ID

VAR-201411-0460


CVE

CVE-2014-8552


TITLE

Siemens SIMATIC WinCC/PCS 7 Directory Traversal Vulnerability

Trust: 1.0

sources: IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d // IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f // CNVD: CNVD-2014-08594

DESCRIPTION

The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC WinCC, SIMATIC PCS 7 and TIA Portal (Botu) are all industrial automation products of German Siemens (Siemens). SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system; SIMATIC PCS 7 is a distributed process control system using WinCC; TIA Portal is a software platform that can quickly develop and debug automation systems. WinCC server is an option for it, which can operate multiple operating systems and monitoring stations in the network connected to the automation system. There are security vulnerabilities in the WinCC server of several Siemens products

Trust: 2.61

sources: NVD: CVE-2014-8552 // JVNDB: JVNDB-2014-005645 // CNVD: CNVD-2014-08594 // IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d // IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f // VULHUB: VHN-76497

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.0

sources: IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d // IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f // CNVD: CNVD-2014-08594

AFFECTED PRODUCTS

vendor:simatic winccmodel: - scope:eqversion:7.2

Trust: 3.2

vendor:simatic winccmodel: - scope:eqversion:7.0

Trust: 1.6

vendor:siemensmodel:simatic winccscope:eqversion:7.0

Trust: 1.6

vendor:siemensmodel:simatic pcs7scope:eqversion:7.1

Trust: 1.6

vendor:siemensmodel:simatic pcs 7scope:eqversion:7.1

Trust: 1.6

vendor:siemensmodel:simatic winccscope:eqversion:7.2

Trust: 1.6

vendor:simatic tiaportalmodel: - scope:eqversion:13.0

Trust: 1.2

vendor:siemensmodel:simatic tiaportalscope:eqversion:13.0

Trust: 1.0

vendor:siemensmodel:simatic pcs7scope:eqversion:8.1

Trust: 1.0

vendor:siemensmodel:simatic pcs7scope:eqversion:8.0

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:7.3

Trust: 1.0

vendor:simatic pcs7model: - scope:eqversion:7.1

Trust: 0.8

vendor:simatic pcs7model: - scope:eqversion:8.0

Trust: 0.8

vendor:siemensmodel:simatic winccscope:eqversion:7.3 update 2

Trust: 0.8

vendor:siemensmodel:simatic winccscope:eqversion:7.2 update 9

Trust: 0.8

vendor:siemensmodel:simatic pcs 7scope:eqversion:7.1 to 7.1 sp4

Trust: 0.8

vendor:siemensmodel:simatic pcs 7scope:eqversion:8.0 to 8.0 sp2

Trust: 0.8

vendor:siemensmodel:totally integrated automation portalscope:ltversion:13

Trust: 0.8

vendor:siemensmodel:simatic winccscope:ltversion:7.3

Trust: 0.8

vendor:siemensmodel:simatic winccscope:ltversion:7.2

Trust: 0.8

vendor:siemensmodel:simatic pcs 7scope:eqversion:8.1

Trust: 0.8

vendor:siemensmodel:simatic winccscope:eqversion:7.0 to 7.0 sp3

Trust: 0.8

vendor:siemensmodel:totally integrated automation portalscope:eqversion:13 update 6

Trust: 0.8

vendor:siemensmodel:wincc 7.0-sp3scope: - version: -

Trust: 0.6

vendor:siemensmodel:wincc (<updatescope:eqversion:7.29)

Trust: 0.6

vendor:siemensmodel:wincc (<updatescope:eqversion:7.32)

Trust: 0.6

vendor:siemensmodel:simatic pcs 7.1-sp4scope:eqversion:7

Trust: 0.6

vendor:siemensmodel:simatic pcs 8.0-sp2scope:eqversion:7

Trust: 0.6

vendor:siemensmodel:simatic pcsscope:eqversion:78.1

Trust: 0.6

vendor:simatic pcs7model: - scope:eqversion:8.1

Trust: 0.4

vendor:simatic pcs 7model: - scope:eqversion:7.1

Trust: 0.4

vendor:simatic winccmodel: - scope:eqversion:7.3

Trust: 0.4

sources: IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d // IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f // CNVD: CNVD-2014-08594 // JVNDB: JVNDB-2014-005645 // CNNVD: CNNVD-201411-501 // NVD: CVE-2014-8552

