-2011-5110 // CNVD: CNVD-2011-5103 // CNVD: CNVD-2011-5107 // CNVD: CNVD-2012-0467 // CNVD: CNVD-2011-5105 // VULHUB: VHN-52822 // BID: 50828 // JVNDB: JVNDB-2012-001319 // CNNVD: CNNVD-201111-480 // CNNVD: CNNVD-201202-092 // NVD: CVE-2011-4877

REFERENCES

url:http://aluigi.altervista.org/adv/winccflex_1-adv.txt

Trust: 3.9

url:http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01.pdf

Trust: 3.4

url:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf

Trust: 1.7

url:http://www.exploit-db.com/exploits/18166

Trust: 1.1

url:http://aluigi.org/adv/winccflex_1-adv.txt

Trust: 1.1

url:http://www.us-cert.gov/control_systems/pdf/ics-alert-11-332-02.pdf

Trust: 1.1

url:http://www.us-cert.gov/control_systems/pdf/ics-alert-11-332-02a.pdf

Trust: 1.1

url:http://www.osvdb.org/77382

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/71451

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4877

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4877

Trust: 0.8

url:http://www.securityfocus.com/bid/50828

Trust: 0.6

url:http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/wincc-flexible/wincc-flexible-runtime/pages/default.aspx

Trust: 0.3

url:http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01a.pdf

Trust: 0.3

sources: CNVD: CNVD-2011-5108 // CNVD: CNVD-2011-5110 // CNVD: CNVD-2011-5103 // CNVD: CNVD-2011-5107 // CNVD: CNVD-2012-0467 // CNVD: CNVD-2011-5105 // VULHUB: VHN-52822 // BID: 50828 // JVNDB: JVNDB-2012-001319 // CNNVD: CNNVD-201111-480 // CNNVD: CNNVD-201202-092 // NVD: CVE-2011-4877

CREDITS

Luigi Auriemma

Trust: 0.9

sources: BID: 50828 // CNNVD: CNNVD-201111-480

SOURCES

db:IVDid:28b0bc2e-2354-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2011-5108
db:CNVDid:CNVD-2011-5110
db:CNVDid:CNVD-2011-5103
db:CNVDid:CNVD-2011-5107
db:CNVDid:CNVD-2012-0467
db:CNVDid:CNVD-2011-5105
db:VULHUBid:VHN-52822
db:BIDid:50828
db:JVNDBid:JVNDB-2012-001319
db:CNNVDid:CNNVD-201111-480
db:CNNVDid:CNNVD-201202-092
db:NVDid:CVE-2011-4877

LAST UPDATE DATE

2024-08-14T13:36:41.620000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2011-5108date:2016-03-15T00:00:00
db:CNVDid:CNVD-2011-5110date:2016-03-15T00:00:00
db:CNVDid:CNVD-2011-5103date:2016-03-15T00:00:00
db:CNVDid:CNVD-2011-5107date:2016-03-15T00:00:00
db:CNVDid:CNVD-2012-0467date:2012-02-07T00:00:00
db:CNVDid:CNVD-2011-5105date:2011-12-05T00:00:00
db:VULHUBid:VHN-52822date:2017-08-29T00:00:00
db:BIDid:50828date:2012-04-18T21:20:00
db:JVNDBid:JVNDB-2012-001319date:2012-02-08T00:00:00
db:CNNVDid:CNNVD-201111-480date:2011-11-30T00:00:00
db:CNNVDid:CNNVD-201202-092date:2012-02-07T00:00:00
db:NVDid:CVE-2011-4877date:2017-08-29T01:30:37.270

SOURCES RELEASE DATE

db:IVDid:28b0bc2e-2354-11e6-abef-000c29c66e3ddate:2012-02-07T00:00:00
db:CNVDid:CNVD-2011-5108date:2011-12-05T00:00:00
db:CNVDid:CNVD-2011-5110date:2011-12-05T00:00:00
db:CNVDid:CNVD-2011-5103date:2011-12-05T00:00:00
db:CNVDid:CNVD-2011-5107date:2011-12-05T00:00:00
db:CNVDid:CNVD-2012-0467date:2012-02-07T00:00:00
db:CNVDid:CNVD-2011-5105date:2011-12-05T00:00:00
db:VULHUBid:VHN-52822date:2012-02-03T00:00:00
db:BIDid:50828date:2011-11-28T00:00:00
db:JVNDBid:JVNDB-2012-001319date:2012-02-08T00:00:00
db:CNNVDid:CNNVD-201111-480date:1900-01-01T00:00:00
db:CNNVDid:CNNVD-201202-092date:2012-02-07T00:00:00
db:NVDid:CVE-2011-4877date:2012-02-03T20:55:01.983