Sign-up

ID

VAR-201403-0343


CVE

CVE-2014-2249


TITLE

Siemens SIMATIC S7-1500 CPU PLC Device firmware cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001709

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability on Siemens SIMATIC S7-1500 CPU PLC devices with firmware before 1.5.0 and SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Siemens SIMATIC is an automation software in a single engineering environment. An unidentified cross-site request forgery vulnerability exists in the WEB server integrated with Siemens SIMATIC S7-1500, allowing remote attackers to construct malicious URIs, enticing users to resolve, and performing malicious operations in the target user context. Siemens SIMATIC S7-1500 is prone to a cross-site request-forgery vulnerability because it fails to properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible. Versions prior to SIMATIC S7-1500 1.5.0 are vulnerable

Trust: 2.7

sources: NVD: CVE-2014-2249 // JVNDB: JVNDB-2014-001709 // CNVD: CNVD-2014-01721 // BID: 66199 // IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d // VULHUB: VHN-70188

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01721

AFFECTED PRODUCTS

vendor:siemensmodel:simatic s7-1500 cpuscope:eqversion:1.0.1

Trust: 1.6

vendor:siemensmodel:simatic s7-1500 cpuscope:eqversion:1.1.1

Trust: 1.6

vendor:siemensmodel:simatic s7-1500 cpuscope:eqversion:1.1.0

Trust: 1.6

vendor:siemensmodel:simatic s7-1500 cpuscope:lteversion:1.1.2

Trust: 1.0

vendor:siemensmodel:simatic s7-1200 cpuscope:ltversion:4.0

Trust: 0.8

vendor:siemensmodel:simatic s7-1500 cpuscope:ltversion:1.5.0

Trust: 0.8

vendor:siemensmodel:simatic s7-1500scope:eqversion:1.x

Trust: 0.6

vendor:siemensmodel:simatic s7-1500 cpuscope:eqversion:1.1.2

Trust: 0.6

vendor:simatic s7 1500 cpumodel: - scope:eqversion:1.0.1

Trust: 0.2

vendor:simatic s7 1500 cpumodel: - scope:eqversion:1.1.0

Trust: 0.2

vendor:simatic s7 1500 cpumodel: - scope:eqversion:1.1.1

Trust: 0.2

vendor:simatic s7 1500 cpumodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01721 // JVNDB: JVNDB-2014-001709 // CNNVD: CNNVD-201403-326 // NVD: CVE-2014-2249

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2249
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2249
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-01721
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201403-326
value: MEDIUM

Trust: 0.6

IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-70188
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2249
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01721
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-70188
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01721 // VULHUB: VHN-70188 // JVNDB: JVNDB-2014-001709 // CNNVD: CNNVD-201403-326 // NVD: CVE-2014-2249

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-70188 // JVNDB: JVNDB-2014-001709 // NVD: CVE-2014-2249

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-326

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201403-326

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001709

PATCH
title:SSA-654382url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-654382.pdf
Trust: 0.8
title:SSA-456423url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-456423.pdf
Trust: 0.8
title:Patch for Siemens SIMATIC S7-1500 with unknown cross-site request forgery vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/44303
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-01721 // 
            
            
            
            JVNDB: JVNDB-2014-001709

EXTERNAL IDS
db:NVDid:CVE-2014-2249
Trust: 3.6
db:ICS CERTid:ICSA-14-073-01
Trust: 2.5
db:SIEMENSid:SSA-456423
Trust: 2.3
db:ICS CERTid:ICSA-14-079-02
Trust: 1.9
db:SIEMENSid:SSA-654382
Trust: 1.1
db:BIDid:66199
Trust: 1.0
db:CNNVDid:CNNVD-201403-326
Trust: 0.9
db:CNVDid:CNVD-2014-01721
Trust: 0.8
db:JVNDBid:JVNDB-2014-001709
Trust: 0.8
db:SECUNIAid:57400
Trust: 0.6
db:IVDid:25BBF2F6-2352-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:SEEBUGid:SSVID-89664
Trust: 0.1
db:VULHUBid:VHN-70188
Trust: 0.1
sources:
            
            
            IVD: 25bbf2f6-2352-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2014-01721 // 
            
            
            
            VULHUB: VHN-70188 // 
            
            
            
            BID: 66199 // 
            
            
            
            JVNDB: JVNDB-2014-001709 // 
            
            
            
            CNNVD: CNNVD-201403-326 // 
            
            
            
            NVD: CVE-2014-2249

REFERENCES
url:http://ics-cert.us-cert.gov/advisories/icsa-14-073-01
Trust: 2.5
url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-456423.pdf
Trust: 2.3
url:http://ics-cert.us-cert.gov/advisories/icsa-14-079-02
Trust: 1.9
url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-654382.pdf
Trust: 1.1
url:https://cert-portal.siemens.com/productcert/pdf/ssa-456423.pdf
Trust: 1.1
url:https://cert-portal.siemens.com/productcert/pdf/ssa-654382.pdf
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2249
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2249
Trust: 0.8
url:http://secunia.com/advisories/57400
Trust: 0.6
url:http://subscriber.communications.siemens.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2014-01721 // 
            
            
            
            VULHUB: VHN-70188 // 
            
            
            
            BID: 66199 // 
            
            
            
            JVNDB: JVNDB-2014-001709 // 
            
            
            
            CNNVD: CNNVD-201403-326 // 
            
            
            
            NVD: CVE-2014-2249

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 66199

SOURCES
db:IVDid:25bbf2f6-2352-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2014-01721
db:VULHUBid:VHN-70188
db:BIDid:66199
db:JVNDBid:JVNDB-2014-001709
db:CNNVDid:CNNVD-201403-326
db:NVDid:CVE-2014-2249

LAST UPDATE DATE
2024-11-23T21:45:19.485000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-01721date:2014-03-17T00:00:00
db:VULHUBid:VHN-70188date:2014-03-26T00:00:00
db:BIDid:66199date:2014-03-25T01:04:00
db:JVNDBid:JVNDB-2014-001709date:2014-04-07T00:00:00
db:CNNVDid:CNNVD-201403-326date:2014-03-20T00:00:00
db:NVDid:CVE-2014-2249date:2024-11-21T02:05:55.780

SOURCES RELEASE DATE
db:IVDid:25bbf2f6-2352-11e6-abef-000c29c66e3ddate:2014-03-17T00:00:00
db:CNVDid:CNVD-2014-01721date:2014-03-17T00:00:00
db:VULHUBid:VHN-70188date:2014-03-16T00:00:00
db:BIDid:66199date:2014-03-12T00:00:00
db:JVNDBid:JVNDB-2014-001709date:2014-03-18T00:00:00
db:CNNVDid:CNNVD-201403-326date:2014-03-20T00:00:00
db:NVDid:CVE-2014-2249date:2014-03-16T14:06:45.850