ID

VAR-201504-0235


CVE

CVE-2015-2823


TITLE

Authentication completion vulnerability in multiple SIMATIC HMI products and SIMATIC WinCC

Trust: 0.8

sources: JVNDB: JVNDB-2015-002126

DESCRIPTION

Siemens SIMATIC HMI Basic Panels 2nd Generation before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Professional before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal), SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal), SIMATIC HMI Multi Panels (WinCC TIA Portal), and SIMATIC WinCC 7.x before 7.3 Upd4 allow remote attackers to complete authentication by leveraging knowledge of a password hash without knowledge of the associated password. Multiple SIMATIC HMI products and SIMATIC WinCC contain a vulnerability that allows authentication to be completed. Even without knowledge of the associated password, a third party may use the password hash to complete authentication. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. Siemens SIMATIC and SIMATIC WinCC HMI Comfort Panels have an authentication bypass vulnerability that remote attackers can exploit to bypass authentication. Multiple Siemens SIMATIC products are prone to an authentication-bypass vulnerability. This may aid in further attacks. The SIMATIC HMI Panel series and SIMATIC WinCC Runtime Advanced and Professional are all HMI software for operating and monitoring machines and plants. SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system. A remote attacker could exploit this vulnerability to authenticate using a known hashed password.

Trust: 2.97

sources: NVD: CVE-2015-2823 // JVNDB: JVNDB-2015-002126 // CNVD: CNVD-2015-02291 // BID: 74040 // IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff // IVD: 9844de6a-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-80784 // VULMON: CVE-2015-2823

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff // IVD: 9844de6a-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02291

AFFECTED PRODUCTS

vendor: siemens, model: wincc, scope: eq, version: 7.0

Trust: 2.2

vendor: siemens, model: wincc, scope: eq, version: 7.1

Trust: 2.2

vendor: siemens, model: wincc, scope: eq, version: 7.2

Trust: 2.2

vendor: siemens, model: wincc, scope: eq, version: 7.3

Trust: 2.2

vendor: siemens, model: wincc, scope: lte, version: 13.0

Trust: 1.0

vendor: wincc, model: -, scope: eq, version: *

Trust: 0.8

vendor: siemens, model: simatic hmi basic panels 2nd generation, scope: eq, version: (wincc 13 sp1 upd2

Trust: 0.8

vendor: siemens, model: simatic hmi mobile panel 277, scope: eq, version: (wincc all versions )

Trust: 0.8

vendor: siemens, model: simatic wincc, scope: eq, version: 7.3 upd4

Trust: 0.8

vendor: siemens, model: simatic hmi comfort panels, scope: lt, version: )

Trust: 0.8

vendor: siemens, model: simatic hmi multi panels, scope: eq, version: (wincc all versions )

Trust: 0.8

vendor: siemens, model: simatic hmi comfort panels, scope: eq, version: (wincc 13 sp1 upd2

Trust: 0.8

vendor: siemens, model: simatic hmi basic panels 1st generation, scope: eq, version: (wincc all versions )

Trust: 0.8

vendor: siemens, model: simatic wincc, scope: lt, version: 7.x

Trust: 0.8

vendor: siemens, model: simatic hmi basic panels 2nd generation, scope: lt, version: )

Trust: 0.8

vendor: siemens, model: simatic hmi basic panels generation, scope: eq, version: 1

Trust: 0.6

vendor: siemens, model: simatic hmi basic panels generation, scope: eq, version: 2

Trust: 0.6

vendor: siemens, model: simatic hmi comfort panels, scope: -, version: -

Trust: 0.6

vendor: siemens, model: simatic hmi mobile panel, scope: eq, version: 277

Trust: 0.6

vendor: siemens, model: simatic hmi mobile panels, scope: -, version: -

Trust: 0.6

vendor: siemens, model: wincc, scope: eq, version: 13.0

Trust: 0.6

vendor: wincc, model: -, scope: eq, version: 7.0

Trust: 0.4

vendor: wincc, model: -, scope: eq, version: 7.1

Trust: 0.4

vendor: wincc, model: -, scope: eq, version: 7.2

Trust: 0.4

vendor: wincc, model: -, scope: eq, version: 7.3

Trust: 0.4

sources: IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff // IVD: 9844de6a-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02291 // JVNDB: JVNDB-2015-002126 // CNNVD: CNNVD-201504-097 // NVD: CVE-2015-2823

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2823
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-2823
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-02291
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201504-097
value: MEDIUM

Trust: 0.6

IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff
value: MEDIUM

Trust: 0.2

IVD: 9844de6a-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-80784
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-2823
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-2823
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2015-02291
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 9844de6a-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-80784
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff // IVD: 9844de6a-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02291 // VULHUB: VHN-80784 // VULMON: CVE-2015-2823 // JVNDB: JVNDB-2015-002126 // CNNVD: CNNVD-201504-097 // NVD: CVE-2015-2823

