ID

VAR-201702-0854


CVE

CVE-2016-9353


TITLE

Advantech SUSIAccess Server Vulnerabilities in administrator account passwords

Trust: 0.8

sources: JVNDB: JVNDB-2016-007632

DESCRIPTION

An issue was discovered in Advantech SUSIAccess Server Version 3.0 and prior. The admin password is stored in the system and is encrypted with a static key hard-coded in the program. Attackers could reverse the encryption to recover the admin account password and use it. This vulnerability allows attackers to escalate privileges on vulnerable installations of Advantech SUSIAccess Server. Authentication is not required to exploit this vulnerability. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM. SUSIAccess is an easy-to-use remote device management software solution. Advantech SUSIAccess Server has a local privilege elevation vulnerability. Advantech SUSIAccess Server is a set of Advantech's Platform as a Service (PaaS) products for cloud and Internet of Things (IoT) devices.

Trust: 3.69

sources: NVD: CVE-2016-9353 // JVNDB: JVNDB-2016-007632 // ZDI: ZDI-16-629 // CNVD: CNVD-2016-11829 // CNNVD: CNNVD-201612-010 // BID: 94631 // VULHUB: VHN-98173

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-11829

AFFECTED PRODUCTS

vendor: advantech, model: susiaccess, scope: lte, version: 3.0

Trust: 1.0

vendor: advantech, model: susiaccess, scope: lte, version: server 3.0

Trust: 0.8

vendor: advantech, model: susiaccess server, scope: -, version: -

Trust: 0.7

vendor: advantech, model: suisaccess server, scope: lte, version: <=3.0

Trust: 0.6

vendor: advantech, model: susiaccess, scope: eq, version: 3.0

Trust: 0.6

vendor: advantech, model: suisaccess server, scope: eq, version: 3.0

Trust: 0.3

sources: ZDI: ZDI-16-629 // CNVD: CNVD-2016-11829 // BID: 94631 // JVNDB: JVNDB-2016-007632 // CNNVD: CNNVD-201612-010 // NVD: CVE-2016-9353

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9353
value: HIGH

Trust: 1.0

NVD: CVE-2016-9353
value: HIGH

Trust: 0.8

ZDI: CVE-2016-9353
value: HIGH

Trust: 0.7

CNVD: CNVD-2016-11829
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201612-010
value: HIGH

Trust: 0.6

VULHUB: VHN-98173
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-9353
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2016-11829
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-98173
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-9353
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-16-629 // CNVD: CNVD-2016-11829 // VULHUB: VHN-98173 // JVNDB: JVNDB-2016-007632 // CNNVD: CNNVD-201612-010 // NVD: CVE-2016-9353

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-98173 // JVNDB: JVNDB-2016-007632 // NVD: CVE-2016-9353

THREAT TYPE

local

Trust: 0.9

sources: BID: 94631 // CNNVD: CNNVD-201612-010

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201612-010

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007632

PATCH

title: SUSIAccess
url: http://www2.advantech.com/industrialCloud/about_what.aspx

Trust: 0.8

title: Advantech has issued an update to correct this vulnerability.
url: https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04

Trust: 0.7

title: Patch for Advantech SUSIAccess Server Local Privilege Escalation Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/84925

Trust: 0.6

sources: ZDI: ZDI-16-629 // CNVD: CNVD-2016-11829 // JVNDB: JVNDB-2016-007632

EXTERNAL IDS

db: NVD, id: CVE-2016-9353

Trust: 4.1

db: ICS CERT, id: ICSA-16-336-04

Trust: 3.4

db: BID, id: 94631

Trust: 2.6

db: JVNDB, id: JVNDB-2016-007632

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-3987

Trust: 0.7

db: ZDI, id: ZDI-16-629

Trust: 0.7

db: CNNVD, id: CNNVD-201612-010

Trust: 0.7

db: CNVD, id: CNVD-2016-11829

Trust: 0.6

db: VULHUB, id: VHN-98173

Trust: 0.1

sources: ZDI: ZDI-16-629 // CNVD: CNVD-2016-11829 // VULHUB: VHN-98173 // BID: 94631 // JVNDB: JVNDB-2016-007632 // CNNVD: CNNVD-201612-010 // NVD: CVE-2016-9353

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-16-336-04

Trust: 4.1

url: http://www.securityfocus.com/bid/94631

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9353

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9353

Trust: 0.8

url: http://webaccess.advantech.com

Trust: 0.3

sources: ZDI: ZDI-16-629 // CNVD: CNVD-2016-11829 // VULHUB: VHN-98173 // BID: 94631 // JVNDB: JVNDB-2016-007632 // CNNVD: CNNVD-201612-010 // NVD: CVE-2016-9353

CREDITS

rgod working with Zero Day Initiative (ZDI).

Trust: 0.9

sources: BID: 94631 // CNNVD: CNNVD-201612-010

SOURCES

db: ZDI, id: ZDI-16-629
db: CNVD, id: CNVD-2016-11829
db: VULHUB, id: VHN-98173
db: BID, id: 94631
db: JVNDB, id: JVNDB-2016-007632
db: CNNVD, id: CNNVD-201612-010
db: NVD, id: CVE-2016-9353

LAST UPDATE DATE

2024-11-23T22:07:38.541000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-16-629, date: 2016-12-13T00:00:00
db: CNVD, id: CNVD-2016-11829, date: 2016-12-05T00:00:00
db: VULHUB, id: VHN-98173, date: 2017-02-17T00:00:00
db: BID, id: 94631, date: 2016-12-20T01:05:00
db: JVNDB, id: JVNDB-2016-007632, date: 2017-03-08T00:00:00
db: CNNVD, id: CNNVD-201612-010, date: 2016-12-02T00:00:00
db: NVD, id: CVE-2016-9353, date: 2024-11-21T03:01:00.333

SOURCES RELEASE DATE

db: ZDI, id: ZDI-16-629, date: 2016-12-13T00:00:00
db: CNVD, id: CNVD-2016-11829, date: 2016-12-03T00:00:00
db: VULHUB, id: VHN-98173, date: 2017-02-13T00:00:00
db: BID, id: 94631, date: 2016-12-01T00:00:00
db: JVNDB, id: JVNDB-2016-007632, date: 2017-03-08T00:00:00
db: CNNVD, id: CNNVD-201612-010, date: 2016-12-02T00:00:00
db: NVD, id: CVE-2016-9353, date: 2017-02-13T21:59:01.940