Sign-up

ID

VAR-201708-1403


CVE

CVE-2017-9650


TITLE

plural ALC Product unrestricted upload vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-007660

DESCRIPTION

An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code. ALC WebCTRL , i-Vu ,and SiteScan Web Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ALC WebCTRL is a building automation platform. Multiple Automated Logic Corporation Products are prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability. WebCTRL®, Automated Logic's web-based building automationsystem, is known for its intuitive user interface and powerful integrationcapabilities. It allows building operators to optimize and manageall of their building systems - including HVAC, lighting, fire, elevators,and security - all within a single HVAC controls platform. It's everythingthey need to keep occupants comfortable, manage energy conservation measures,identify key operational problems, and validate the results.WebCTRL suffers from an authenticated arbitrary code execution vulnerability. The issue is caused due to the improper verification when uploading Add-on (.addons or .war) files using the uploadwarfile servlet. Additionaly, an improper authorization access control occurs when using the 'anonymous' user. By specification, the anonymous user should not have permissions or authorization to upload or install add-ons. The anonymous user was removed from version 6.5 of WebCTRL.Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)Apache-Coyote/1.1Apache Tomcat/7.0.42CJServer/1.1Java/1.7.0_25-b17Java HotSpot Server VM 23.25-b01Ant 1.7.0Axis 1.4Trove 2.0.2Xalan Java 2.4.1Xerces-J 2.6.1. The vulnerability exist due to the improper permissions,with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.The application suffers from an unquoted search path issue as well impacting the service'WebCTRL Service' for Windows deployed as part of WebCTRL server solution. This couldpotentially allow an authorized but non-privileged local user to execute arbitrarycode with elevated privileges on the system. A successful attempt would require thelocal user to be able to insert their code in the system root path undetected by theOS or other security applications where it could potentially be executed duringapplication startup or reboot. If successful, the local user’s code would executewith the elevated privileges of the application.Tested on: Microsoft Windows 7 Professional SP1 (EN)

Trust: 2.88

sources: NVD: CVE-2017-9650 // JVNDB: JVNDB-2017-007660 // CNVD: CNVD-2017-22827 // BID: 100452 // IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935 // ZSL: ZSL-2017-5431 // ZSL: ZSL-2017-5430 // ZSL: ZSL-2017-5429

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935 // CNVD: CNVD-2017-22827

AFFECTED PRODUCTS

vendor:webctrlmodel: - scope:eqversion:*

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:6.1

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.0

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.1

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:5.5

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:5.2

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:5.2

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:5.2

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:6.5

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:5.5

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.5

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:6.5

Trust: 1.0

vendor:carriermodel:automatedlogic webctrlscope:lteversion:5.5

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:6.0

Trust: 1.0

vendor:i vumodel: - scope:eqversion:*

Trust: 0.8

vendor:sitescan webmodel: - scope:eqversion:*

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:5.2

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:5.5

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:6.0

Trust: 0.8

vendor:automated logicmodel:i-vuscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:5.2

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:5.5

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:6.1

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:5.2

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:5.5

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.0

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.1

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.5

Trust: 0.8

vendor:ibm automated logicmodel:sitescan webscope:lteversion:<=6.5

Trust: 0.6

vendor:automated logicmodel:alc webctrl i-vuscope:lteversion:<=6.0

Trust: 0.6

vendor:automated logicmodel:alc webctrl sitescan webscope:lteversion:<=6.1

Trust: 0.6

vendor:automated logicmodel:sitescan web i-vu alc webctrlscope:lteversion:<=6.5

Trust: 0.6

vendor:automated logicmodel:sitescan web i-vu alc webctrlscope:lteversion:<=5.5

Trust: 0.6

vendor:automated logicmodel:sitescan web i-vu alc webctrlscope:lteversion:<=5.2

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:6.0

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:5.5

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:5.2

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:6.5

Trust: 0.6

vendor:automatedlogicmodel:webctrlscope:eqversion:6.1

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:6.5

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:6.1

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:5.2

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:5.5

Trust: 0.6

vendor:automatedlogicmodel:webctrlscope:eqversion:6.0

Trust: 0.6

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 6.1 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: i-vu 6.0 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 5.5 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 5.2 and prior

