Details of VAR-201202-0165

ID

VAR-201202-0165

CVE

CVE-2011-4878

TITLE

plural Siemens Product HMI Web Server traversal vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2012-001320

DESCRIPTION

Directory traversal vulnerability in miniweb.exe in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to read arbitrary files via a ..%5c (dot dot backslash) in a URI. plural Siemens Product HMI Web Server miniweb.exe Contains a directory traversal vulnerability.By a third party ..%5c ( Dot dot backslash ) including URI Any file may be read via. Siemens SIMATIC is an automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. The HMI web server listening on TCP ports 80 and 443 does not correctly verify the URL in the HTTP request, and builds a URL containing a specially crafted slash to perform a directory traversal attack and read any file in the file system. Siemens SIMATIC WinCC is prone to an HTTP-header-injection issue, a directory-traversal issue, and an arbitrary memory-read access issue because the application fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to gain elevated privileges, obtain sensitive information, or cause denial-of-service conditions. A remote attacker can exploit this vulnerability to read arbitrary files by means of ../ (dotted backslashes) in the URL

Trust: 2.7

sources: NVD: CVE-2011-4878 // JVNDB: JVNDB-2012-001320 // CNVD: CNVD-2012-0468 // BID: 51836 // IVD: 2848847e-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52823

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 2848847e-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-0468

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	mp	Trust: 2.4
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	tp	Trust: 2.4
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	op	Trust: 2.4
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2005	Trust: 1.7
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2004	Trust: 1.7
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2007	Trust: 1.7
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	comfort_panels	Trust: 1.6
vendor:	siemens	model:	wincc runtime advanced	scope:	eq	version:	v11	Trust: 1.6
vendor:	siemens	model:	wincc	scope:	eq	version:	v11	Trust: 1.6
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	mobile_panels	Trust: 1.6
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2005	Trust: 1.0
vendor:	siemens	model:	wincc	scope:	lte	version:	v11	Trust: 1.0
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2007	Trust: 1.0
vendor:	siemens	model:	wincc flexible runtime	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2004	Trust: 1.0
vendor:	siemens	model:	wincc flexible	scope:	eq	version:	2008	Trust: 1.0
vendor:	siemens	model:	simatic wincc flexible	scope:	eq	version:	2008	Trust: 0.9
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	v11	Trust: 0.9
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	sp2 update 1	Trust: 0.8
vendor:	siemens	model:	simatic wincc	scope:	lt	version:	v11\\	Trust: 0.8
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	comfort panels	Trust: 0.8
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	v11	Trust: 0.8
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	mobile panels	Trust: 0.8
vendor:	siemens	model:	simatic wincc flexible rumtime	scope:	-	version:	-	Trust: 0.8
vendor:	wincc flexible	model:	-	scope:	eq	version:	2008	Trust: 0.6
vendor:	siemens	model:	simatic hmi panels	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic wincc flexible runtime	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic wincc	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	wincc flexible runtime	scope:	-	version:	-	Trust: 0.6
vendor:	wincc	model:	-	scope:	eq	version:	v11	Trust: 0.4
vendor:	siemens	model:	simatic wincc flexible runtime	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc runtime advanced	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic wincc	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	simatic hmi panels	scope:	eq	version:	0	Trust: 0.3
vendor:	wincc flexible	model:	-	scope:	eq	version:	2004	Trust: 0.2
vendor:	wincc flexible	model:	-	scope:	eq	version:	2005	Trust: 0.2
vendor:	wincc flexible	model:	-	scope:	eq	version:	2007	Trust: 0.2
vendor:	wincc	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic hmi panels	model:	comfort panels	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	mobile panels	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	mp	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	op	scope:	-	version:	-	Trust: 0.2
vendor:	simatic hmi panels	model:	tp	scope:	-	version:	-	Trust: 0.2
vendor:	wincc runtime advanced	model:	-	scope:	eq	version:	v11	Trust: 0.2
vendor:	wincc flexible runtime	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 2848847e-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-0468 // BID: 51836 // JVNDB: JVNDB-2012-001320 // CNNVD: CNNVD-201202-093 // NVD: CVE-2011-4878

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-4878
value:	HIGH
Trust: 1.0
NVD:	CVE-2011-4878
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201202-093
value:	HIGH
Trust: 0.6
IVD:	2848847e-2354-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2
VULHUB:	VHN-52823
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2011-4878
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
IVD:	2848847e-2354-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-52823
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 2848847e-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52823 // JVNDB: JVNDB-2012-001320 // CNNVD: CNNVD-201202-093 // NVD: CVE-2011-4878

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-52823 // JVNDB: JVNDB-2012-001320 // NVD: CVE-2011-4878

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-093

TYPE

Path traversal

Trust: 0.8

sources: IVD: 2848847e-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201202-093

