VARIoT IoT vulnerabilities database
VAR-201112-0099 | CVE-2011-5009 |
3S CoDeSys CmpWebServer.dll Module Denial of Service Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0008, VAR-E-201111-0006, VAR-E-201111-0009, VAR-E-201111-0007 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The CmpWebServer.dll module in the Control service in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to cause a denial of service (NULL pointer dereference) via (1) a crafted Content-Length in an HTTP POST or (2) an invalid HTTP request method. CoDeSys Automation Suite is a comprehensive software tool for industrial automation technology. CoDeSys has multiple remote denial of service vulnerabilities in its implementation, which remote attackers can exploit to crash the application and deny service to legitimate users. The vulnerability exists in the CmpWebServer.dll module of the Control service in the 3S CoDeSys 3.4 SP4 Patch 2 release. CoDeSys is prone to multiple denial-of-service vulnerabilities.
----------------------------------------------------------------------
TITLE:
CoDeSys Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA47018
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47018/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47018
RELEASE DATE:
2011-12-01
DISCUSS ADVISORY:
http://secunia.com/advisories/47018/#comments
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in CoDeSys,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and compromise a vulnerable system.
1) An integer overflow error in the Gateway service when processing
certain requests can be exploited to cause a heap-based buffer
overflow via a specially crafted packet sent to TCP port 1217.
2) A boundary error in the Control service when processing web
requests can be exploited to cause a stack-based buffer overflow via
an overly long URL sent to TCP port 8080.
5) An error in the Control service when processing web requests
containing a non-existent directory can be exploited to create
arbitrary directories within the webroot via requests sent to TCP
port 8080.
Successful exploitation of vulnerabilities #1 and #2 allows execution
of arbitrary code.
The vulnerabilities are confirmed in version 3.4 SP4 Patch 2. Other
versions may also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/codesys_1-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-190001-0977 | No CVE | Check Point UTM-1 Edge and Safe Multiple Security Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Check Point UTM-1 Edge and Safe are security devices for small and medium-sized businesses. The WebUI provided by UTM-1 Edge and Safe@Office has multiple security vulnerabilities, allowing attackers to perform cross-site scripting, cross-site request forgery, information disclosure, and off-site redirection. The WebUI is prone to:
1. Multiple cross-site scripting vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. Multiple URI-redirection vulnerabilities
5. An information-disclosure vulnerability
An attacker may leverage these issues to access sensitive information, redirect an unsuspecting victim to an attacker-controlled site, or steal cookie-based authentication credentials, and so perform unauthorized actions in the context of a user's session.
VAR-190001-1140 | No CVE | Trendmicro IWSS Local Privilege Escalation Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Trendmicro IWSS provides dynamic, integrated security for enterprise networks at the gateway against Web-based attacks. Trendmicro IWSS has a security hole that allows an attacker to gain root access. The program "patchCmd" has the setuid and setgid bits set, allowing any user to execute it. The code calls setuid(0) before system(), so the command runs with ROOT permission regardless of the invoking user's own permissions. Depending on its input parameter, 'patchCmd' passes one of two scripts to system(): "./PatchExe.sh" or "./RollbackExe.sh". The "./" prefix means the scripts are executed from the current directory, so an attacker who runs the program from another path containing arbitrary scripts of those names gets them executed with ROOT privileges. Trendmicro IWSS is prone to a local privilege-escalation vulnerability.
Trendmicro IWSS 3.1 is vulnerable; other versions may also be affected
VAR-190001-1126 | No CVE | Tecomat Foxtrot Default Password Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Tecomat Foxtrot is a programmable controller for industrial control tasks. The application has 9 default users installed, each using a known default password:
user 0, password 0, role 0
user 1, password 1, role 1
user 2, password 2, role 2
user 3, password 3, role 3
user 4, password 4, role 4
user 5, password 5, role 5
user 6, password 6, role 6
user 7, password 7, role 7
user 8, password 8, role 8
user 9, password 9, role 9
Many PLC devices can be accessed remotely through these default passwords. Tecomat Foxtrot is prone to a security-bypass vulnerability.
Successful attacks can allow an attacker to gain access to the affected application using the default authentication credentials.
