Sign-up

ID

VAR-201308-0167


CVE

CVE-2013-2796


TITLE

plural Schneider Electric Vulnerability to read arbitrary files in the product

Trust: 0.8

sources: JVNDB: JVNDB-2013-003715

DESCRIPTION

Schneider Electric Vijeo Citect 7.20 and earlier, CitectSCADA 7.20 and earlier, and PowerLogic SCADA 7.20 and earlier allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. Multiple Schneider Electric products have security vulnerabilities that allow attackers to exploit vulnerabilities to obtain sensitive information or to perform denial of service attacks. Vulnerability-related errors with XML external entity references allow an attacker to submit specially crafted XML data that specifically references external resources, obtain sensitive information from local resources, or perform denial of service attacks. A remote attacker can exploit a vulnerability to gain sensitive information or perform a denial of service attack. Multiple Schneider Electric products are prone to an information-disclosure vulnerability. The following products are affected: Vijeo Citect 7.20 and prior CitectSCADA 7.20 and prior PowerLogic SCADA 7.20 and prior. Schneider Electric Vijeo Citect, CitectSCADA, and PowerLogic SCADA are software from Schneider Electric, France, that provide monitoring and control functions in supervisory control and data acquisition systems (SCADA)

Trust: 2.7

sources: NVD: CVE-2013-2796 // JVNDB: JVNDB-2013-003715 // CNVD: CNVD-2013-11763 // BID: 61598 // IVD: c95a4b10-2352-11e6-abef-000c29c66e3d // VULHUB: VHN-62798

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: c95a4b10-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-11763

AFFECTED PRODUCTS

vendor:schneider electricmodel:citectscadascope:lteversion:7.20

Trust: 1.8

vendor:schneider electricmodel:powerlogic scadascope:lteversion:7.20

Trust: 1.8

vendor:schneider electricmodel:vijeo citectscope:lteversion:7.20

Trust: 1.8

vendor:schneider electricmodel:powerlogic scadascope:eqversion:7.10

Trust: 1.6

vendor:schneider electricmodel:vijeo citectscope:eqversion:7.10

Trust: 1.6

vendor:schneider electricmodel:citectscadascope:eqversion:7.10

Trust: 1.6

vendor:schneidermodel:electric vijeo citectscope:eqversion:7.20

Trust: 0.9

vendor:schneidermodel:electric citectscadascope:eqversion:7.20

Trust: 0.6

vendor:schneidermodel:electric powerlogic scadascope:eqversion:7.20

Trust: 0.6

vendor:schneider electricmodel:powerlogic scadascope:eqversion:7.20

Trust: 0.6

vendor:schneider electricmodel:vijeo citectscope:eqversion:7.20

Trust: 0.6

vendor:schneider electricmodel:citectscadascope:eqversion:7.20

Trust: 0.6

vendor:citectscadamodel: - scope:eqversion:7.10

Trust: 0.2

vendor:citectscadamodel: - scope:eqversion:*

Trust: 0.2

vendor:powerlogic scadamodel: - scope:eqversion:7.10

Trust: 0.2

vendor:powerlogic scadamodel: - scope:eqversion:*

Trust: 0.2

vendor:vijeo citectmodel: - scope:eqversion:7.10

Trust: 0.2

vendor:vijeo citectmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: c95a4b10-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-11763 // BID: 61598 // JVNDB: JVNDB-2013-003715 // CNNVD: CNNVD-201308-141 // NVD: CVE-2013-2796

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-2796
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-2796
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-11763
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201308-141
value: MEDIUM

Trust: 0.6

IVD: c95a4b10-2352-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-62798
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-2796
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-11763
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: c95a4b10-2352-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-62798
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: c95a4b10-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-11763 // VULHUB: VHN-62798 // JVNDB: JVNDB-2013-003715 // CNNVD: CNNVD-201308-141 // NVD: CVE-2013-2796

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-62798 // JVNDB: JVNDB-2013-003715 // NVD: CVE-2013-2796

THREAT TYPE

local

Trust: 0.9

sources: BID: 61598 // CNNVD: CNNVD-201308-141

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201308-141

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-003715

PATCH
title:Top Pageurl:http://www.schneider-electric.com/site/home/index.cfm/uk/
Trust: 0.8
title:Patch Information - cs-HF720SP459363url:http://www.citect.schneider-electric.com/cs-HF720SP459363
Trust: 0.8
title:サポートurl:http://www.schneider-electric.co.jp/sites/japan/jp/support/contact/we-care.page
Trust: 0.8
title:トップページurl:http://www.schneider-electric.com/site/home/index.cfm/jp/
Trust: 0.8
title:Schneider Electric patch for multiple product XML external entity vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/38074
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2013-11763 // 
            