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.1 and 6.0

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.0

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.0

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:webctrlscope:lteversion: sitescan web 6.5 and prior

Trust: 0.2

sources: ZSL: ZSL-2017-5431 // ZSL: ZSL-2017-5430 // ZSL: ZSL-2017-5429 // IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935 // CNVD: CNVD-2017-22827 // BID: 100452 // JVNDB: JVNDB-2017-007660 // CNNVD: CNNVD-201706-587 // NVD: CVE-2017-9650

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9650
value: HIGH

Trust: 1.0

NVD: CVE-2017-9650
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-22827
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-587
value: HIGH

Trust: 0.6

IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935
value: HIGH

Trust: 0.2

ZSL: ZSL-2017-5431
value: (4/5)

Trust: 0.1

ZSL: ZSL-2017-5430
value: (3/5)

Trust: 0.1

ZSL: ZSL-2017-5429
value: (3/5)

Trust: 0.1

nvd@nist.gov: CVE-2017-9650
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-22827
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9650
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZSL: ZSL-2017-5431 // ZSL: ZSL-2017-5430 // ZSL: ZSL-2017-5429 // IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935 // CNVD: CNVD-2017-22827 // JVNDB: JVNDB-2017-007660 // CNNVD: CNNVD-201706-587 // NVD: CVE-2017-9650

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.8

sources: JVNDB: JVNDB-2017-007660 // NVD: CVE-2017-9650

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201706-587

TYPE

Code problem

Trust: 0.8

sources: IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935 // CNNVD: CNNVD-201706-587

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007660

EXPLOIT AVAILABILITY
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429

PATCH
title:Security Best Practices Checklists for Building Automation Systems (BAS)url:http://www.automatedlogic.com/Pages/Security.aspx
Trust: 0.8
title:ALC WebCTRL i-Vu/SiteScan Web File Unrestricted File Upload Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/100835
Trust: 0.6
title:ALC WebCTRL , i-Vu  and SiteScan Web Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99851
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-22827 // 
            
            
            
            JVNDB: JVNDB-2017-007660 // 
            
            
            
            CNNVD: CNNVD-201706-587

EXTERNAL IDS
db:ICS CERTid:ICSA-17-234-01
Trust: 3.6
db:NVDid:CVE-2017-9650
Trust: 3.6
db:BIDid:100452
Trust: 2.1
db:EXPLOIT-DBid:42544
Trust: 1.7
db:CNVDid:CNVD-2017-22827
Trust: 0.8
db:CNNVDid:CNNVD-201706-587
Trust: 0.8
db:JVNDBid:JVNDB-2017-007660
Trust: 0.8
db:IVDid:76D5E604-C8B4-41C9-80AB-9973DDACA935
Trust: 0.2
db:PACKETSTORMid:143897
Trust: 0.1
db:CXSECURITYid:WLB-2017080166
Trust: 0.1
db:ZSLid:ZSL-2017-5431
Trust: 0.1
db:AUSCERTid:ESB-2017.2113
Trust: 0.1
db:EXPLOIT-DBid:42543
Trust: 0.1
db:PACKETSTORMid:143896
Trust: 0.1
db:NVDid:CVE-2017-9640
Trust: 0.1
db:CXSECURITYid:WLB-2017080165
Trust: 0.1
db:ZSLid:ZSL-2017-5430
Trust: 0.1
db:CXSECURITYid:WLB-2017080167
Trust: 0.1
db:NVDid:CVE-2017-9644
Trust: 0.1
db:BIDid:100454
Trust: 0.1
db:EXPLOIT-DBid:42542
Trust: 0.1
db:PACKETSTORMid:143895
Trust: 0.1
db:ZSLid:ZSL-2017-5429
Trust: 0.1
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429 // 
            
            
            
            IVD: 76d5e604-c8b4-41c9-80ab-9973ddaca935 // 
            
            
            
            CNVD: CNVD-2017-22827 // 
            
            
            
            BID: 100452 // 
            
            
            
