ID

VAR-201306-0314


CVE

CVE-2013-3957


TITLE

SQL injection vulnerability in the Web Navigator of Siemens WinCC as used in SIMATIC PCS 7

Trust: 0.8

sources: JVNDB: JVNDB-2013-002982

DESCRIPTION

SQL injection vulnerability in the login screen in the Web Navigator in Siemens WinCC before 7.2 Update 1, as used in SIMATIC PCS7 8.0 SP1 and earlier and other products, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Siemens SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system. Siemens SIMATIC PCS is a process control system. By manipulating the database, remote attackers can exploit this vulnerability to escalate their privileges. Depending on the system configuration, it is possible to obtain full system access rights and execute any SQL command.

Trust: 2.7

sources: NVD: CVE-2013-3957 // JVNDB: JVNDB-2013-002982 // CNVD: CNVD-2013-07609 // BID: 60558 // IVD: e6a420b0-2352-11e6-abef-000c29c66e3d // VULHUB: VHN-63959

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.8

sources: IVD: e6a420b0-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-07609

AFFECTED PRODUCTS

vendor: siemens | model: simatic pcs7 | scope: eq | version: 8.0

Trust: 1.6

vendor: siemens | model: wincc | scope: eq | version: 7.1

Trust: 1.6

vendor: siemens | model: wincc | scope: eq | version: 7.0

Trust: 1.6

vendor: siemens | model: wincc | scope: lte | version: 7.2

Trust: 1.0

vendor: siemens | model: simatic pcs7 | scope: lte | version: 8.0

Trust: 1.0

vendor: wincc | model: - | scope: eq | version: 7.0

Trust: 0.8

vendor: siemens | model: simatic pcs 7 | scope: lte | version: 8.0 sp1

Trust: 0.8

vendor: siemens | model: simatic wincc | scope: lt | version: 7.2 update 1

Trust: 0.8

vendor: siemens | model: simatic wincc | scope: eq | version: 7.x

Trust: 0.6

vendor: siemens | model: simatic pcs | scope: eq | version: 78.x

Trust: 0.6

vendor: siemens | model: wincc | scope: eq | version: 7.2

Trust: 0.6

vendor: wincc | model: - | scope: eq | version: 7.1

Trust: 0.4

vendor: simatic pcs7 | model: - | scope: eq | version: 8.0

Trust: 0.2

vendor: simatic pcs7 | model: - | scope: eq | version: *

Trust: 0.2

vendor: wincc | model: - | scope: eq | version: *

Trust: 0.2

sources: IVD: e6a420b0-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-07609 // JVNDB: JVNDB-2013-002982 // CNNVD: CNNVD-201306-247 // NVD: CVE-2013-3957

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-3957
value: HIGH

Trust: 1.0

NVD: CVE-2013-3957
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-07609
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201306-247
value: HIGH

Trust: 0.6

IVD: e6a420b0-2352-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-63959
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-3957
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-07609
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e6a420b0-2352-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-63959
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: e6a420b0-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-07609 // VULHUB: VHN-63959 // JVNDB: JVNDB-2013-002982 // CNNVD: CNNVD-201306-247 // NVD: CVE-2013-3957

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-63959 // JVNDB: JVNDB-2013-002982 // NVD: CVE-2013-3957

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-247

TYPE

SQL injection

Trust: 0.8

sources: IVD: e6a420b0-2352-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201306-247

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002982

PATCH

title: SSA-345843: Vulnerabilities in WinCC 7.2 | url: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf

Trust: 0.8

title: Patch for Siemens SIMATIC WinCC/PCS 7 SQL Injection Vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/34669

Trust: 0.6

sources: CNVD: CNVD-2013-07609 // JVNDB: JVNDB-2013-002982

EXTERNAL IDS

db: NVD | id: CVE-2013-3957

Trust: 3.6

db: SIEMENS | id: SSA-345843

Trust: 1.7

db: SECUNIA | id: 53805

Trust: 1.2

db: BID | id: 60558

Trust: 1.0

db: CNVD | id: CNVD-2013-07609

Trust: 0.8

db: CNNVD | id: CNNVD-201306-247

Trust: 0.8

db: JVNDB | id: JVNDB-2013-002982

Trust: 0.8

db: IVD | id: E6A420B0-2352-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB | id: VHN-63959

Trust: 0.1

sources: IVD: e6a420b0-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-07609 // VULHUB: VHN-63959 // BID: 60558 // JVNDB: JVNDB-2013-002982 // CNNVD: CNNVD-201306-247 // NVD: CVE-2013-3957

REFERENCES

url:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3957

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3957

Trust: 0.8

url:http://secunia.com/advisories/53805/

Trust: 0.6

url:http://secunia.com/advisories/53805

Trust: 0.6

url:http://subscriber.communications.siemens.com/

Trust: 0.3

sources: CNVD: CNVD-2013-07609 // VULHUB: VHN-63959 // BID: 60558 // JVNDB: JVNDB-2013-002982 // CNNVD: CNNVD-201306-247 // NVD: CVE-2013-3957

CREDITS

Alexander Tlyapov from Positive Technologies

Trust: 0.3

sources: BID: 60558

SOURCES

db: IVD | id: e6a420b0-2352-11e6-abef-000c29c66e3d
db: CNVD | id: CNVD-2013-07609
db: VULHUB | id: VHN-63959
db: BID | id: 60558
db: JVNDB | id: JVNDB-2013-002982
db: CNNVD | id: CNNVD-201306-247
db: NVD | id: CVE-2013-3957

LAST UPDATE DATE

2024-08-14T14:28:02.923000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2013-07609 | date: 2013-06-19T00:00:00
db: VULHUB | id: VHN-63959 | date: 2013-06-17T00:00:00
db: BID | id: 60558 | date: 2015-03-19T08:17:00
db: JVNDB | id: JVNDB-2013-002982 | date: 2013-06-18T00:00:00
db: CNNVD | id: CNNVD-201306-247 | date: 2013-07-11T00:00:00
db: NVD | id: CVE-2013-3957 | date: 2013-06-17T04:00:00

SOURCES RELEASE DATE

db: IVD | id: e6a420b0-2352-11e6-abef-000c29c66e3d | date: 2013-06-19T00:00:00
db: CNVD | id: CNVD-2013-07609 | date: 2013-06-19T00:00:00
db: VULHUB | id: VHN-63959 | date: 2013-06-14T00:00:00
db: BID | id: 60558 | date: 2013-06-14T00:00:00
db: JVNDB | id: JVNDB-2013-002982 | date: 2013-06-18T00:00:00
db: CNNVD | id: CNNVD-201306-247 | date: 2013-06-18T00:00:00
db: NVD | id: CVE-2013-3957 | date: 2013-06-14T19:55:01.233