            
            
            JVNDB: JVNDB-2013-003715

EXTERNAL IDS
db:NVDid:CVE-2013-2796
Trust: 3.6
db:ICS CERTid:ICSA-13-217-02
Trust: 2.8
db:BIDid:61598
Trust: 1.0
db:CNNVDid:CNNVD-201308-141
Trust: 0.9
db:SCHNEIDERid:SEVD-2013-197-01
Trust: 0.9
db:CNVDid:CNVD-2013-11763
Trust: 0.8
db:JVNDBid:JVNDB-2013-003715
Trust: 0.8
db:SECUNIAid:54422
Trust: 0.6
db:IVDid:C95A4B10-2352-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-62798
Trust: 0.1
sources:
            
            
            IVD: c95a4b10-2352-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2013-11763 // 
            
            
            
            VULHUB: VHN-62798 // 
            
            
            
            BID: 61598 // 
            
            
            
            JVNDB: JVNDB-2013-003715 // 
            
            
            
            CNNVD: CNNVD-201308-141 // 
            
            
            
            NVD: CVE-2013-2796

REFERENCES
url:http://ics-cert.us-cert.gov/advisories/icsa-13-217-02
Trust: 2.8
url:http://www.citect.schneider-electric.com/cs-hf720sp459363
Trust: 1.7
url:http://www.schneider-electric.com/download/ww/en/details/125349410-vulnerability-disclosure---citectscada-vijeo-citect-powerlogic-scada/?reference=sevd-2013-197-01
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2796
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2796
Trust: 0.8
url:http://download.schneider-electric.com/files?p_file_id=125349417&p_file_name=sevd-2013-197-01.pdf
Trust: 0.6
url:http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/content/news/data/en/local/cybersecurity/general_information/2013/07/20130716_advisory_of_vulnerability_affecting_vijeo_citect_citect_scada_and_powe.xml
Trust: 0.6
url:http://www.secunia.com/advisories/54422/
Trust: 0.6
url:http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/content/news/data/en/local/cybersecurity/general_information/2013/07/20130716_advi
Trust: 0.3
url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2013-11763 // 
            
            
            
            VULHUB: VHN-62798 // 
            
            
            
            BID: 61598 // 
            
            
            
            JVNDB: JVNDB-2013-003715 // 
            
            
            
            CNNVD: CNNVD-201308-141 // 
            
            
            
            NVD: CVE-2013-2796

CREDITS
Timur Yunusov, Alexey Osipov and Ilya Karpov of Positive Technologies
Trust: 0.3
sources:
            
            
            BID: 61598

SOURCES
db:IVDid:c95a4b10-2352-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2013-11763
db:VULHUBid:VHN-62798
db:BIDid:61598
db:JVNDBid:JVNDB-2013-003715
db:CNNVDid:CNNVD-201308-141
db:NVDid:CVE-2013-2796

LAST UPDATE DATE
2024-08-14T14:52:37.527000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2013-11763date:2013-08-08T00:00:00
db:VULHUBid:VHN-62798date:2013-08-12T00:00:00
db:BIDid:61598date:2015-03-19T08:09:00
db:JVNDBid:JVNDB-2013-003715date:2013-08-13T00:00:00
db:CNNVDid:CNNVD-201308-141date:2013-08-28T00:00:00
db:NVDid:CVE-2013-2796date:2013-08-12T20:21:04.173

SOURCES RELEASE DATE
db:IVDid:c95a4b10-2352-11e6-abef-000c29c66e3ddate:2013-08-08T00:00:00
db:CNVDid:CNVD-2013-11763date:2013-08-08T00:00:00
db:VULHUBid:VHN-62798date:2013-08-09T00:00:00
db:BIDid:61598date:2013-07-16T00:00:00
db:JVNDBid:JVNDB-2013-003715date:2013-08-13T00:00:00
db:CNNVDid:CNNVD-201308-141date:2013-08-23T00:00:00
db:NVDid:CVE-2013-2796date:2013-08-09T23:55:02.537