Sign-up

ID

VAR-201407-0603


CVE

CVE-2014-4683


TITLE

Siemens SIMATIC PCS 7 Used in products such as SIMATIC WinCC of WebNavigator Vulnerability that can be obtained privilege in the server

Trust: 0.8

sources: JVNDB: JVNDB-2014-003566

DESCRIPTION

The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a (1) HTTP or (2) HTTPS request. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A remote privilege elevation vulnerability exists in Siemens SIMATIC WinCC And PCS7 that can be exploited by remote attackers to gain elevated privileges on affected devices. Siemens SIMATIC WinCC and PCS7 are prone to a remote privilege-escalation vulnerability. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions. There is a security hole in the WebNavigator server used by Siemens SIMATIC WinCC versions prior to 7.3 for PCS7 and other products

Trust: 3.06

sources: NVD: CVE-2014-4683 // JVNDB: JVNDB-2014-003566 // CNVD: CNVD-2014-04644 // BID: 68879 // IVD: e2d78202-2351-11e6-abef-000c29c66e3d // IVD: c0a709a9-648b-4fbc-869e-37cd7064012b // IVD: 7d71e153-463f-11e9-be10-000c29342cb1 // VULHUB: VHN-72624

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.2

sources: IVD: e2d78202-2351-11e6-abef-000c29c66e3d // IVD: c0a709a9-648b-4fbc-869e-37cd7064012b // IVD: 7d71e153-463f-11e9-be10-000c29342cb1 // CNVD: CNVD-2014-04644

AFFECTED PRODUCTS

vendor:winccmodel: - scope:eqversion:6.0

Trust: 2.4

vendor:winccmodel: - scope:eqversion:7.0

Trust: 2.4

vendor:siemensmodel:simatic pcs7scope:eqversion:7.1

Trust: 1.6

vendor:siemensmodel:winccscope:eqversion:7.0

Trust: 1.6

vendor:siemensmodel:simatic pcs7scope:eqversion:8.0

Trust: 1.6

vendor:siemensmodel:winccscope:eqversion:6.0

Trust: 1.6

vendor:siemensmodel:winccscope:eqversion:5.0

Trust: 1.6

vendor:siemensmodel:simatic winccscope:ltversion:7.3

Trust: 1.4

vendor:winccmodel: - scope:eqversion:5.0

Trust: 1.2

vendor:winccmodel: - scope:eqversion:7.1

Trust: 1.2

vendor:siemensmodel:winccscope:eqversion:7.1

Trust: 1.0

vendor:siemensmodel:simatic pcs7scope:lteversion:8.0

Trust: 1.0

vendor:siemensmodel:winccscope:lteversion:7.2

Trust: 1.0

vendor:siemensmodel:simatic pcs 7scope:ltversion:8.1

Trust: 0.8

vendor:simatic pcs7model: - scope:eqversion:7.1

Trust: 0.6

vendor:simatic pcs7model: - scope:eqversion:8.0

Trust: 0.6

vendor:simatic pcs7model: - scope:eqversion:*

Trust: 0.6

vendor:winccmodel: - scope:eqversion:*

Trust: 0.6

vendor:siemensmodel:pcs7scope:ltversion:8.1

Trust: 0.6

vendor:siemensmodel:simatic winccscope:eqversion:6.2

Trust: 0.3

sources: IVD: e2d78202-2351-11e6-abef-000c29c66e3d // IVD: c0a709a9-648b-4fbc-869e-37cd7064012b // IVD: 7d71e153-463f-11e9-be10-000c29342cb1 // CNVD: CNVD-2014-04644 // BID: 68879 // JVNDB: JVNDB-2014-003566 // CNNVD: CNNVD-201407-603 // NVD: CVE-2014-4683

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4683
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4683
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-04644
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201407-603
value: MEDIUM

Trust: 0.6

IVD: e2d78202-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: c0a709a9-648b-4fbc-869e-37cd7064012b
value: MEDIUM

Trust: 0.2

IVD: 7d71e153-463f-11e9-be10-000c29342cb1
value: MEDIUM

Trust: 0.2

VULHUB: VHN-72624
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-4683
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-04644
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2d78202-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: c0a709a9-648b-4fbc-869e-37cd7064012b
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 7d71e153-463f-11e9-be10-000c29342cb1
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-72624
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: e2d78202-2351-11e6-abef-000c29c66e3d // IVD: c0a709a9-648b-4fbc-869e-37cd7064012b // IVD: 7d71e153-463f-11e9-be10-000c29342cb1 // CNVD: CNVD-2014-04644 // VULHUB: VHN-72624 // JVNDB: JVNDB-2014-003566 // CNNVD: CNNVD-201407-603 // NVD: CVE-2014-4683

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-72624 // JVNDB: JVNDB-2014-003566 // NVD: CVE-2014-4683

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-603

TYPE

Permission permission and access control

Trust: 0.6

sources: IVD: e2d78202-2351-11e6-abef-000c29c66e3d // IVD: c0a709a9-648b-4fbc-869e-37cd7064012b // IVD: 7d71e153-463f-11e9-be10-000c29342cb1

