Sign-up

ID

VAR-201503-0061


CVE

CVE-2015-0996


TITLE

Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-001993

DESCRIPTION

Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive information by discovering this password. Schneider Electric InduSoft Web Studio and InTouch Machine Edition are both embedded HMI software packages from Schneider Electric, France. Read access. A local attacker could exploit this vulnerability to obtain sensitive information by discovering passwords. Schneider Electric Products are prone to multiple local information-disclosure vulnerabilities. This may aid in further attacks. This product provides HMI clients with read, write tag and event monitoring capabilities

Trust: 3.15

sources: NVD: CVE-2015-0996 // JVNDB: JVNDB-2015-001993 // CNVD: CNVD-2015-02059 // BID: 73387 // IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1 // IVD: 9a491a14-2351-11e6-abef-000c29c66e3d // IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-78942 // VULMON: CVE-2015-0996

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.2

sources: IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1 // IVD: 9a491a14-2351-11e6-abef-000c29c66e3d // IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02059

AFFECTED PRODUCTS

vendor:schneider electricmodel:wonderware intouch 2014scope:eqversion:7.1

Trust: 1.2

vendor:schneider electricmodel:indusoft web studioscope:eqversion:7.1

Trust: 1.2

vendor:avevamodel:edgescope:ltversion:7.1.3.4

Trust: 1.0

vendor:schneider electricmodel:wonderware intouch 2014scope:ltversion:7.1.3.4

Trust: 1.0

vendor:schneider electricmodel:indusoft web studioscope:ltversion:7.1.3.4 sp3 patch 4

Trust: 0.8

vendor:schneider electricmodel:intouch machine edition 2014scope:ltversion:7.1.3.4 sp3 patch 4

Trust: 0.8

vendor:indusoft web studiomodel: - scope:eqversion:*

Trust: 0.6

vendor:wonderware intouch 2014model: - scope:eqversion:*

Trust: 0.6

vendor:schneidermodel:electric indusoft web studio sp3 patchscope:ltversion:7.1.3.44

Trust: 0.6

vendor:schneidermodel:electric intouch machine edition sp3 patchscope:eqversion:2014(<7.1.3.44)

Trust: 0.6

vendor:schneider electricmodel:intouch machine editionscope:eqversion:20147.1.3.2

Trust: 0.3

vendor:schneider electricmodel:indusoft web studioscope:eqversion:7.1.3.2

Trust: 0.3

vendor:schneider electricmodel:indusoft web studio sp patchscope:neversion:7.1.3.434

Trust: 0.3

sources: IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1 // IVD: 9a491a14-2351-11e6-abef-000c29c66e3d // IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02059 // BID: 73387 // JVNDB: JVNDB-2015-001993 // CNNVD: CNNVD-201503-615 // NVD: CVE-2015-0996

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0996
value: LOW

Trust: 1.0

NVD: CVE-2015-0996
value: LOW

Trust: 0.8

CNVD: CNVD-2015-02059
value: LOW

Trust: 0.6

CNNVD: CNNVD-201503-615
value: LOW

Trust: 0.6

IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1
value: LOW

Trust: 0.2

IVD: 9a491a14-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

VULHUB: VHN-78942
value: LOW

Trust: 0.1

VULMON: CVE-2015-0996
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2015-0996
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2015-02059
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 9a491a14-2351-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-78942
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1 // IVD: 9a491a14-2351-11e6-abef-000c29c66e3d // IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02059 // VULHUB: VHN-78942 // VULMON: CVE-2015-0996 // JVNDB: JVNDB-2015-001993 // CNNVD: CNNVD-201503-615 // NVD: CVE-2015-0996

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-78942 // JVNDB: JVNDB-2015-001993 // NVD: CVE-2015-0996

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201503-615

TYPE

Information leakage

Trust: 0.6

sources: IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1 // IVD: 9a491a14-2351-11e6-abef-000c29c66e3d // IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001993

PATCH
title:InTouch Machine Edition 2014 Vulnerabilitiesurl:http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02
Trust: 0.8
title:InduSoft Web Studi Vulnerabilitiesurl:http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01
Trust: 0.8
title:Patch for Schneider Electric InduSoft Web Studio and InTouch Machine Edition Information Disclosure Vulnerability (CNVD-2015-02059)url:https://www.cnvd.org.cn/patchInfo/show/56785
Trust: 0.6
title:IWS71.3.4url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54647
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-02059 // 
            
            
            
            JVNDB: JVNDB-2015-001993 // 
            
            
            