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-80784 // JVNDB: JVNDB-2015-002126 // NVD: CVE-2015-2823

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201504-097

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201504-097

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002126

PATCH

title: SSA-487246, url: http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-487246.pdf

Trust: 0.8

title: Siemens SIMATIC and SIMATIC WinCC HMI Comfort Panels verify patches for bypassing vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/57127

Trust: 0.6

title: The Register, url: https://www.theregister.co.uk/2015/08/31/ruskie_ics_hacker_drops_nine_holes_in_popular_siemens_power_plant_kit/

Trust: 0.2

sources: CNVD: CNVD-2015-02291 // VULMON: CVE-2015-2823 // JVNDB: JVNDB-2015-002126

EXTERNAL IDS

db: NVD, id: CVE-2015-2823

Trust: 3.9

db: BID, id: 74040

Trust: 2.1

db: SIEMENS, id: SSA-487246

Trust: 1.8

db: CNNVD, id: CNNVD-201504-097

Trust: 1.1

db: CNVD, id: CNVD-2015-02291

Trust: 1.0

db: ICS CERT, id: ICSA-15-099-01

Trust: 0.8

db: JVNDB, id: JVNDB-2015-002126

Trust: 0.8

db: IVD, id: 344280CB-0461-40FA-A3C6-537FF0CE4AFF

Trust: 0.2

db: IVD, id: 9844DE6A-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-80784

Trust: 0.1

db: ICS CERT, id: ICSA-15-099-01E

Trust: 0.1

db: VULMON, id: CVE-2015-2823

Trust: 0.1

sources: IVD: 344280cb-0461-40fa-a3c6-537ff0ce4aff // IVD: 9844de6a-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02291 // VULHUB: VHN-80784 // VULMON: CVE-2015-2823 // BID: 74040 // JVNDB: JVNDB-2015-002126 // CNNVD: CNNVD-201504-097 // NVD: CVE-2015-2823

REFERENCES

url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-487246.pdf

Trust: 1.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2823

Trust: 1.4

url:http://www.securityfocus.com/bid/74040

Trust: 1.3

url:https://cert-portal.siemens.com/productcert/pdf/ssa-487246.pdf

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2823

Trust: 0.8

url:https://ics-cert.us-cert.gov/advisories/icsa-15-099-01

Trust: 0.8

url:http://subscriber.communications.siemens.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.theregister.co.uk/2015/08/31/ruskie_ics_hacker_drops_nine_holes_in_popular_siemens_power_plant_kit/

Trust: 0.1

url:https://ics-cert.us-cert.gov/advisories/icsa-15-099-01e

Trust: 0.1

sources: CNVD: CNVD-2015-02291 // VULHUB: VHN-80784 // VULMON: CVE-2015-2823 // BID: 74040 // JVNDB: JVNDB-2015-002126 // CNNVD: CNNVD-201504-097 // NVD: CVE-2015-2823

CREDITS

Quarkslab team and Ilya Karpov from Positive Technologies.

Trust: 0.3

sources: BID: 74040

SOURCES

db: IVD, id: 344280cb-0461-40fa-a3c6-537ff0ce4aff
db: IVD, id: 9844de6a-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2015-02291
db: VULHUB, id: VHN-80784
db: VULMON, id: CVE-2015-2823
db: BID, id: 74040
db: JVNDB, id: JVNDB-2015-002126
db: CNNVD, id: CNNVD-201504-097
db: NVD, id: CVE-2015-2823

LAST UPDATE DATE

2024-08-14T13:57:39.257000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-02291, date: 2015-04-10T00:00:00
db: VULHUB, id: VHN-80784, date: 2016-11-28T00:00:00
db: VULMON, id: CVE-2015-2823, date: 2016-11-28T00:00:00
db: BID, id: 74040, date: 2015-11-03T19:21:00
db: JVNDB, id: JVNDB-2015-002126, date: 2015-04-10T00:00:00
db: CNNVD, id: CNNVD-201504-097, date: 2015-04-09T00:00:00
db: NVD, id: CVE-2015-2823, date: 2016-11-28T19:21:58.403

SOURCES RELEASE DATE

db: IVD, id: 344280cb-0461-40fa-a3c6-537ff0ce4aff, date: 2015-04-10T00:00:00
db: IVD, id: 9844de6a-2351-11e6-abef-000c29c66e3d, date: 2015-04-10T00:00:00
db: CNVD, id: CNVD-2015-02291, date: 2015-04-10T00:00:00
db: VULHUB, id: VHN-80784, date: 2015-04-08T00:00:00
db: VULMON, id: CVE-2015-2823, date: 2015-04-08T00:00:00
db: BID, id: 74040, date: 2015-04-10T00:00:00
db: JVNDB, id: JVNDB-2015-002126, date: 2015-04-10T00:00:00
db: CNNVD, id: CNNVD-201504-097, date: 2015-04-09T00:00:00
db: NVD, id: CVE-2015-2823, date: 2015-04-08T16:59:01.270