ID

VAR-E-200711-0386


CVE

cve_id: CVE-2007-6033

Trust: 0.3

sources: BID: 26496

TITLE

Invensys Wonderware InTouch Default Universal NetDDE Share Privilege Escalation Vulnerability

Trust: 0.3

sources: BID: 26496

DESCRIPTION

Invensys Wonderware InTouch is prone to a privilege-escalation vulnerability because of poor default permissions on a NetDDE share.
Attackers can exploit this issue to execute arbitrary applications that accept NetDDE connections. This can compromise the application and possibly the underlying computer.
InTouch 8.0 is vulnerable.

Trust: 0.3

sources: BID: 26496

AFFECTED PRODUCTS

vendor: wonderware, model: intouch, scope: eq, version: 8.0

Trust: 0.3

sources: BID: 26496

EXPLOIT

To exploit this issue, an attacker can use readily available NetDDE utilities.

Trust: 0.3

sources: BID: 26496

PRICE

Free

Trust: 0.3

sources: BID: 26496

TYPE

Design Error

Trust: 0.3

sources: BID: 26496

CREDITS

Neutralbit, with assistance from Digital Bond, discovered this issue.

Trust: 0.3

sources: BID: 26496

EXTERNAL IDS

db: CERT/CC, id: VU#138633

Trust: 0.3

db: NVD, id: CVE-2007-6033

Trust: 0.3

db: BID, id: 26496

Trust: 0.3

sources: BID: 26496

REFERENCES

url: http://pacwest.wonderware.com/web/news/newsdetails.aspx?newsthreadid=2&newsid=201804

Trust: 0.3

url: http://us.wonderware.com/

Trust: 0.3

url: http://www.kb.cert.org/vuls/id/138633

Trust: 0.3

sources: BID: 26496

SOURCES

db: BID, id: 26496

LAST UPDATE DATE

2022-07-27T09:20:17.540000+00:00


SOURCES UPDATE DATE

db: BID, id: 26496, date: 2007-12-18T20:06:00

SOURCES RELEASE DATE

db: BID, id: 26496, date: 2007-11-19T00:00:00