Details of VAR-201503-0063

ID

VAR-201503-0063

CVE

CVE-2015-0998

TITLE

Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-001995

DESCRIPTION

Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 transmit cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. A remote attacker can exploit the vulnerability to gain sensitive information by sniffing the network. The following products are affected: InduSoft Web Studio 7.1.3.2 and prior. InTouch Machine Edition 7.1.3.2 and prior. This product provides HMI clients with read, write tag and event monitoring capabilities. The vulnerability is caused by the programs transmitting plaintext certificates

Trust: 2.88

sources: NVD: CVE-2015-0998 // JVNDB: JVNDB-2015-001995 // CNVD: CNVD-2015-02057 // BID: 73378 // IVD: 7d7f27c1-463f-11e9-81a1-000c29342cb1 // IVD: 9a355f92-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-78944

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 7d7f27c1-463f-11e9-81a1-000c29342cb1 // IVD: 9a355f92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02057

AFFECTED PRODUCTS

vendor:	schneider electric	model:	wonderware intouch 2014	scope:	eq	version:	7.1	Trust: 1.2
vendor:	schneider electric	model:	indusoft web studio	scope:	eq	version:	7.1	Trust: 1.2
vendor:	aveva	model:	edge	scope:	lt	version:	7.1.3.4	Trust: 1.0
vendor:	schneider electric	model:	wonderware intouch 2014	scope:	lt	version:	7.1.3.4	Trust: 1.0
vendor:	schneider electric	model:	indusoft web studio	scope:	lt	version:	7.1.3.4 sp3 patch 4	Trust: 0.8
vendor:	schneider electric	model:	intouch machine edition 2014	scope:	lt	version:	7.1.3.4 sp3 patch 4	Trust: 0.8
vendor:	schneider	model:	electric indusoft web studio sp3 patch	scope:	lt	version:	7.1.3.44	Trust: 0.6
vendor:	schneider	model:	electric intouch machine edition sp3 patch	scope:	eq	version:	2014(<7.1.3.44)	Trust: 0.6
vendor:	indusoft web studio	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	wonderware intouch 2014	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	schneider electric	model:	intouch machine edition	scope:	eq	version:	20147.1.3.2	Trust: 0.3
vendor:	schneider electric	model:	indusoft web studio	scope:	eq	version:	7.1.3.2	Trust: 0.3
vendor:	schneider electric	model:	indusoft web studio sp patch	scope:	ne	version:	7.1.3.434	Trust: 0.3

sources: IVD: 7d7f27c1-463f-11e9-81a1-000c29342cb1 // IVD: 9a355f92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02057 // BID: 73378 // JVNDB: JVNDB-2015-001995 // CNNVD: CNNVD-201503-617 // NVD: CVE-2015-0998

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-0998
value:	LOW
Trust: 1.0
NVD:	CVE-2015-0998
value:	LOW
Trust: 0.8
CNVD:	CNVD-2015-02057
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201503-617
value:	LOW
Trust: 0.6
IVD:	7d7f27c1-463f-11e9-81a1-000c29342cb1
value:	LOW
Trust: 0.2
IVD:	9a355f92-2351-11e6-abef-000c29c66e3d
value:	LOW
Trust: 0.2
VULHUB:	VHN-78944
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2015-0998
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-02057
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d7f27c1-463f-11e9-81a1-000c29342cb1
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	9a355f92-2351-11e6-abef-000c29c66e3d
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-78944
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 7d7f27c1-463f-11e9-81a1-000c29342cb1 // IVD: 9a355f92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02057 // VULHUB: VHN-78944 // JVNDB: JVNDB-2015-001995 // CNNVD: CNNVD-201503-617 // NVD: CVE-2015-0998

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-78944 // JVNDB: JVNDB-2015-001995 // NVD: CVE-2015-0998