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8552
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8552
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-08594
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201411-501
value: MEDIUM

Trust: 0.6

IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f
value: MEDIUM

Trust: 0.2

VULHUB: VHN-76497
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8552
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-08594
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-76497
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d // IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f // CNVD: CNVD-2014-08594 // VULHUB: VHN-76497 // JVNDB: JVNDB-2014-005645 // CNNVD: CNNVD-201411-501 // NVD: CVE-2014-8552

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-76497 // JVNDB: JVNDB-2014-005645 // NVD: CVE-2014-8552

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-501

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201411-501

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005645

PATCH

title:SSA-134508url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf

Trust: 0.8

title:Patch for Siemens SIMATIC WinCC/PCS 7 directory traversal vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/52283

Trust: 0.6

sources: CNVD: CNVD-2014-08594 // JVNDB: JVNDB-2014-005645

EXTERNAL IDS

db:NVDid:CVE-2014-8552

Trust: 3.5

db:SIEMENSid:SSA-134508

Trust: 2.3

db:CNNVDid:CNNVD-201411-501

Trust: 1.1

db:CNVDid:CNVD-2014-08594

Trust: 1.0

db:ICS CERTid:ICSA-14-329-02

Trust: 0.8

db:JVNDBid:JVNDB-2014-005645

Trust: 0.8

db:SECUNIAid:60068

Trust: 0.6

db:IVDid:B4BC03B6-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:IVDid:633E044B-7ADF-4ADF-9CA1-7D68E531ED2F

Trust: 0.2

db:VULHUBid:VHN-76497

Trust: 0.1

sources: IVD: b4bc03b6-2351-11e6-abef-000c29c66e3d // IVD: 633e044b-7adf-4adf-9ca1-7d68e531ed2f // CNVD: CNVD-2014-08594 // VULHUB: VHN-76497 // JVNDB: JVNDB-2014-005645 // CNNVD: CNNVD-201411-501 // NVD: CVE-2014-8552

REFERENCES

url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf

Trust: 2.3

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8552

Trust: 1.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8552

Trust: 0.8

url:https://ics-cert.us-cert.gov/advisories/icsa-14-329-02

Trust: 0.8

url:http://secunia.com/advisories/60068

Trust: 0.6

sources: CNVD: CNVD-2014-08594 // VULHUB: VHN-76497 // JVNDB: JVNDB-2014-005645 // CNNVD: CNNVD-201411-501 // NVD: CVE-2014-8552

SOURCES

db:IVDid:b4bc03b6-2351-11e6-abef-000c29c66e3d
db:IVDid:633e044b-7adf-4adf-9ca1-7d68e531ed2f
db:CNVDid:CNVD-2014-08594
db:VULHUBid:VHN-76497
db:JVNDBid:JVNDB-2014-005645
db:CNNVDid:CNNVD-201411-501
db:NVDid:CVE-2014-8552

LAST UPDATE DATE

2024-08-14T13:34:40.692000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2014-08594date:2014-12-01T00:00:00
db:VULHUBid:VHN-76497date:2014-11-26T00:00:00
db:JVNDBid:JVNDB-2014-005645date:2014-11-27T00:00:00
db:CNNVDid:CNNVD-201411-501date:2014-11-27T00:00:00
db:NVDid:CVE-2014-8552date:2014-11-26T16:54:50.050

SOURCES RELEASE DATE

db:IVDid:b4bc03b6-2351-11e6-abef-000c29c66e3ddate:2014-12-01T00:00:00
db:IVDid:633e044b-7adf-4adf-9ca1-7d68e531ed2fdate:2014-12-01T00:00:00
db:CNVDid:CNVD-2014-08594date:2014-12-01T00:00:00
db:VULHUBid:VHN-76497date:2014-11-26T00:00:00
db:JVNDBid:JVNDB-2014-005645date:2014-11-27T00:00:00
db:CNNVDid:CNNVD-201411-501date:2014-11-27T00:00:00
db:NVDid:CVE-2014-8552date:2014-11-26T11:59:01.373