ID

VAR-201704-1294


CVE

CVE-2017-8371


TITLE

Schneider Electric StruxureWare Data Center Expert vulnerability that allows important information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2017-003699

DESCRIPTION

Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors. Schneider Electric StruxureWare Data Center is a data center automation system of Schneider Electric (France). Successfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks.

Trust: 2.52

sources: NVD: CVE-2017-8371 // JVNDB: JVNDB-2017-003699 // CNVD: CNVD-2017-07260 // BID: 98399 // VULMON: CVE-2017-8371

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-07260

AFFECTED PRODUCTS

vendor: schneider electric, model: struxureware data center expert, scope: lte, version: 7.3.1

Trust: 1.0

vendor: schneider electric, model: struxureware data center expert, scope: eq, version: 7.3.1

Trust: 0.9

vendor: schneider electric, model: struxureware data center expert, scope: lt, version: 7.4.0

Trust: 0.8

vendor: schneider, model: electric struxureware data center, scope: lt, version: 7.4.0

Trust: 0.6

vendor: schneider electric, model: struxureware data center expert, scope: eq, version: 7.2.4

Trust: 0.3

vendor: schneider electric, model: struxureware data center expert, scope: eq, version: 7.3.1.114

Trust: 0.3

vendor: schneider electric, model: struxureware data center expert, scope: ne, version: 7.4

Trust: 0.3

sources: CNVD: CNVD-2017-07260 // BID: 98399 // JVNDB: JVNDB-2017-003699 // CNNVD: CNNVD-201705-046 // NVD: CVE-2017-8371

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-8371
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-8371
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-07260
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201705-046
value: MEDIUM

Trust: 0.6

VULMON: CVE-2017-8371
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-8371
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-07260
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-8371
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 4.0
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-07260 // VULMON: CVE-2017-8371 // JVNDB: JVNDB-2017-003699 // CNNVD: CNNVD-201705-046 // NVD: CVE-2017-8371

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.0

problemtype:CWE-200

Trust: 0.8

sources: JVNDB: JVNDB-2017-003699 // NVD: CVE-2017-8371

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-046

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201705-046

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003699

PATCH

title: SEVD-2016-343-01, url: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-343-01

Trust: 0.8

title: Patch for Schneider Electric StruxureWare Data Center Information Disclosure Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/94149

Trust: 0.6

title: Schneider Electric StruxureWare Data Center Expert Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69752

Trust: 0.6

sources: CNVD: CNVD-2017-07260 // JVNDB: JVNDB-2017-003699 // CNNVD: CNNVD-201705-046

EXTERNAL IDS

db: NVD, id: CVE-2017-8371

Trust: 3.4

db: SCHNEIDER, id: SEVD-2016-343-01

Trust: 2.0

db: JVNDB, id: JVNDB-2017-003699

Trust: 0.8

db: CNVD, id: CNVD-2017-07260

Trust: 0.6

db: CNNVD, id: CNNVD-201705-046

Trust: 0.6

db: BID, id: 98399

Trust: 0.4

db: VULMON, id: CVE-2017-8371

Trust: 0.1

sources: CNVD: CNVD-2017-07260 // VULMON: CVE-2017-8371 // BID: 98399 // JVNDB: JVNDB-2017-003699 // CNNVD: CNNVD-201705-046 // NVD: CVE-2017-8371

REFERENCES

url:http://www.datacenterdynamics.com/content-tracks/security-risk/schneider-patches-critical-vulnerability-in-struxureware-dcim/97738.fullarticle

Trust: 2.3

url:http://download.schneider-electric.com/files?p_doc_ref=sevd-2016-343-01

Trust: 2.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8371

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-8371

Trust: 0.8

url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/522.html

Trust: 0.1

url:https://www.securityfocus.com/bid/98399

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2017-07260 // VULMON: CVE-2017-8371 // BID: 98399 // JVNDB: JVNDB-2017-003699 // CNNVD: CNNVD-201705-046 // NVD: CVE-2017-8371

CREDITS

Ilya Karpov of Positive Technologies.

Trust: 0.3

sources: BID: 98399

SOURCES

db: CNVD, id: CNVD-2017-07260
db: VULMON, id: CVE-2017-8371
db: BID, id: 98399
db: JVNDB, id: JVNDB-2017-003699
db: CNNVD, id: CNNVD-201705-046
db: NVD, id: CVE-2017-8371

LAST UPDATE DATE

2024-11-23T21:54:07.551000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-07260, date: 2017-05-23T00:00:00
db: VULMON, id: CVE-2017-8371, date: 2019-10-03T00:00:00
db: BID, id: 98399, date: 2017-05-23T16:25:00
db: JVNDB, id: JVNDB-2017-003699, date: 2017-06-05T00:00:00
db: CNNVD, id: CNNVD-201705-046, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-8371, date: 2024-11-21T03:33:53.460

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-07260, date: 2017-05-22T00:00:00
db: VULMON, id: CVE-2017-8371, date: 2017-04-30T00:00:00
db: BID, id: 98399, date: 2017-01-20T00:00:00
db: JVNDB, id: JVNDB-2017-003699, date: 2017-06-05T00:00:00
db: CNNVD, id: CNNVD-201705-046, date: 2017-04-30T00:00:00
db: NVD, id: CVE-2017-8371, date: 2017-04-30T20:59:00.167