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201503-617

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201503-617

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001995

PATCH

title:	InTouch Machine Edition 2014 Vulnerabilities	url:	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02	Trust: 0.8
title:	InduSoft Web Studi Vulnerabilities	url:	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01	Trust: 0.8
title:	\302\240\302\240\302\240\302\240\302\240Patch for Schneider Electric InduSoft Web Studio and InTouch Machine Edition Information Disclosure Vulnerability (CNVD-2015-02057)	url:	https://www.cnvd.org.cn/patchInfo/show/56787	Trust: 0.6
title:	IWS71.3.4	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54647	Trust: 0.6

sources: CNVD: CNVD-2015-02057 // JVNDB: JVNDB-2015-001995 // CNNVD: CNNVD-201503-617

EXTERNAL IDS

db:	NVD	id:	CVE-2015-0998	Trust: 3.8
db:	ICS CERT	id:	ICSA-15-085-01	Trust: 2.8
db:	SCHNEIDER	id:	SEVD-2015-054-02	Trust: 2.3
db:	SCHNEIDER	id:	SEVD-2015-054-01	Trust: 1.7
db:	CNNVD	id:	CNNVD-201503-617	Trust: 1.1
db:	CNVD	id:	CNVD-2015-02057	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-001995	Trust: 0.8
db:	BID	id:	73378	Trust: 0.4
db:	IVD	id:	7D7F27C1-463F-11E9-81A1-000C29342CB1	Trust: 0.2
db:	IVD	id:	9A355F92-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-78944	Trust: 0.1

sources: IVD: 7d7f27c1-463f-11e9-81a1-000c29342cb1 // IVD: 9a355f92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02057 // VULHUB: VHN-78944 // BID: 73378 // JVNDB: JVNDB-2015-001995 // CNNVD: CNNVD-201503-617 // NVD: CVE-2015-0998

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-085-01	Trust: 2.8
url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2015-054-02	Trust: 2.3
url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2015-054-01	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0998	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0998	Trust: 0.8
url:	http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true	Trust: 0.3

sources: CNVD: CNVD-2015-02057 // VULHUB: VHN-78944 // BID: 73378 // JVNDB: JVNDB-2015-001995 // CNNVD: CNNVD-201503-617 // NVD: CVE-2015-0998

CREDITS

Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies Security Lab and Alisa Esage Shevcheckno

Trust: 0.3

sources: BID: 73378

SOURCES

db:	IVD	id:	7d7f27c1-463f-11e9-81a1-000c29342cb1
db:	IVD	id:	9a355f92-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-02057
db:	VULHUB	id:	VHN-78944
db:	BID	id:	73378
db:	JVNDB	id:	JVNDB-2015-001995
db:	CNNVD	id:	CNNVD-201503-617
db:	NVD	id:	CVE-2015-0998

LAST UPDATE DATE

2024-11-23T22:01:52.754000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-02057	date:	2015-03-31T00:00:00
db:	VULHUB	id:	VHN-78944	date:	2018-10-30T00:00:00
db:	BID	id:	73378	date:	2015-03-26T00:00:00
db:	JVNDB	id:	JVNDB-2015-001995	date:	2015-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201503-617	date:	2021-05-18T00:00:00
db:	NVD	id:	CVE-2015-0998	date:	2024-11-21T02:24:06.567

SOURCES RELEASE DATE

db:	IVD	id:	7d7f27c1-463f-11e9-81a1-000c29342cb1	date:	2015-03-31T00:00:00
db:	IVD	id:	9a355f92-2351-11e6-abef-000c29c66e3d	date:	2015-03-31T00:00:00
db:	CNVD	id:	CNVD-2015-02057	date:	2015-03-31T00:00:00
db:	VULHUB	id:	VHN-78944	date:	2015-03-29T00:00:00
db:	BID	id:	73378	date:	2015-03-26T00:00:00
db:	JVNDB	id:	JVNDB-2015-001995	date:	2015-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201503-617	date:	2015-03-30T00:00:00
db:	NVD	id:	CVE-2015-0998	date:	2015-03-29T10:59:07.460