ID

VAR-201504-0031


CVE

CVE-2015-1601


TITLE

Siemens SIMATIC STEP 7 TIA Portal Man-in-the-middle attack information disclosure vulnerability

Trust: 1.0

sources: IVD: 98ac9190-2351-11e6-abef-000c29c66e3d // IVD: 06c17524-8593-488c-b05c-2941868b4f47 // CNVD: CNVD-2015-01196

DESCRIPTION

Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 allows man-in-the-middle attackers to obtain sensitive information or modify transmitted data via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. http://cwe.mitre.org/data/definitions/254.htmlMan-in-the-middle attacks (man-in-the-middle attack) May obtain important information or change the data sent. Siemens SIMATIC is an automation software in a single engineering environment. The software provides PLC programming, design option packages, advanced drive technology and more

Trust: 2.88

sources: NVD: CVE-2015-1601 // JVNDB: JVNDB-2015-002095 // CNVD: CNVD-2015-01196 // BID: 72691 // IVD: 98ac9190-2351-11e6-abef-000c29c66e3d // IVD: 06c17524-8593-488c-b05c-2941868b4f47 // VULHUB: VHN-79562

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.0

sources: IVD: 98ac9190-2351-11e6-abef-000c29c66e3d // IVD: 06c17524-8593-488c-b05c-2941868b4f47 // CNVD: CNVD-2015-01196

AFFECTED PRODUCTS

vendor:siemensmodel:simatic step 7scope:eqversion:12

Trust: 2.4

vendor:siemensmodel:simatic step 7scope:eqversion:13

Trust: 1.6

vendor:siemensmodel:simatic step 7scope:lteversion:13

Trust: 1.0

vendor:siemensmodel:simatic step 7scope:ltversion:13 thats all 13 sp1 upd1

Trust: 0.8

vendor:siemensmodel:simatic step sp1 upd1scope:eqversion:7<v13

Trust: 0.6

vendor:simatic step 7model: - scope:eqversion:12

Trust: 0.4

vendor:simatic step 7model: - scope:eqversion:13

Trust: 0.4

vendor:simatic step 7model: - scope:eqversion:*

Trust: 0.4

sources: IVD: 98ac9190-2351-11e6-abef-000c29c66e3d // IVD: 06c17524-8593-488c-b05c-2941868b4f47 // CNVD: CNVD-2015-01196 // JVNDB: JVNDB-2015-002095 // CNNVD: CNNVD-201503-050 // NVD: CVE-2015-1601

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1601
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-1601
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-01196
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201503-050
value: MEDIUM

Trust: 0.6

IVD: 98ac9190-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 06c17524-8593-488c-b05c-2941868b4f47
value: MEDIUM

Trust: 0.2

VULHUB: VHN-79562
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-1601
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-01196
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 98ac9190-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 06c17524-8593-488c-b05c-2941868b4f47
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-79562
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 98ac9190-2351-11e6-abef-000c29c66e3d // IVD: 06c17524-8593-488c-b05c-2941868b4f47 // CNVD: CNVD-2015-01196 // VULHUB: VHN-79562 // JVNDB: JVNDB-2015-002095 // CNNVD: CNNVD-201503-050 // NVD: CVE-2015-1601

PROBLEMTYPE DATA

problemtype:CWE-254

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-79562 // JVNDB: JVNDB-2015-002095 // NVD: CVE-2015-1601

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-050

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201503-050

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002095

PATCH

title:SSA-315836url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-315836.pdf

Trust: 0.8

title:Siemens SIMATIC STEP 7 TIA Portal man-in-the-middle attack information disclosure vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/55649

Trust: 0.6

sources: CNVD: CNVD-2015-01196 // JVNDB: JVNDB-2015-002095

EXTERNAL IDS

db:NVDid:CVE-2015-1601

Trust: 3.8

db:BIDid:72691

Trust: 2.6

db:SIEMENSid:SSA-315836

Trust: 1.7

db:CNNVDid:CNNVD-201503-050

Trust: 1.1

db:SIEMENSid:SSA-487246

Trust: 1.1

db:ICS CERTid:ICSA-15-099-01

Trust: 1.1

db:CNVDid:CNVD-2015-01196

Trust: 1.0

db:ICS CERTid:ICSA-15-050-01

Trust: 0.9

db:JVNDBid:JVNDB-2015-002095

Trust: 0.8

db:ICS CERTid:ICSA-15-099-01C

Trust: 0.3

db:IVDid:98AC9190-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:IVDid:06C17524-8593-488C-B05C-2941868B4F47

Trust: 0.2

db:VULHUBid:VHN-79562

Trust: 0.1

sources: IVD: 98ac9190-2351-11e6-abef-000c29c66e3d // IVD: 06c17524-8593-488c-b05c-2941868b4f47 // CNVD: CNVD-2015-01196 // VULHUB: VHN-79562 // BID: 72691 // JVNDB: JVNDB-2015-002095 // CNNVD: CNNVD-201503-050 // NVD: CVE-2015-1601

REFERENCES

url:http://www.securityfocus.com/bid/72691

Trust: 1.7

url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-315836.pdf

Trust: 1.7

url:https://cert-portal.siemens.com/productcert/pdf/ssa-487246.pdf

Trust: 1.1

url:https://ics-cert.us-cert.gov/advisories/icsa-15-099-01

Trust: 1.1

url:https://ics-cert.us-cert.gov/advisories/icsa-15-050-01

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1601

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1601

Trust: 0.8

url:http://www.industry.siemens.com/topics/global/en/tia-portal/controller-sw-tia-portal/simatic-step7-basic-tia-portal/pages/default.aspx

Trust: 0.3

url:https://ics-cert.us-cert.gov/advisories/icsa-15-099-01c

Trust: 0.3

sources: CNVD: CNVD-2015-01196 // VULHUB: VHN-79562 // BID: 72691 // JVNDB: JVNDB-2015-002095 // CNNVD: CNNVD-201503-050 // NVD: CVE-2015-1601

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 72691

SOURCES

db:IVDid:98ac9190-2351-11e6-abef-000c29c66e3d
db:IVDid:06c17524-8593-488c-b05c-2941868b4f47
db:CNVDid:CNVD-2015-01196
db:VULHUBid:VHN-79562
db:BIDid:72691
db:JVNDBid:JVNDB-2015-002095
db:CNNVDid:CNNVD-201503-050
db:NVDid:CVE-2015-1601

LAST UPDATE DATE

2024-11-23T22:13:30.992000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2015-01196date:2015-02-27T00:00:00
db:VULHUBid:VHN-79562date:2016-11-28T00:00:00
db:BIDid:72691date:2015-10-26T16:22:00
db:JVNDBid:JVNDB-2015-002095date:2015-04-10T00:00:00
db:CNNVDid:CNNVD-201503-050date:2015-04-07T00:00:00
db:NVDid:CVE-2015-1601date:2024-11-21T02:25:45.227

SOURCES RELEASE DATE

db:IVDid:98ac9190-2351-11e6-abef-000c29c66e3ddate:2015-02-27T00:00:00
db:IVDid:06c17524-8593-488c-b05c-2941868b4f47date:2015-02-27T00:00:00
db:CNVDid:CNVD-2015-01196date:2015-02-27T00:00:00
db:VULHUBid:VHN-79562date:2015-04-06T00:00:00
db:BIDid:72691date:2015-02-19T00:00:00
db:JVNDBid:JVNDB-2015-002095date:2015-04-07T00:00:00
db:CNNVDid:CNNVD-201503-050date:2015-02-19T00:00:00
db:NVDid:CVE-2015-1601date:2015-04-06T01:59:01.667