VAR-201305-0007 | CVE-2011-4519 | MICROSYS PROMOTIC ActiveX Component Stack Buffer Overflow Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to cause a denial of service via a crafted web page. MICROSYS PROMOTIC is SCADA software. PROMOTIC is prone to multiple security vulnerabilities.
Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information.
PROMOTIC 8.1.3 is vulnerable; other versions may also be affected
VAR-190001-0517 | No CVE | MiniWeb Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
MiniWeb is a micro web server for embedded applications, written in C. MiniWeb has a denial of service vulnerability. An attacker could exploit the vulnerability to cause the server to crash.
VAR-201201-0026 | CVE-2011-4529 |
Siemens Automation License Manager Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0076 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allow remote attackers to execute arbitrary code via a long serialid field in an _licensekey command, as demonstrated by the (1) check_licensekey or (2) read_licensekey command. The Siemens Automation License Manager is the authorization manager program for Siemens software. Some long fields can be used to trigger exceptions: "The exception unknown software exception (0xc0000417) occurred in the application at location 0x????????." This exception is caused by some functions using wcscpy_s to copy client-supplied values into a stack buffer. The get_target_ocx_param and send_target_ocx_param commands have a NULL pointer dereference error that can cause the service to crash.
Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. This vulnerability has been confirmed in the (1) check_licensekey or (2) read_licensekey command.
VAR-201201-0027 | CVE-2011-4530 |
Siemens Automation License Manager Buffer Overflow and Denial of Service Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201111-0076 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 does not properly copy fields obtained from clients, which allows remote attackers to cause a denial of service (exception and daemon crash) via long fields, as demonstrated by fields to the (1) open_session->workstation->NAME or (2) grant->VERSION function. The Siemens Automation License Manager is the authorization manager program for Siemens software. Some long fields can be used to trigger exceptions: "The exception unknown software exception (0xc0000417) occurred in the application at location 0x????????." This exception is caused by some functions using wcscpy_s to copy client-supplied values into a stack buffer. The get_target_ocx_param and send_target_ocx_param commands have a NULL pointer dereference error that can cause the service to crash.
Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. This vulnerability has been confirmed in the (1) open_session->workstation->NAME or (2) grant->VERSION function.
VAR-201201-0028 | CVE-2011-4531 |
Siemens Automation License Manager Buffer Overflow and Denial of Service Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201111-0076 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted content in a (1) get_target_ocx_param or (2) send_target_ocx_param command. The Siemens Automation License Manager is the authorization manager program for Siemens software. Some long fields can be used to trigger exceptions: "The exception unknown software exception (0xc0000417) occurred in the application at location 0x????????." This exception is caused by some functions using wcscpy_s to copy client-supplied values into a stack buffer.
Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.
VAR-201201-0029 | CVE-2011-4532 |
Siemens Automation License Manager 'almaxcx.dll' ActiveX Arbitrary File Overwrite Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0076 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in the ALMListView.ALMListCtrl ActiveX control in almaxcx.dll in the graphical user interface in Siemens Automation License Manager (ALM) 2.0 through 5.1+SP1+Upd2 allows remote attackers to overwrite arbitrary files via the Save method. The Siemens Automation License Manager is the authorization manager program for Siemens software. The Save method provided by the almaxcx.dll ActiveX control (ALMListView.ALMListCtrl, CLSID E57AF4A2-EF57-41D0-8512-FECDA78F1FE7) accepts any file name as the save target. An attacker could construct a malicious web page and entice a user into visiting it in order to overwrite arbitrary files.
VAR-201201-0166 | CVE-2011-4055 | Siemens Tecnomatix FactoryLink ActiveX Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in the WebClient ActiveX control in Siemens Tecnomatix FactoryLink 6.6.1 (aka 6.6 SP1), 7.5.217 (aka 7.5 SP2), and 8.0.2.54 allows remote attackers to execute arbitrary code via a long string in a parameter associated with the location URL. Siemens Tecnomatix FactoryLink is industrial automation software used to supervise, manage and control industrial processes. Siemens Tecnomatix FactoryLink ActiveX is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code within the context of the application using the vulnerable control (typically Internet Explorer).