            JVNDB: JVNDB-2017-007660 // 
            
            
            
            CNNVD: CNNVD-201706-587 // 
            
            
            
            NVD: CVE-2017-9650

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-234-01
Trust: 3.6
url:http://www.securityfocus.com/bid/100452
Trust: 1.8
url:https://www.exploit-db.com/exploits/42544/
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-9650
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9650
Trust: 0.9
url:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9650
Trust: 0.6
url:http://www.automatedlogic.com/pages/security_commitment.aspx
Trust: 0.3
url:http://www.automatedlogic.com/specsheets/security_best_practices_checklists_for_building_automation_systems_(bas)pdf.pdf
Trust: 0.3
url:http://www.securityweek.com/automated-logic-patches-flaws-building-automation-system
Trust: 0.3
url:http://www.automatedlogic.com
Trust: 0.3
url:https://packetstormsecurity.com/files/143897
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2017080166
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/130767
Trust: 0.1
url:http://www.vfocus.net/art/20170824/13802.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-9640
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9640
Trust: 0.1
url:https://www.exploit-db.com/exploits/42543/
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2017080165
Trust: 0.1
url:https://packetstormsecurity.com/files/143896
Trust: 0.1
url:https://www.auscert.org.au/bulletins/51482
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/130766
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-9644
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9644
Trust: 0.1
url:https://packetstormsecurity.com/files/143895
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2017080167
Trust: 0.1
url:https://www.exploit-db.com/exploits/42542/
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/130760
Trust: 0.1
url:http://www.securityfocus.com/bid/100454
Trust: 0.1
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429 // 
            
            
            
            CNVD: CNVD-2017-22827 // 
            
            
            
            BID: 100452 // 
            
            
            
            JVNDB: JVNDB-2017-007660 // 
            
            
            
            CNNVD: CNNVD-201706-587 // 
            
            
            
            NVD: CVE-2017-9650

CREDITS
Vulnerability discovered by Gjoko Krstic
Trust: 0.3
sources:
            
            
            ZSL: ZSL-2017-5431 // 
            
            
            
            ZSL: ZSL-2017-5430 // 
            
            
            
            ZSL: ZSL-2017-5429

SOURCES
db:ZSLid:ZSL-2017-5431
db:ZSLid:ZSL-2017-5430
db:ZSLid:ZSL-2017-5429
db:IVDid:76d5e604-c8b4-41c9-80ab-9973ddaca935
db:CNVDid:CNVD-2017-22827
db:BIDid:100452
db:JVNDBid:JVNDB-2017-007660
db:CNNVDid:CNNVD-201706-587
db:NVDid:CVE-2017-9650

LAST UPDATE DATE
2025-04-20T23:04:20.679000+00:00

SOURCES UPDATE DATE
db:ZSLid:ZSL-2017-5431date:2017-08-28T00:00:00
db:ZSLid:ZSL-2017-5430date:2017-08-25T00:00:00
db:ZSLid:ZSL-2017-5429date:2017-08-25T00:00:00
db:CNVDid:CNVD-2017-22827date:2017-08-25T00:00:00
db:BIDid:100452date:2017-08-22T00:00:00
db:JVNDBid:JVNDB-2017-007660date:2017-09-28T00:00:00
db:CNNVDid:CNNVD-201706-587date:2019-10-17T00:00:00
db:NVDid:CVE-2017-9650date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:ZSLid:ZSL-2017-5431date:2017-08-22T00:00:00
db:ZSLid:ZSL-2017-5430date:2017-08-22T00:00:00
db:ZSLid:ZSL-2017-5429date:2017-08-22T00:00:00
db:IVDid:76d5e604-c8b4-41c9-80ab-9973ddaca935date:2017-08-25T00:00:00
db:CNVDid:CNVD-2017-22827date:2017-08-25T00:00:00
db:BIDid:100452date:2017-08-22T00:00:00
db:JVNDBid:JVNDB-2017-007660date:2017-09-28T00:00:00
db:CNNVDid:CNNVD-201706-587date:2017-06-15T00:00:00
db:NVDid:CVE-2017-9650date:2017-08-25T19:29:00.487