Sign-up

ID

VAR-201708-1399


CVE

CVE-2017-9644


TITLE

ALC WebCTRL i-Vu/SiteScan Web Unreferenced Search Path Vulnerability

Trust: 0.8

sources: IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // CNVD: CNVD-2017-22828

DESCRIPTION

An Unquoted Search Path or Element issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An unquoted search path vulnerability may allow a non-privileged local attacker to change files in the installation directory and execute arbitrary code with elevated privileges. ALC WebCTRL , i-Vu ,and SiteScan Web Contains vulnerabilities related to unquoted search paths or elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ALC WebCTRL is a building automation platform. Multiple Automated Logic Corporation (ALC) Products are prone to local privilege-escalation vulnerability. WebCTRL®, Automated Logic's web-based building automationsystem, is known for its intuitive user interface and powerful integrationcapabilities. It allows building operators to optimize and manageall of their building systems - including HVAC, lighting, fire, elevators,and security - all within a single HVAC controls platform. It's everythingthey need to keep occupants comfortable, manage energy conservation measures,identify key operational problems, and validate the results.WebCTRL suffers from an authenticated arbitrary code execution vulnerability. The issue is caused due to the improper verification when uploading Add-on (.addons or .war) files using the uploadwarfile servlet. This can be exploited to execute arbitrary code by uploading a malicious web archive file that will run automatically and can be accessed from within the webroot directory. Additionaly, an improper authorization access control occurs when using the 'anonymous' user. By specification, the anonymous user should not have permissions or authorization to upload or install add-ons. In this case, when using the anonymous user, an attacker is still able to upload a malicious file via insecure direct object reference and execute arbitrary code. The anonymous user was removed from version 6.5 of WebCTRL.Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)Apache-Coyote/1.1Apache Tomcat/7.0.42CJServer/1.1Java/1.7.0_25-b17Java HotSpot Server VM 23.25-b01Ant 1.7.0Axis 1.4Trove 2.0.2Xalan Java 2.4.1Xerces-J 2.6.1. The vulnerability exist due to the improper permissions,with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.The application suffers from an unquoted search path issue as well impacting the service'WebCTRL Service' for Windows deployed as part of WebCTRL server solution. A successful attempt would require thelocal user to be able to insert their code in the system root path undetected by theOS or other security applications where it could potentially be executed duringapplication startup or reboot

Trust: 2.88

sources: NVD: CVE-2017-9644 // JVNDB: JVNDB-2017-007644 // CNVD: CNVD-2017-22828 // BID: 100454 // IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // ZSL: ZSL-2017-5431 // ZSL: ZSL-2017-5430 // ZSL: ZSL-2017-5429

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // CNVD: CNVD-2017-22828

AFFECTED PRODUCTS

vendor:webctrlmodel: - scope:eqversion:*

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:6.1

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.0

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.1

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:5.5

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:5.2

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:5.2

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:5.2

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:6.5

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:5.5

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.5

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:6.5

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:5.5

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:6.0

Trust: 1.0

vendor:i vumodel: - scope:eqversion:*

Trust: 0.8

vendor:sitescan webmodel: - scope:eqversion:*

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:5.2

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:5.5

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:6.0

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:5.2

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:5.5

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:6.1

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:5.2

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:5.5

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.0

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.1

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.5

Trust: 0.8

vendor:ibm automated logicmodel:sitescan webscope:lteversion:<=6.5

Trust: 0.6

vendor:automated logicmodel:alc webctrl i-vuscope:lteversion:<=6.0

Trust: 0.6

vendor:automated logicmodel:alc webctrl sitescan webscope:lteversion:<=6.1

Trust: 0.6

vendor:automated logicmodel:sitescan web i-vu alc webctrlscope:lteversion:<=6.5

Trust: 0.6

vendor:automated logicmodel:sitescan web i-vu alc webctrlscope:lteversion:<=5.5

Trust: 0.6

vendor:automated logicmodel:sitescan web i-vu alc webctrlscope:lteversion:<=5.2

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:6.0

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:5.2

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:5.5

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:6.5

Trust: 0.6

vendor:automatedlogicmodel:webctrlscope:eqversion:5.5

Trust: 0.6

vendor:automatedlogicmodel:webctrlscope:eqversion:5.2

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:6.5

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:6.1

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:5.2

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:5.5

Trust: 0.6

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 6.1 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: i-vu 6.0 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 5.5 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 5.2 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.1 and 6.0