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001320

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-52823

PATCH

title:	SSA-345442	url:	http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf	Trust: 0.8
title:	ソリューションパートナー	url:	http://www.automation.siemens.com/automation/jp/ja/solutionpartner/pages/default.aspx	Trust: 0.8
title:	Top Page	url:	http://www.siemens.com/entry/jp/ja/	Trust: 0.8
title:	Patch for Siemens SIMATIC WinCC HMI Directory Traversal Vulnerability (CNVD-2012-0468)	url:	https://www.cnvd.org.cn/patchInfo/show/9074	Trust: 0.6

sources: CNVD: CNVD-2012-0468 // JVNDB: JVNDB-2012-001320

EXTERNAL IDS

db:	NVD	id:	CVE-2011-4878	Trust: 3.6
db:	ICS CERT	id:	ICSA-12-030-01	Trust: 3.4
db:	SIEMENS	id:	SSA-345442	Trust: 1.7
db:	ICS CERT ALERT	id:	ICS-ALERT-11-332-02A	Trust: 1.1
db:	ICS CERT ALERT	id:	ICS-ALERT-11-332-02	Trust: 1.1
db:	EXPLOIT-DB	id:	18166	Trust: 1.1
db:	OSVDB	id:	77383	Trust: 1.1
db:	CNNVD	id:	CNNVD-201202-093	Trust: 0.9
db:	CNVD	id:	CNVD-2012-0468	Trust: 0.8
db:	JVNDB	id:	JVNDB-2012-001320	Trust: 0.8
db:	NSFOCUS	id:	18633	Trust: 0.6
db:	ICS CERT	id:	ICSA-12-030-01A	Trust: 0.3
db:	BID	id:	51836	Trust: 0.3
db:	IVD	id:	2848847E-2354-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-52823	Trust: 0.1

sources: IVD: 2848847e-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-0468 // VULHUB: VHN-52823 // BID: 51836 // JVNDB: JVNDB-2012-001320 // CNNVD: CNNVD-201202-093 // NVD: CVE-2011-4878

REFERENCES

url:	http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01.pdf	Trust: 3.4
url:	http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf	Trust: 1.7
url:	http://www.exploit-db.com/exploits/18166	Trust: 1.1
url:	http://aluigi.org/adv/winccflex_1-adv.txt	Trust: 1.1
url:	http://www.us-cert.gov/control_systems/pdf/ics-alert-11-332-02.pdf	Trust: 1.1
url:	http://www.us-cert.gov/control_systems/pdf/ics-alert-11-332-02a.pdf	Trust: 1.1
url:	http://www.osvdb.org/77383	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/71452	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4878	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4878	Trust: 0.8
url:	http://aluigi.altervista.org/adv/winccflex_1-adv.txt	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/18633	Trust: 0.6
url:	http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/scada/pages/default.aspx	Trust: 0.3
url:	http://www.us-cert.gov/control_systems/pdf/icsa-12-030-01a.pdf	Trust: 0.3

sources: CNVD: CNVD-2012-0468 // VULHUB: VHN-52823 // BID: 51836 // JVNDB: JVNDB-2012-001320 // CNNVD: CNNVD-201202-093 // NVD: CVE-2011-4878

CREDITS

ICS-CERT

Trust: 0.9

sources: BID: 51836 // CNNVD: CNNVD-201202-093

SOURCES

db:	IVD	id:	2848847e-2354-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2012-0468
db:	VULHUB	id:	VHN-52823
db:	BID	id:	51836
db:	JVNDB	id:	JVNDB-2012-001320
db:	CNNVD	id:	CNNVD-201202-093
db:	NVD	id:	CVE-2011-4878

LAST UPDATE DATE

2024-08-14T13:36:41.530000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2012-0468	date:	2012-02-07T00:00:00
db:	VULHUB	id:	VHN-52823	date:	2017-08-29T00:00:00
db:	BID	id:	51836	date:	2012-04-18T21:20:00
db:	JVNDB	id:	JVNDB-2012-001320	date:	2012-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201202-093	date:	2012-02-07T00:00:00
db:	NVD	id:	CVE-2011-4878	date:	2017-08-29T01:30:37.350

SOURCES RELEASE DATE

db:	IVD	id:	2848847e-2354-11e6-abef-000c29c66e3d	date:	2012-02-07T00:00:00
db:	CNVD	id:	CNVD-2012-0468	date:	2012-02-07T00:00:00
db:	VULHUB	id:	VHN-52823	date:	2012-02-03T00:00:00
db:	BID	id:	51836	date:	2012-02-02T00:00:00
db:	JVNDB	id:	JVNDB-2012-001320	date:	2012-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201202-093	date:	2012-02-07T00:00:00
db:	NVD	id:	CVE-2011-4878	date:	2012-02-03T20:55:02.030