Sign-up

ID

VAR-201702-0861


CVE

CVE-2016-9362


TITLE

plural WAGO Vulnerability of editing settings without authentication in the product

Trust: 0.8

sources: JVNDB: JVNDB-2016-007990

DESCRIPTION

An issue was discovered in WAGO 750-8202/PFC200 prior to FW04 (released August 2015), WAGO 750-881 prior to FW09 (released August 2016), and WAGO 0758-0874-0000-0111. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to edit and to view settings without authenticating. WAGO 750-8202 / PFC200 and so on are all bus editable logic controller modules of German WAGO company. An authentication bypass vulnerability exists in several WAGO products. An attacker could use this vulnerability to bypass the authentication mechanism and perform unauthorized operations. This may lead to further attacks. The following products are vulnerable: WAGO 750-8202/PFC200 prior to FW04 WAGO 750-881 prior to FW09 WAGO 0758-0874-0000-0111. WAGO 750-8202/PFC200, etc

Trust: 2.61

sources: NVD: CVE-2016-9362 // JVNDB: JVNDB-2016-007990 // CNVD: CNVD-2016-13097 // BID: 95074 // VULHUB: VHN-98182 // VULMON: CVE-2016-9362

AFFECTED PRODUCTS

vendor:wagomodel:758-xxxx seriesscope:eqversion: -

Trust: 1.6

vendor:wagomodel:750-xxxx seriesscope:eqversion: -

Trust: 1.6

vendor:wagomodel:pfc200scope:eqversion: -

Trust: 1.6

vendor:wagomodel:750-xxxx seriesscope: - version: -

Trust: 0.8

vendor:wagomodel:758-xxxx seriesscope: - version: -

Trust: 0.8

vendor:wagomodel:pfc200scope: - version: -

Trust: 0.8

vendor:wagomodel: - scope:eqversion:0758-0874-0000-0111

Trust: 0.6

vendor:wagomodel:<fw09scope:eqversion:750-881

Trust: 0.6

vendor:wagomodel:750-8202/pfc200 <fw04scope: - version: -

Trust: 0.6

vendor:wagomodel:pfc200scope:eqversion:0

Trust: 0.3

vendor:wagomodel:wagoscope:eqversion:750-8810

Trust: 0.3

vendor:wagomodel:wagoscope:eqversion:750-82020

Trust: 0.3

vendor:wagomodel:wagoscope:eqversion:0758-0874-0000-0111

Trust: 0.3

vendor:wagomodel:pfc200 fw04scope:neversion: -

Trust: 0.3

vendor:wagomodel:fw09scope:neversion:750-881

Trust: 0.3

vendor:wagomodel:fw04scope:neversion:750-8202

Trust: 0.3

sources: CNVD: CNVD-2016-13097 // BID: 95074 // JVNDB: JVNDB-2016-007990 // CNNVD: CNNVD-201612-631 // NVD: CVE-2016-9362

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9362
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-9362
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2016-13097
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201612-631
value: MEDIUM

Trust: 0.6

VULHUB: VHN-98182
value: MEDIUM

Trust: 0.1

VULMON: CVE-2016-9362
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-9362
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2016-9362
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2016-13097
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-98182
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-9362
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.0

Trust: 1.0

NVD: CVE-2016-9362
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2016-13097 // VULHUB: VHN-98182 // VULMON: CVE-2016-9362 // JVNDB: JVNDB-2016-007990 // CNNVD: CNNVD-201612-631 // NVD: CVE-2016-9362

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-98182 // JVNDB: JVNDB-2016-007990 // NVD: CVE-2016-9362

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-631

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201612-631

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-007990

PATCH
title:Top Pageurl:http://global.wago.com/jp/
Trust: 0.8
title:Patch for Multiple WAGO Product Certification Bypass Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/86762
Trust: 0.6
title:Multiple WAGO Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66653
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-13097 // 
            
            
            
            JVNDB: JVNDB-2016-007990 // 
            
            
            
            CNNVD: CNNVD-201612-631

EXTERNAL IDS
db:NVDid:CVE-2016-9362
Trust: 3.5
db:ICS CERTid:ICSA-16-357-02
Trust: 2.9
db:BIDid:95074
Trust: 2.7
db:JVNDBid:JVNDB-2016-007990
Trust: 0.8
db:CNNVDid:CNNVD-201612-631
Trust: 0.7
db:CNVDid:CNVD-2016-13097
Trust: 0.6
db:VULHUBid:VHN-98182
Trust: 0.1
db:VULMONid:CVE-2016-9362
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-13097 // 
            
            
            
            VULHUB: VHN-98182 // 
            
            
            
            VULMON: CVE-2016-9362 // 
            
            
            
            BID: 95074 // 
            
            
            
            JVNDB: JVNDB-2016-007990 // 
            
            
            
            CNNVD: CNNVD-201612-631 // 
            
            
            
            NVD: CVE-2016-9362

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-357-02
Trust: 3.0
url:http://www.securityfocus.com/bid/95074
Trust: 2.4
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9362
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-9362
Trust: 0.8
url: http://www.wago.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/287.html
Trust: 0.1
url:https://tools.cisco.com/security/center/viewalert.x?alertid=52214
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-13097 // 
            
            
            
            VULHUB: VHN-98182 // 
            
            
            
            VULMON: CVE-2016-9362 // 
            
            
            
            BID: 95074 // 
            
            
            
            JVNDB: JVNDB-2016-007990 // 
            
            
            
            CNNVD: CNNVD-201612-631 // 
            
            
            
            NVD: CVE-2016-9362

CREDITS
Maxim Rupp.
Trust: 0.9
sources:
            
            
            BID: 95074 // 
            
            
            
            CNNVD: CNNVD-201612-631

SOURCES
db:CNVDid:CNVD-2016-13097
db:VULHUBid:VHN-98182
db:VULMONid:CVE-2016-9362
db:BIDid:95074
db:JVNDBid:JVNDB-2016-007990
db:CNNVDid:CNNVD-201612-631
db:NVDid:CVE-2016-9362

LAST UPDATE DATE
2024-11-23T23:12:33.016000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-13097date:2016-12-27T00:00:00
db:VULHUBid:VHN-98182date:2017-06-28T00:00:00
db:VULMONid:CVE-2016-9362date:2017-06-28T00:00:00
db:BIDid:95074date:2017-01-12T08:04:00
db:JVNDBid:JVNDB-2016-007990date:2017-04-05T00:00:00
db:CNNVDid:CNNVD-201612-631date:2016-12-23T00:00:00
db:NVDid:CVE-2016-9362date:2024-11-21T03:01:01.330

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-13097date:2016-12-27T00:00:00
db:VULHUBid:VHN-98182date:2017-02-13T00:00:00
db:VULMONid:CVE-2016-9362date:2017-02-13T00:00:00
db:BIDid:95074date:2016-12-22T00:00:00
db:JVNDBid:JVNDB-2016-007990date:2017-04-05T00:00:00
db:CNNVDid:CNNVD-201612-631date:2016-12-23T00:00:00
db:NVDid:CVE-2016-9362date:2017-02-13T21:59:02.110