            CNNVD: CNNVD-201503-615

EXTERNAL IDS
db:NVDid:CVE-2015-0996
Trust: 4.1
db:ICS CERTid:ICSA-15-085-01
Trust: 2.9
db:SCHNEIDERid:SEVD-2015-054-02
Trust: 2.4
db:SCHNEIDERid:SEVD-2015-054-01
Trust: 1.8
db:CNNVDid:CNNVD-201503-615
Trust: 1.3
db:CNVDid:CNVD-2015-02059
Trust: 1.2
db:JVNDBid:JVNDB-2015-001993
Trust: 0.8
db:BIDid:73387
Trust: 0.4
db:IVDid:7D7F00B1-463F-11E9-9603-000C29342CB1
Trust: 0.2
db:IVDid:9A491A14-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:IVDid:9CA039B4-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-78942
Trust: 0.1
db:ICS CERTid:ICSA-15-085-01A
Trust: 0.1
db:VULMONid:CVE-2015-0996
Trust: 0.1
sources:
            
            
            IVD: 7d7f00b1-463f-11e9-9603-000c29342cb1 // 
            
            
            
            IVD: 9a491a14-2351-11e6-abef-000c29c66e3d // 
            
            
            
            IVD: 9ca039b4-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2015-02059 // 
            
            
            
            VULHUB: VHN-78942 // 
            
            
            
            VULMON: CVE-2015-0996 // 
            
            
            
            BID: 73387 // 
            
            
            
            JVNDB: JVNDB-2015-001993 // 
            
            
            
            CNNVD: CNNVD-201503-615 // 
            
            
            
            NVD: CVE-2015-0996

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-15-085-01
Trust: 2.9
url:http://download.schneider-electric.com/files?p_doc_ref=sevd-2015-054-02
Trust: 2.4
url:http://download.schneider-electric.com/files?p_doc_ref=sevd-2015-054-01
Trust: 1.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0996
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0996
Trust: 0.8
url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/200.html
Trust: 0.1
url:http://tools.cisco.com/security/center/viewalert.x?alertid=38083
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://ics-cert.us-cert.gov/advisories/icsa-15-085-01a
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-02059 // 
            
            
            
            VULHUB: VHN-78942 // 
            
            
            
            VULMON: CVE-2015-0996 // 
            
            
            
            BID: 73387 // 
            
            
            
            JVNDB: JVNDB-2015-001993 // 
            
            
            
            CNNVD: CNNVD-201503-615 // 
            
            
            
            NVD: CVE-2015-0996

CREDITS
Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies.
Trust: 0.3
sources:
            
            
            BID: 73387

SOURCES
db:IVDid:7d7f00b1-463f-11e9-9603-000c29342cb1
db:IVDid:9a491a14-2351-11e6-abef-000c29c66e3d
db:IVDid:9ca039b4-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2015-02059
db:VULHUBid:VHN-78942
db:VULMONid:CVE-2015-0996
db:BIDid:73387
db:JVNDBid:JVNDB-2015-001993
db:CNNVDid:CNNVD-201503-615
db:NVDid:CVE-2015-0996

LAST UPDATE DATE
2024-11-23T22:01:52.696000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-02059date:2015-03-31T00:00:00
db:VULHUBid:VHN-78942date:2018-10-30T00:00:00
db:VULMONid:CVE-2015-0996date:2018-10-30T00:00:00
db:BIDid:73387date:2015-03-26T00:00:00
db:JVNDBid:JVNDB-2015-001993date:2015-04-01T00:00:00
db:CNNVDid:CNNVD-201503-615date:2021-05-18T00:00:00
db:NVDid:CVE-2015-0996date:2024-11-21T02:24:06.317

SOURCES RELEASE DATE
db:IVDid:7d7f00b1-463f-11e9-9603-000c29342cb1date:2015-03-31T00:00:00
db:IVDid:9a491a14-2351-11e6-abef-000c29c66e3ddate:2015-03-31T00:00:00
db:IVDid:9ca039b4-2351-11e6-abef-000c29c66e3ddate:2015-03-31T00:00:00
db:CNVDid:CNVD-2015-02059date:2015-03-31T00:00:00
db:VULHUBid:VHN-78942date:2015-03-29T00:00:00
db:VULMONid:CVE-2015-0996date:2015-03-29T00:00:00
db:BIDid:73387date:2015-03-26T00:00:00
db:JVNDBid:JVNDB-2015-001993date:2015-04-01T00:00:00
db:CNNVDid:CNNVD-201503-615date:2015-03-30T00:00:00
db:NVDid:CVE-2015-0996date:2015-03-29T10:59:05.383