ID

VAR-201606-0248


CVE

CVE-2016-4511


TITLE

ABB PCM600 Vulnerability in obtaining important plaintext information

Trust: 0.8

sources: JVNDB: JVNDB-2016-003202

DESCRIPTION

ABB PCM600 before 2.7 uses an improper hash algorithm for the main application password, which makes it easier for local users to obtain sensitive cleartext information by leveraging read access to the ACTConfig configuration file. ABB PCM600 is a protection and control IED manager for the energy industry. A local attacker could exploit this vulnerability to access affected devices. ABB PCM600 is prone to following security vulnerabilities: 1. An insecure password-hash vulnerability 2. Multiple insecure password storage vulnerabilities Successful attacks can allow a local attacker to gain unauthorized access to the application's users' password information. ABB PCM600 prior to 2.7 are vulnerable

Trust: 2.7

sources: NVD: CVE-2016-4511 // JVNDB: JVNDB-2016-003202 // CNVD: CNVD-2016-03750 // BID: 90966 // IVD: 5719c522-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-93330

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 5719c522-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03750

AFFECTED PRODUCTS

vendor:abbmodel:pcm600scope:eqversion:2.6

Trust: 1.2

vendor:abbmodel:pcm600scope:lteversion:2.6

Trust: 1.0

vendor:abbmodel:pcm600scope:ltversion:2.7

Trust: 0.8

vendor:pcm600model: - scope:eqversion:*

Trust: 0.2

sources: IVD: 5719c522-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03750 // JVNDB: JVNDB-2016-003202 // CNNVD: CNNVD-201605-713 // NVD: CVE-2016-4511

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-4511
value: LOW

Trust: 1.0

NVD: CVE-2016-4511
value: LOW

Trust: 0.8

CNVD: CNVD-2016-03750
value: LOW

Trust: 0.6

CNNVD: CNNVD-201605-713
value: LOW

Trust: 0.6

IVD: 5719c522-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

VULHUB: VHN-93330
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2016-4511
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-03750
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 5719c522-2351-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-93330
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-4511
baseSeverity: LOW
baseScore: 2.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.3
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: IVD: 5719c522-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03750 // VULHUB: VHN-93330 // JVNDB: JVNDB-2016-003202 // CNNVD: CNNVD-201605-713 // NVD: CVE-2016-4511

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

sources: VULHUB: VHN-93330 // JVNDB: JVNDB-2016-003202 // NVD: CVE-2016-4511

THREAT TYPE

local

Trust: 0.9

sources: BID: 90966 // CNNVD: CNNVD-201605-713

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201605-713

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003202

PATCH

title:Protection and Control IED Manager PCM600url:https://library.e.abb.com/public/2d9c28adfaa348ab91a041e507d3195b/PCM600_27_csdepl_758440_ENa.pdf

Trust: 0.8

title:ABB PCM600 password hash vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/76876

Trust: 0.6

title:ABB PCM600 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62021

Trust: 0.6

sources: CNVD: CNVD-2016-03750 // JVNDB: JVNDB-2016-003202 // CNNVD: CNNVD-201605-713

EXTERNAL IDS

db:NVDid:CVE-2016-4511

Trust: 3.6

db:ICS CERTid:ICSA-16-152-02

Trust: 3.1

db:CNNVDid:CNNVD-201605-713

Trust: 0.9

db:CNVDid:CNVD-2016-03750

Trust: 0.8

db:JVNDBid:JVNDB-2016-003202

Trust: 0.8

db:AUSCERTid:ESB-2016.1375

Trust: 0.6

db:BIDid:90966

Trust: 0.3

db:IVDid:5719C522-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:VULHUBid:VHN-93330

Trust: 0.1

sources: IVD: 5719c522-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03750 // VULHUB: VHN-93330 // BID: 90966 // JVNDB: JVNDB-2016-003202 // CNNVD: CNNVD-201605-713 // NVD: CVE-2016-4511

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-16-152-02

Trust: 3.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4511

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4511

Trust: 0.8

url:http://www.auscert.org.au/./render.html?it=35270

Trust: 0.6

sources: CNVD: CNVD-2016-03750 // VULHUB: VHN-93330 // JVNDB: JVNDB-2016-003202 // CNNVD: CNNVD-201605-713 // NVD: CVE-2016-4511

CREDITS

The vendor reported these issue.

Trust: 0.3

sources: BID: 90966

SOURCES

db:IVDid:5719c522-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2016-03750
db:VULHUBid:VHN-93330
db:BIDid:90966
db:JVNDBid:JVNDB-2016-003202
db:CNNVDid:CNNVD-201605-713
db:NVDid:CVE-2016-4511

LAST UPDATE DATE

2024-08-14T13:32:32.427000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2016-03750date:2016-06-02T00:00:00
db:VULHUBid:VHN-93330date:2016-06-17T00:00:00
db:BIDid:90966date:2016-05-31T00:00:00
db:JVNDBid:JVNDB-2016-003202date:2016-06-27T00:00:00
db:CNNVDid:CNNVD-201605-713date:2016-06-12T00:00:00
db:NVDid:CVE-2016-4511date:2016-06-17T13:00:40.673

SOURCES RELEASE DATE

db:IVDid:5719c522-2351-11e6-abef-000c29c66e3ddate:2016-06-02T00:00:00
db:CNVDid:CNVD-2016-03750date:2016-06-02T00:00:00
db:VULHUBid:VHN-93330date:2016-06-10T00:00:00
db:BIDid:90966date:2016-05-31T00:00:00
db:JVNDBid:JVNDB-2016-003202date:2016-06-17T00:00:00
db:CNNVDid:CNNVD-201605-713date:2016-05-31T00:00:00
db:NVDid:CVE-2016-4511date:2016-06-10T01:59:11.083