Details of VAR-201503-0064

ID

VAR-201503-0064

CVE

CVE-2015-0999

TITLE

Schneider Electric InduSoft Web Studio Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2015-001996

DESCRIPTION

Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 store cleartext OPC User credentials in a configuration file, which allows local users to obtain sensitive information by reading this file. Schneider Electric InduSoft Web Studio and InTouch Machine Edition are both embedded HMI software packages from Schneider Electric, France. Multiple Schneider Electric products are prone to a local information-disclosure vulnerability. This product provides HMI clients with read, write tag and event monitoring capabilities

Trust: 2.88

sources: NVD: CVE-2015-0999 // JVNDB: JVNDB-2015-001996 // CNVD: CNVD-2015-02056 // BID: 73389 // IVD: 7d7f27c2-463f-11e9-8462-000c29342cb1 // IVD: 9a39670e-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-78945

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 7d7f27c2-463f-11e9-8462-000c29342cb1 // IVD: 9a39670e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02056

AFFECTED PRODUCTS

vendor:	schneider electric	model:	wonderware intouch 2014	scope:	eq	version:	7.1	Trust: 1.2
vendor:	schneider electric	model:	indusoft web studio	scope:	eq	version:	7.1	Trust: 1.2
vendor:	aveva	model:	edge	scope:	lt	version:	7.1.3.4	Trust: 1.0
vendor:	schneider electric	model:	wonderware intouch 2014	scope:	lt	version:	7.1.3.4	Trust: 1.0
vendor:	schneider electric	model:	indusoft web studio	scope:	lt	version:	7.1.3.4 sp3 patch 4	Trust: 0.8
vendor:	schneider electric	model:	intouch machine edition 2014	scope:	lt	version:	7.1.3.4 sp3 patch 4	Trust: 0.8
vendor:	schneider	model:	electric indusoft web studio sp3 patch	scope:	lt	version:	7.1.3.44	Trust: 0.6
vendor:	schneider	model:	electric intouch machine edition sp3 patch	scope:	eq	version:	2014(<7.1.3.44)	Trust: 0.6
vendor:	indusoft web studio	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	wonderware intouch 2014	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	schneider electric	model:	intouch machine edition	scope:	eq	version:	20147.1.3.2	Trust: 0.3
vendor:	schneider electric	model:	indusoft web studio	scope:	eq	version:	7.1.3.2	Trust: 0.3
vendor:	schneider electric	model:	indusoft web studio sp patch	scope:	ne	version:	7.1.3.434	Trust: 0.3

sources: IVD: 7d7f27c2-463f-11e9-8462-000c29342cb1 // IVD: 9a39670e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02056 // BID: 73389 // JVNDB: JVNDB-2015-001996 // CNNVD: CNNVD-201503-618 // NVD: CVE-2015-0999

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-0999
value:	LOW
Trust: 1.0
NVD:	CVE-2015-0999
value:	LOW
Trust: 0.8
CNVD:	CNVD-2015-02056
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201503-618
value:	LOW
Trust: 0.6
IVD:	7d7f27c2-463f-11e9-8462-000c29342cb1
value:	LOW
Trust: 0.2
IVD:	9a39670e-2351-11e6-abef-000c29c66e3d
value:	LOW
Trust: 0.2
VULHUB:	VHN-78945
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2015-0999
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-02056
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d7f27c2-463f-11e9-8462-000c29342cb1
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	9a39670e-2351-11e6-abef-000c29c66e3d
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-78945
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 7d7f27c2-463f-11e9-8462-000c29342cb1 // IVD: 9a39670e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02056 // VULHUB: VHN-78945 // JVNDB: JVNDB-2015-001996 // CNNVD: CNNVD-201503-618 // NVD: CVE-2015-0999

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-78945 // JVNDB: JVNDB-2015-001996 // NVD: CVE-2015-0999