The following Siemens Tecnomatix FactoryLink versions are vulnerable:
V8.0.2.54
V7.5.217 (V7.5 SP2)
V6.6.1 (V6.6 SP1)
VAR-201201-0167 | CVE-2011-4056 | Siemens Tecnomatix FactoryLink ActiveX Arbitrary File Overwrite Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
An unspecified ActiveX control in ActBar.ocx in Siemens Tecnomatix FactoryLink 6.6.1 (aka 6.6 SP1), 7.5.217 (aka 7.5 SP2), and 8.0.2.54 allows remote attackers to create or overwrite arbitrary files via the save method. Siemens Tecnomatix FactoryLink is industrial automation software used to supervise, manage and control industrial processes. The Siemens Tecnomatix FactoryLink ActiveX control has a security vulnerability: by submitting arbitrary data, files can be saved to any specified location on the target system, and system files can be overwritten.
The following Siemens Tecnomatix FactoryLink versions are vulnerable:
V8.0.2.54
V7.5.217 (V7.5 SP2)
V6.6.1 (V6.6 SP1)
VAR-201202-0162 | CVE-2011-4875 |
Siemens SIMATIC WinCC Flexible Runtime 'HmiLoad.exe' Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0178 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute arbitrary code via vectors related to Unicode strings. Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request that makes the server access an illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad has multiple security vulnerabilities that allow an attacker to stop or crash the service in multiple ways. Siemens SIMATIC is automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When Transfer Mode is enabled, the runtime loader listens on port 2308/TCP or 50523/TCP. Data with an incorrect segment length or Unicode string can trigger a stack overflow, leading to arbitrary code execution. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory.
Attackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible
VAR-201202-0163 | CVE-2011-4876 |
Multiple Siemens Products HmiLoad Directory Traversal Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0178 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string. The HmiLoad runtime loader in multiple Siemens products has a directory traversal vulnerability when Transfer Mode is enabled: a third party may execute, read, create, modify, or delete arbitrary files via strings containing .. (dot dot). Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request that makes the server access an illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad's functions for reading data and Unicode strings have stack-based buffer overflows, allowing an attacker to execute arbitrary code. HmiLoad has multiple security vulnerabilities that allow an attacker to stop or crash the service in multiple ways. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory. Siemens SIMATIC is automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When Transfer Mode is enabled, the runtime loader listens on port 2308/TCP or 50523/TCP but does not validate the submitted string, allowing an attacker to read and write any file in the file system.
Attackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible.
----------------------------------------------------------------------
TITLE:
Siemens SIMATIC WinCC Flexible HMI Miniweb Two Vulnerabilities
SECUNIA ADVISORY ID:
SA46997
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46997/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46997
RELEASE DATE:
2011-11-30
DISCUSS ADVISORY:
http://secunia.com/advisories/46997/#comments
DESCRIPTION:
Luigi Auriemma has discovered two vulnerabilities in Siemens SIMATIC
WinCC Flexible, which can be exploited by malicious people to
disclose potentially sensitive information and cause a DoS (Denial of
Service).
1) An input sanitisation error in Miniweb.exe when handling HTTP GET
requests can be exploited to download arbitrary files via directory
traversal attacks sent in a web request.
2) An input validation error in Miniweb.exe when handling HTTP POST
requests can be exploited to crash the process via specially crafted
content sent in a web request.
The vulnerabilities are confirmed in version 2008 SP2 Upd13
(K01.03.02.13_01.02.00.01). Other versions may also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/winccflex_1-adv.txt
----------------------------------------------------------------------
VAR-201202-0164 | CVE-2011-4877 |
Multiple Siemens Products HmiLoad Denial of Service (Application Crash) Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0178 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to cause a denial of service (application crash) by sending crafted data over TCP. Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request that makes the server access an illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad's functions for reading data and Unicode strings have stack-based buffer overflows, allowing an attacker to execute arbitrary code. Siemens SIMATIC is automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When Transfer Mode is enabled, the runtime loader listens on port 2308/TCP or 50523/TCP. Since incoming data is not fully validated, there are multiple denial of service conditions that can crash the program. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory.
Attackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible.
VAR-201202-0043 | CVE-2011-4508 | Multiple Siemens Products HMI Web Server Authentication Bypass Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie. The HMI web server in multiple Siemens products generates predictable authentication tokens for cookies, which allows authentication to be bypassed: a third party may bypass authentication via a crafted cookie. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. Multiple Siemens SIMATIC products have security vulnerabilities: the insecure generation of authentication tokens (guessable session cookies) allows an attacker to bypass authentication checks and escalate privileges without a username and password.
