ID

VAR-201710-1116


CVE

CVE-2017-12730


TITLE

mySCADA myPRO Vulnerabilities related to unquoted search paths or elements

Trust: 0.8

sources: JVNDB: JVNDB-2017-009274

DESCRIPTION

An Unquoted Search Path issue was discovered in mySCADA myPRO Versions 7.0.26 and prior. Application services utilize unquoted search path elements, which could allow an attacker to execute arbitrary code with elevated privileges. mySCADA myPRO contains vulnerabilities related to unquoted search paths or elements. Information may be obtained or altered, and service operation may be disrupted (DoS). myPRO is an HMI/SCADA system for the visualization and control of industrial processes. mySCADA myPRO is prone to a local privilege-escalation vulnerability. mySCADA myPRO versions 7.0.26 and prior are vulnerable.

Trust: 2.61

sources: NVD: CVE-2017-12730 // JVNDB: JVNDB-2017-009274 // CNVD: CNVD-2017-26426 // BID: 100815 // IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959 // CNVD: CNVD-2017-26426

AFFECTED PRODUCTS

vendor: myscada, model: mypro, scope: lte, version: 7.0.26

Trust: 1.8

vendor: myscada, model: mypro, scope: eq, version: 7.0.26

Trust: 0.9

vendor: myscada, model: mypro, scope: lte, version: <=7.0.26

Trust: 0.6

vendor: myscada, model: mypro, scope: eq, version: 0

Trust: 0.3

vendor: mypro, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959 // CNVD: CNVD-2017-26426 // BID: 100815 // JVNDB: JVNDB-2017-009274 // CNNVD: CNNVD-201709-873 // NVD: CVE-2017-12730

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12730
value: HIGH

Trust: 1.0

NVD: CVE-2017-12730
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-26426
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201709-873
value: HIGH

Trust: 0.6

IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-12730
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-26426
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-12730
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959 // CNVD: CNVD-2017-26426 // JVNDB: JVNDB-2017-009274 // CNNVD: CNNVD-201709-873 // NVD: CVE-2017-12730

PROBLEMTYPE DATA

problemtype:CWE-428

Trust: 1.8

sources: JVNDB: JVNDB-2017-009274 // NVD: CVE-2017-12730

THREAT TYPE

local

Trust: 0.9

sources: BID: 100815 // CNNVD: CNNVD-201709-873

TYPE

Code problem

Trust: 0.8

sources: IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959 // CNNVD: CNNVD-201709-873

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009274

PATCH

title: myPRO, url: https://www.myscada.org/mypro/

Trust: 0.8

title: Patch for mySCADA myPRO privilege escalation vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/102111

Trust: 0.6

title: mySCADA myPRO Fixes for permission permissions and access control vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74978

Trust: 0.6

sources: CNVD: CNVD-2017-26426 // JVNDB: JVNDB-2017-009274 // CNNVD: CNNVD-201709-873

EXTERNAL IDS

db: NVD, id: CVE-2017-12730

Trust: 3.5

db: ICS CERT, id: ICSA-17-255-01

Trust: 3.3

db: BID, id: 100815

Trust: 1.9

db: CNVD, id: CNVD-2017-26426

Trust: 0.8

db: CNNVD, id: CNNVD-201709-873

Trust: 0.8

db: JVNDB, id: JVNDB-2017-009274

Trust: 0.8

db: IVD, id: 98037459-60AA-4D28-AD7C-D0EB6BECD959

Trust: 0.2

sources: IVD: 98037459-60aa-4d28-ad7c-d0eb6becd959 // CNVD: CNVD-2017-26426 // BID: 100815 // JVNDB: JVNDB-2017-009274 // CNNVD: CNNVD-201709-873 // NVD: CVE-2017-12730

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-255-01

Trust: 3.3

url:http://www.securityfocus.com/bid/100815

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12730

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12730

Trust: 0.8

url:https://www.myscada.org/mypro/

Trust: 0.3

sources: CNVD: CNVD-2017-26426 // BID: 100815 // JVNDB: JVNDB-2017-009274 // CNNVD: CNNVD-201709-873 // NVD: CVE-2017-12730

CREDITS

Karn Ganeshen.

Trust: 0.9

sources: BID: 100815 // CNNVD: CNNVD-201709-873

SOURCES

db: IVD, id: 98037459-60aa-4d28-ad7c-d0eb6becd959
db: CNVD, id: CNVD-2017-26426
db: BID, id: 100815
db: JVNDB, id: JVNDB-2017-009274
db: CNNVD, id: CNNVD-201709-873
db: NVD, id: CVE-2017-12730

LAST UPDATE DATE

2024-11-23T22:17:46.925000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-26426, date: 2017-09-13T00:00:00
db: BID, id: 100815, date: 2017-09-12T00:00:00
db: JVNDB, id: JVNDB-2017-009274, date: 2017-11-07T00:00:00
db: CNNVD, id: CNNVD-201709-873, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-12730, date: 2024-11-21T03:10:06.643

SOURCES RELEASE DATE

db: IVD, id: 98037459-60aa-4d28-ad7c-d0eb6becd959, date: 2017-09-13T00:00:00
db: CNVD, id: CNVD-2017-26426, date: 2017-09-13T00:00:00
db: BID, id: 100815, date: 2017-09-12T00:00:00
db: JVNDB, id: JVNDB-2017-009274, date: 2017-11-07T00:00:00
db: CNNVD, id: CNNVD-201709-873, date: 2017-09-21T00:00:00
db: NVD, id: CVE-2017-12730, date: 2017-10-06T04:29:00.217