THREAT TYPE

local

Trust: 0.9

sources: BID: 73389 // CNNVD: CNNVD-201503-618

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201503-618

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001996

PATCH

title:	InduSoft Web Studio Vulnerabilities	url:	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01	Trust: 0.8
title:	InTouch Machine Edition 2014 Vulnerabilities	url:	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02	Trust: 0.8
title:	Patch for Schneider Electric InduSoft Web Studio and InTouch Machine Edition Information Disclosure Vulnerability (CNVD-2015-02056)	url:	https://www.cnvd.org.cn/patchInfo/show/56788	Trust: 0.6
title:	IWS71.3.4	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54647	Trust: 0.6

sources: CNVD: CNVD-2015-02056 // JVNDB: JVNDB-2015-001996 // CNNVD: CNNVD-201503-618

EXTERNAL IDS

db:	NVD	id:	CVE-2015-0999	Trust: 3.8
db:	ICS CERT	id:	ICSA-15-085-01	Trust: 2.8
db:	SCHNEIDER	id:	SEVD-2015-054-01	Trust: 2.3
db:	SCHNEIDER	id:	SEVD-2015-054-02	Trust: 1.7
db:	CNNVD	id:	CNNVD-201503-618	Trust: 1.1
db:	CNVD	id:	CNVD-2015-02056	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-001996	Trust: 0.8
db:	BID	id:	73389	Trust: 0.4
db:	IVD	id:	7D7F27C2-463F-11E9-8462-000C29342CB1	Trust: 0.2
db:	IVD	id:	9A39670E-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-78945	Trust: 0.1

sources: IVD: 7d7f27c2-463f-11e9-8462-000c29342cb1 // IVD: 9a39670e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02056 // VULHUB: VHN-78945 // BID: 73389 // JVNDB: JVNDB-2015-001996 // CNNVD: CNNVD-201503-618 // NVD: CVE-2015-0999

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-085-01	Trust: 2.8
url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2015-054-01	Trust: 2.3
url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2015-054-02	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0999	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0999	Trust: 0.8
url:	http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true	Trust: 0.3

sources: CNVD: CNVD-2015-02056 // VULHUB: VHN-78945 // BID: 73389 // JVNDB: JVNDB-2015-001996 // CNNVD: CNNVD-201503-618 // NVD: CVE-2015-0999

CREDITS

Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies Security Lab and Alisa Esage Shevcheckno

Trust: 0.3

sources: BID: 73389

SOURCES

db:	IVD	id:	7d7f27c2-463f-11e9-8462-000c29342cb1
db:	IVD	id:	9a39670e-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-02056
db:	VULHUB	id:	VHN-78945
db:	BID	id:	73389
db:	JVNDB	id:	JVNDB-2015-001996
db:	CNNVD	id:	CNNVD-201503-618
db:	NVD	id:	CVE-2015-0999

LAST UPDATE DATE

2024-11-23T22:01:52.798000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-02056	date:	2015-03-31T00:00:00
db:	VULHUB	id:	VHN-78945	date:	2018-10-30T00:00:00
db:	BID	id:	73389	date:	2015-03-26T00:00:00
db:	JVNDB	id:	JVNDB-2015-001996	date:	2015-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201503-618	date:	2021-05-18T00:00:00
db:	NVD	id:	CVE-2015-0999	date:	2024-11-21T02:24:06.687

SOURCES RELEASE DATE

db:	IVD	id:	7d7f27c2-463f-11e9-8462-000c29342cb1	date:	2015-03-31T00:00:00
db:	IVD	id:	9a39670e-2351-11e6-abef-000c29c66e3d	date:	2015-03-31T00:00:00
db:	CNVD	id:	CNVD-2015-02056	date:	2015-03-31T00:00:00
db:	VULHUB	id:	VHN-78945	date:	2015-03-29T00:00:00
db:	BID	id:	73389	date:	2015-03-26T00:00:00
db:	JVNDB	id:	JVNDB-2015-001996	date:	2015-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201503-618	date:	2015-03-30T00:00:00
db:	NVD	id:	CVE-2015-0999	date:	2015-03-29T10:59:08.477