Details of VAR-201708-1518

ID

VAR-201708-1518

CVE

CVE-2017-9941

TITLE

Siemens SiPass integrated Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-006973

DESCRIPTION

A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker in a Man-in-the-Middle position between the SiPass integrated server and SiPass integrated clients to read or modify the network communication. Siemens SiPass integrated Contains an access control vulnerability.Information may be obtained and information may be altered. The SiPass server is a component of the SiPass centralized access control system that receives the client's connection for communication. Siemens SiPass integrated is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. A privilege-escalation vulnerability 3. A man-in-the-middle security bypass vulnerability 4. An information-disclosure vulnerability An attacker may leverage these issues to disclose sensitive information, perform certain unauthorized actions by conducting a man-in-the-middle attack, gain unauthorized access or elevated privileges. Versions prior to SiPass integrated 2.70 are vulnerable. An attacker could exploit this vulnerability to read and alter network communications

Trust: 2.7

sources: NVD: CVE-2017-9941 // JVNDB: JVNDB-2017-006973 // CNVD: CNVD-2017-14602 // BID: 99578 // IVD: 776376b5-c94b-4524-9a3a-ecd13c2dfe59 // VULHUB: VHN-118144

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 776376b5-c94b-4524-9a3a-ecd13c2dfe59 // CNVD: CNVD-2017-14602

AFFECTED PRODUCTS

vendor:	siemens	model:	sipass integrated	scope:	lte	version:	2.65	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.70	Trust: 0.8
vendor:	siemens	model:	sipass integrated	scope:	lt	version:	2.70	Trust: 0.6
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.65	Trust: 0.6
vendor:	siemens	model:	sipass integrated mp2.6	scope:	-	version:	-	Trust: 0.3
vendor:	siemens	model:	sipass integrated mp2.5	scope:	-	version:	-	Trust: 0.3
vendor:	siemens	model:	sipass integrated mp2.4	scope:	-	version:	-	Trust: 0.3
vendor:	siemens	model:	sipass integrated	scope:	ne	version:	2.70	Trust: 0.3
vendor:	sipass integrated	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 776376b5-c94b-4524-9a3a-ecd13c2dfe59 // CNVD: CNVD-2017-14602 // BID: 99578 // JVNDB: JVNDB-2017-006973 // CNNVD: CNNVD-201707-605 // NVD: CVE-2017-9941

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-9941
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-9941
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-14602
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201707-605
value:	HIGH
Trust: 0.6
IVD:	776376b5-c94b-4524-9a3a-ecd13c2dfe59
value:	HIGH
Trust: 0.2
VULHUB:	VHN-118144
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-9941
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-14602
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	776376b5-c94b-4524-9a3a-ecd13c2dfe59
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-118144
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-9941
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: IVD: 776376b5-c94b-4524-9a3a-ecd13c2dfe59 // CNVD: CNVD-2017-14602 // VULHUB: VHN-118144 // JVNDB: JVNDB-2017-006973 // CNNVD: CNNVD-201707-605 // NVD: CVE-2017-9941

PROBLEMTYPE DATA

problemtype:	CWE-300	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-118144 // JVNDB: JVNDB-2017-006973 // NVD: CVE-2017-9941

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-605

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201707-605

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006973

PATCH

title:	SSA-339433	url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-339433.pdf	Trust: 0.8
title:	Siemens SiPass integrated patch for unauthorized operating vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/98175	Trust: 0.6
title:	Siemens SiPass integrated Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71719	Trust: 0.6

sources: CNVD: CNVD-2017-14602 // JVNDB: JVNDB-2017-006973 // CNNVD: CNNVD-201707-605

EXTERNAL IDS

db:	NVD	id:	CVE-2017-9941	Trust: 3.6
db:	SIEMENS	id:	SSA-339433	Trust: 2.6
db:	BID	id:	99578	Trust: 2.0
db:	CNNVD	id:	CNNVD-201707-605	Trust: 0.9
db:	CNVD	id:	CNVD-2017-14602	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-006973	Trust: 0.8
db:	ICS CERT	id:	ICSA-17-194-01	Trust: 0.3
db:	IVD	id:	776376B5-C94B-4524-9A3A-ECD13C2DFE59	Trust: 0.2
db:	VULHUB	id:	VHN-118144	Trust: 0.1

sources: IVD: 776376b5-c94b-4524-9a3a-ecd13c2dfe59 // CNVD: CNVD-2017-14602 // VULHUB: VHN-118144 // BID: 99578 // JVNDB: JVNDB-2017-006973 // CNNVD: CNNVD-201707-605 // NVD: CVE-2017-9941

REFERENCES

url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-339433.pdf	Trust: 2.6
url:	http://www.securityfocus.com/bid/99578	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9941	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9941	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-194-01	Trust: 0.3

sources: CNVD: CNVD-2017-14602 // VULHUB: VHN-118144 // BID: 99578 // JVNDB: JVNDB-2017-006973 // CNNVD: CNNVD-201707-605 // NVD: CVE-2017-9941

CREDITS

Siemens

Trust: 0.3

sources: BID: 99578

SOURCES

db:	IVD	id:	776376b5-c94b-4524-9a3a-ecd13c2dfe59
db:	CNVD	id:	CNVD-2017-14602
db:	VULHUB	id:	VHN-118144
db:	BID	id:	99578
db:	JVNDB	id:	JVNDB-2017-006973
db:	CNNVD	id:	CNNVD-201707-605
db:	NVD	id:	CVE-2017-9941

LAST UPDATE DATE

2024-11-23T21:53:48.780000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-14602	date:	2017-07-15T00:00:00
db:	VULHUB	id:	VHN-118144	date:	2019-10-09T00:00:00
db:	BID	id:	99578	date:	2017-07-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-006973	date:	2017-09-07T00:00:00
db:	CNNVD	id:	CNNVD-201707-605	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-9941	date:	2024-11-21T03:37:13.287

SOURCES RELEASE DATE

db:	IVD	id:	776376b5-c94b-4524-9a3a-ecd13c2dfe59	date:	2017-07-15T00:00:00
db:	CNVD	id:	CNVD-2017-14602	date:	2017-07-15T00:00:00
db:	VULHUB	id:	VHN-118144	date:	2017-08-08T00:00:00
db:	BID	id:	99578	date:	2017-07-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-006973	date:	2017-09-07T00:00:00
db:	CNNVD	id:	CNNVD-201707-605	date:	2017-07-14T00:00:00
db:	NVD	id:	CVE-2017-9941	date:	2017-08-08T00:29:00.447