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.0

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.0

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 6.5 and prior

Trust: 0.2

sources: ZSL: ZSL-2017-5431 // ZSL: ZSL-2017-5430 // ZSL: ZSL-2017-5429 // IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // CNVD: CNVD-2017-22828 // BID: 100454 // JVNDB: JVNDB-2017-007644 // CNNVD: CNNVD-201706-859 // NVD: CVE-2017-9644

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9644
value: HIGH

Trust: 1.0

NVD: CVE-2017-9644
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-22828
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-859
value: HIGH

Trust: 0.6

IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce
value: HIGH

Trust: 0.2

ZSL: ZSL-2017-5431
value: (4/5)

Trust: 0.1

ZSL: ZSL-2017-5430
value: (3/5)

Trust: 0.1

ZSL: ZSL-2017-5429
value: (3/5)

Trust: 0.1

nvd@nist.gov: CVE-2017-9644
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-22828
severity: MEDIUM
baseScore: 6.2
vectorString: AV:L/AC:H/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce
severity: MEDIUM
baseScore: 6.2
vectorString: AV:L/AC:H/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9644
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZSL: ZSL-2017-5431 // ZSL: ZSL-2017-5430 // ZSL: ZSL-2017-5429 // IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // CNVD: CNVD-2017-22828 // JVNDB: JVNDB-2017-007644 // CNNVD: CNNVD-201706-859 // NVD: CVE-2017-9644

PROBLEMTYPE DATA

problemtype:CWE-428

Trust: 1.8

sources: JVNDB: JVNDB-2017-007644 // NVD: CVE-2017-9644

THREAT TYPE

local

Trust: 0.9

sources: BID: 100454 // CNNVD: CNNVD-201706-859

TYPE

Code problem

Trust: 0.8

sources: IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // CNNVD: CNNVD-201706-859

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007644

EXPLOIT AVAILABILITY
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429

PATCH
title:Security Best Practices Checklists for Building Automation Systems (BAS)url:http://www.automatedlogic.com/Pages/Security.aspx
Trust: 0.8
title:ALC WebCTRL i-Vu/SiteScan Web does not reference patches for search path vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/100837
Trust: 0.6
title:ALC WebCTRL , i-Vu  and SiteScan Web Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99869
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-22828 // 
            
            
            
            JVNDB: JVNDB-2017-007644 // 
            
            
            
            CNNVD: CNNVD-201706-859

EXTERNAL IDS
db:NVDid:CVE-2017-9644
Trust: 3.6
db:ICS CERTid:ICSA-17-234-01
Trust: 3.0
db:BIDid:100454
Trust: 2.0
db:EXPLOIT-DBid:42542
Trust: 1.7
db:CNVDid:CNVD-2017-22828
Trust: 0.8
db:CNNVDid:CNNVD-201706-859
Trust: 0.8
db:JVNDBid:JVNDB-2017-007644
Trust: 0.8
db:BIDid:100452
Trust: 0.2
db:IVDid:963DE9F9-6E8A-4C63-8060-67B7CA4DE5CE
Trust: 0.2
db:PACKETSTORMid:143897
Trust: 0.1
db:EXPLOIT-DBid:42544
Trust: 0.1
db:NVDid:CVE-2017-9650
Trust: 0.1
db:CXSECURITYid:WLB-2017080166
Trust: 0.1
db:ZSLid:ZSL-2017-5431
Trust: 0.1
db:AUSCERTid:ESB-2017.2113
Trust: 0.1
db:EXPLOIT-DBid:42543
Trust: 0.1
db:PACKETSTORMid:143896
Trust: 0.1
db:NVDid:CVE-2017-9640
Trust: 0.1
db:CXSECURITYid:WLB-2017080165
Trust: 0.1
db:ZSLid:ZSL-2017-5430
Trust: 0.1
db:CXSECURITYid:WLB-2017080167
Trust: 0.1
db:PACKETSTORMid:143895
Trust: 0.1
db:ZSLid:ZSL-2017-5429
Trust: 0.1
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429 // 
            