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-003566

PATCH
title:SSA-214365url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-214365.pdf
Trust: 0.8
title:Patch for Siemens SIMATIC Multiple Products Remote Privilege Escalation Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/47899
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-04644 // 
            
            
            
            JVNDB: JVNDB-2014-003566

EXTERNAL IDS
db:NVDid:CVE-2014-4683
Trust: 4.1
db:SIEMENSid:SSA-214365
Trust: 2.3
db:CNNVDid:CNNVD-201407-603
Trust: 1.3
db:CNVDid:CNVD-2014-04644
Trust: 1.2
db:BIDid:68879
Trust: 1.0
db:ICS CERTid:ICSA-14-205-02
Trust: 0.8
db:JVNDBid:JVNDB-2014-003566
Trust: 0.8
db:SECUNIAid:60392
Trust: 0.6
db:SECUNIAid:60388
Trust: 0.6
db:IVDid:E2D78202-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:IVDid:C0A709A9-648B-4FBC-869E-37CD7064012B
Trust: 0.2
db:IVDid:7D71E153-463F-11E9-BE10-000C29342CB1
Trust: 0.2
db:VULHUBid:VHN-72624
Trust: 0.1
db:PACKETSTORMid:127660
Trust: 0.1
sources:
            
            
            IVD: e2d78202-2351-11e6-abef-000c29c66e3d // 
            
            
            
            IVD: c0a709a9-648b-4fbc-869e-37cd7064012b // 
            
            
            
            IVD: 7d71e153-463f-11e9-be10-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2014-04644 // 
            
            
            
            VULHUB: VHN-72624 // 
            
            
            
            BID: 68879 // 
            
            
            
            JVNDB: JVNDB-2014-003566 // 
            
            
            
            PACKETSTORM: 127660 // 
            
            
            
            CNNVD: CNNVD-201407-603 // 
            
            
            
            NVD: CVE-2014-4683

REFERENCES
url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-214365.pdf
Trust: 2.3
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4683
Trust: 1.4
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4683
Trust: 0.8
url:https://ics-cert.us-cert.gov/advisories/icsa-14-205-02
Trust: 0.8
url:http://www.securityfocus.com/bid/68879/info
Trust: 0.6
url:http://secunia.com/advisories/60388
Trust: 0.6
url:http://secunia.com/advisories/60392
Trust: 0.6
url:http://subscriber.communications.siemens.com/
Trust: 0.3
url:http://aunz.siemens.com/newscentre/productreleases/pages/iac_pr_simaticwinccv62.aspx
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2014-4684
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4683
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4685
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4686
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4682
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2014-04644 // 
            
            
            
            VULHUB: VHN-72624 // 
            
            
            
            BID: 68879 // 
            
            
            
            JVNDB: JVNDB-2014-003566 // 
            
            
            
            PACKETSTORM: 127660 // 
            
            
            
            CNNVD: CNNVD-201407-603 // 
            
            
            
            NVD: CVE-2014-4683

CREDITS
Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai from Positive Technologies.
Trust: 0.3
sources:
            
            
            BID: 68879

SOURCES
db:IVDid:e2d78202-2351-11e6-abef-000c29c66e3d
db:IVDid:c0a709a9-648b-4fbc-869e-37cd7064012b
db:IVDid:7d71e153-463f-11e9-be10-000c29342cb1
db:CNVDid:CNVD-2014-04644
db:VULHUBid:VHN-72624
db:BIDid:68879
db:JVNDBid:JVNDB-2014-003566
db:PACKETSTORMid:127660
db:CNNVDid:CNNVD-201407-603
db:NVDid:CVE-2014-4683

LAST UPDATE DATE
2024-08-14T13:34:53.093000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-04644date:2014-07-28T00:00:00
db:VULHUBid:VHN-72624date:2014-07-25T00:00:00
db:BIDid:68879date:2015-03-19T09:40:00
db:JVNDBid:JVNDB-2014-003566date:2014-08-05T00:00:00
db:CNNVDid:CNNVD-201407-603date:2014-07-25T00:00:00
db:NVDid:CVE-2014-4683date:2014-07-25T14:37:19.350

SOURCES RELEASE DATE
db:IVDid:e2d78202-2351-11e6-abef-000c29c66e3ddate:2014-07-28T00:00:00
db:IVDid:c0a709a9-648b-4fbc-869e-37cd7064012bdate:2014-07-28T00:00:00
db:IVDid:7d71e153-463f-11e9-be10-000c29342cb1date:2014-07-28T00:00:00
db:CNVDid:CNVD-2014-04644date:2014-07-28T00:00:00
db:VULHUBid:VHN-72624date:2014-07-24T00:00:00
db:BIDid:68879date:2014-07-23T00:00:00
db:JVNDBid:JVNDB-2014-003566date:2014-07-28T00:00:00
db:PACKETSTORMid:127660date:2014-07-29T22:37:22
db:CNNVDid:CNNVD-201407-603date:2014-07-25T00:00:00
db:NVDid:CVE-2014-4683date:2014-07-24T14:55:08.050