An attacker can exploit these issues to bypass intended security restrictions and gain access to the affected application. Successfully exploiting these issues may lead to further attacks. The Siemens SIMATIC HMI product family is used as the human-machine interface between the corresponding PLC and the operator
VAR-201202-0044 | CVE-2011-4509 | Multiple Siemens Products HMI Web Server Default Password Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime has an improperly selected default password for the administrator account, which makes it easier for remote attackers to obtain access via a brute-force approach involving many HTTP requests. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A default management password exists in multiple Siemens SIMATIC products. The default account and password for the web interface are "Administrator: 100", and the password "100" can also be used for the VNC service. If the user sets a password containing special characters, the system resets the password to "100". The following products are affected by this vulnerability:
SIMATIC WinCC Flexible 2004 through 2008 SP2
SIMATIC WinCC V11, V11 SP1, and V11 SP2
SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels
Successful exploits allow an attacker to log in to the affected system with user or administrator privileges.
An attacker can exploit these issues to bypass intended security restrictions and gain access to the affected application. Successfully exploiting these issues may lead to further attacks. The Siemens SIMATIC HMI product family is used as the human-machine interface between the corresponding PLC and the operator
VAR-201204-0173 | CVE-2012-0221 |
Rockwell Automation Allen-Bradley FactoryTalk Input validation vulnerability
Related entries in the VARIoT exploits database: VAR-E-201201-0167 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Allen-Bradley FactoryTalk CPR9 through SR5 and RSLogix 5000 17 through 20 does not properly handle the return value from an unspecified function, which allows remote attackers to cause a denial of service (service outage) via a crafted packet. Rockwell Automation is a provider of industrial automation, control and information technology solutions. Rockwell Automation FactoryTalk Activation Server RNADiagReceiver mishandles packets: submitting a packet containing more than 2000 bytes to UDP port 4445 can prevent any subsequent connections.
An attacker can exploit these issues to crash the affected application, denying service to legitimate users
VAR-201204-0174 | CVE-2012-0222 |
Rockwell Automation Allen-Bradley FactoryTalk Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201201-0167 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Allen-Bradley FactoryTalk CPR9 through SR5 and RSLogix 5000 17 through 20 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted packet. Rockwell Automation is a provider of industrial automation, control and information technology solutions. Rockwell Automation FactoryTalk Activation Server RNADiagReceiver mishandles packets: submitting a packet containing more than 2000 bytes to UDP port 4445 can prevent any subsequent connections.
An attacker can exploit these issues to crash the affected application, denying service to legitimate users
VAR-201201-0146 | CVE-2012-0929 |
Schneider Electric Modicon Quantum Multiple Security Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201201-0278 |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Multiple buffer overflows in Schneider Electric Modicon Quantum PLC allow remote attackers to cause a denial of service via malformed requests to the (1) FTP server or (2) HTTP server. Schneider Electric Modicon Quantum is an automation control platform with a full range of processors for complex process control and infrastructure. (2) There is a backdoor account that allows access to the system with user or administrator privileges. (5) There is also a cross-site scripting vulnerability. Schneider Electric Modicon Quantum is prone to multiple vulnerabilities including:
1. A remote code-execution vulnerability.
2. Multiple buffer-overflow vulnerabilities.
3. A security-bypass vulnerability.
4. A cross site-scripting vulnerability.
Attackers can exploit these issues to execute arbitrary code in the context of the affected application, cause denial-of-service conditions, bypass some security restrictions, allow an attacker to steal cookie-based information, or execute script code in the context of the browser of an unsuspecting user; other attacks may also be possible.
----------------------------------------------------------------------
TITLE:
Schneider Electric Modicon Quantum Cross-Site Scripting and Buffer
Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA47723
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47723/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47723
RELEASE DATE:
2012-01-23
DISCUSS ADVISORY:
http://secunia.com/advisories/47723/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Schneider Electric
Modicon Quantum Series Modules, which can be exploited by malicious
people to conduct cross-site scripting attacks and cause a DoS
(Denial of Service).
1) Certain unspecified input is not properly sanitised before being
returned to the user.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Ruben Santamarta via Digital Bond's SCADA Security
Scientific Symposium (S4).
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-03.pdf
----------------------------------------------------------------------