            
            
            IVD: 963de9f9-6e8a-4c63-8060-67b7ca4de5ce // 
            
            
            
            CNVD: CNVD-2017-22828 // 
            
            
            
            BID: 100454 // 
            
            
            
            JVNDB: JVNDB-2017-007644 // 
            
            
            
            CNNVD: CNNVD-201706-859 // 
            
            
            
            NVD: CVE-2017-9644

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-234-01
Trust: 3.0
url:https://www.exploit-db.com/exploits/42542/
Trust: 1.7
url:http://www.securityfocus.com/bid/100454
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-9644
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9644
Trust: 0.9
url:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9644
Trust: 0.6
url:http://www.automatedlogic.com/pages/security_commitment.aspx
Trust: 0.3
url:http://www.automatedlogic.com/specsheets/security_best_practices_checklists_for_building_automation_systems_(bas)pdf.pdf
Trust: 0.3
url:http://www.securityweek.com/automated-logic-patches-flaws-building-automation-system
Trust: 0.3
url:http://www.automatedlogic.com
Trust: 0.3
url:http://www.securityfocus.com/bid/100452
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-9650
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9650
Trust: 0.1
url:https://www.exploit-db.com/exploits/42544/
Trust: 0.1
url:https://packetstormsecurity.com/files/143897
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2017080166
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/130767
Trust: 0.1
url:http://www.vfocus.net/art/20170824/13802.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-9640
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9640
Trust: 0.1
url:https://www.exploit-db.com/exploits/42543/
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2017080165
Trust: 0.1
url:https://packetstormsecurity.com/files/143896
Trust: 0.1
url:https://www.auscert.org.au/bulletins/51482
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/130766
Trust: 0.1
url:https://packetstormsecurity.com/files/143895
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2017080167
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/130760
Trust: 0.1
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429 // 
            
            
            
            CNVD: CNVD-2017-22828 // 
            
            
            
            BID: 100454 // 
            
            
            
            JVNDB: JVNDB-2017-007644 // 
            
            
            
            CNNVD: CNNVD-201706-859 // 
            
            
            
            NVD: CVE-2017-9644

CREDITS
Vulnerability discovered by Gjoko Krstic
Trust: 0.3
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429

SOURCES
db:ZSLid:ZSL-2017-5431
db:ZSLid:ZSL-2017-5430
db:ZSLid:ZSL-2017-5429
db:IVDid:963de9f9-6e8a-4c63-8060-67b7ca4de5ce
db:CNVDid:CNVD-2017-22828
db:BIDid:100454
db:JVNDBid:JVNDB-2017-007644
db:CNNVDid:CNNVD-201706-859
db:NVDid:CVE-2017-9644

LAST UPDATE DATE
2025-04-20T23:04:20.626000+00:00

SOURCES UPDATE DATE
db:ZSLid:ZSL-2017-5431date:2017-08-28T00:00:00
db:ZSLid:ZSL-2017-5430date:2017-08-25T00:00:00
db:ZSLid:ZSL-2017-5429date:2017-08-25T00:00:00
db:CNVDid:CNVD-2017-22828date:2017-08-25T00:00:00
db:BIDid:100454date:2017-08-23T00:00:00
db:JVNDBid:JVNDB-2017-007644date:2017-09-27T00:00:00
db:CNNVDid:CNNVD-201706-859date:2019-10-17T00:00:00
db:NVDid:CVE-2017-9644date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:ZSLid:ZSL-2017-5431date:2017-08-22T00:00:00
db:ZSLid:ZSL-2017-5430date:2017-08-22T00:00:00
db:ZSLid:ZSL-2017-5429date:2017-08-22T00:00:00
db:IVDid:963de9f9-6e8a-4c63-8060-67b7ca4de5cedate:2017-08-25T00:00:00
db:CNVDid:CNVD-2017-22828date:2017-08-25T00:00:00
db:BIDid:100454date:2017-08-23T00:00:00
db:JVNDBid:JVNDB-2017-007644date:2017-09-27T00:00:00
db:CNNVDid:CNNVD-201706-859date:2017-06-21T00:00:00
db:NVDid:CVE-2017-9644date:2017-08-25T19:29:00.457