ID

VAR-201212-0030


CVE

CVE-2012-4688


TITLE

Authentication bypass vulnerability in the Central application of i-GEN opLYNX

Trust: 0.8

sources: JVNDB: JVNDB-2012-005845

DESCRIPTION

The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support. i-GEN is a human machine interface (HMI) and SCADA software. opLYNX Central is a web-based application, typically deployed at the Canadian Energy Agency. opLYNX is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication process and gain unauthorized access to the system. Successfully exploiting this issue may lead to further attacks. opLYNX versions prior to 2.01.9 are vulnerable.

TITLE: i-GEN opLYNX Central Application Authentication Bypass Vulnerability

SECUNIA ADVISORY ID: SA51673

VERIFY ADVISORY: http://secunia.com/advisories/51673/

RELEASE DATE: 2012-12-28

DESCRIPTION: A vulnerability has been reported in i-GEN opLYNX, which can be exploited by malicious people to bypass certain security restrictions.

SOLUTION: Update to version 2.01.9.

PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Anthony Cicalla.

ORIGINAL ADVISORY: ICSA-12-362-01: http://www.us-cert.gov/control_systems/pdf/ICSA-12-362-01.pdf

Trust: 2.7

sources: NVD: CVE-2012-4688 // JVNDB: JVNDB-2012-005845 // CNVD: CNVD-2012-9512 // BID: 57059 // IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d // PACKETSTORM: 119141

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-9512

AFFECTED PRODUCTS

vendor: i gen, model: oplynx, scope: lte, version: 2.01.8

Trust: 1.0

vendor: i gen, model: oplynx, scope: lt, version: 2.01.9

Trust: 0.8

vendor: i gen, model: oplynx, scope: eq, version: 2.x

Trust: 0.6

vendor: i gen, model: oplynx, scope: eq, version: 2.01.8

Trust: 0.6

vendor: i gen, model: solutions oplynx, scope: eq, version: 2.1.8

Trust: 0.3

vendor: i gen, model: solutions oplynx, scope: ne, version: 2.1.9

Trust: 0.3

vendor: oplynx, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-9512 // BID: 57059 // JVNDB: JVNDB-2012-005845 // CNNVD: CNNVD-201212-386 // NVD: CVE-2012-4688

CVSS

SEVERITY

CVSSV2

CVSSV3

ics-cert@hq.dhs.gov: CVE-2012-4688
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2012-4688
value: HIGH

Trust: 1.0

NVD: CVE-2012-4688
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201212-386
value: HIGH

Trust: 0.6

IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

ics-cert@hq.dhs.gov: CVE-2012-4688
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.8

IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d // JVNDB: JVNDB-2012-005845 // CNNVD: CNNVD-201212-386 // NVD: CVE-2012-4688 // NVD: CVE-2012-4688

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

problemtype:CWE-592

Trust: 1.0

sources: JVNDB: JVNDB-2012-005845 // NVD: CVE-2012-4688

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201212-386

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201212-386

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-005845

PATCH

title: opLYNX, url: http://www.i-gen.com/products_oplynx.html

Trust: 0.8

title: Patch for the opLYNX authentication bypass vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/27074

Trust: 0.6

sources: CNVD: CNVD-2012-9512 // JVNDB: JVNDB-2012-005845

EXTERNAL IDS

db: NVD, id: CVE-2012-4688

Trust: 3.5

db: ICS CERT, id: ICSA-12-362-01

Trust: 2.8

db: SECUNIA, id: 51673

Trust: 1.4

db: CNVD, id: CNVD-2012-9512

Trust: 0.8

db: CNNVD, id: CNNVD-201212-386

Trust: 0.8

db: JVNDB, id: JVNDB-2012-005845

Trust: 0.8

db: BID, id: 57059

Trust: 0.3

db: IVD, id: 2A8F6776-2353-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: PACKETSTORM, id: 119141

Trust: 0.1

sources: IVD: 2a8f6776-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-9512 // BID: 57059 // PACKETSTORM: 119141 // JVNDB: JVNDB-2012-005845 // CNNVD: CNNVD-201212-386 // NVD: CVE-2012-4688

REFERENCES

url:http://www.us-cert.gov/control_systems/pdf/icsa-12-362-01.pdf

Trust: 2.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-12-362-01

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4688

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4688

Trust: 0.8

url:http://secunia.com/advisories/51673/http

Trust: 0.6

url:http://secunia.com/advisories/51673

Trust: 0.6

url:http://www.i-gen.com/index.html

Trust: 0.3

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=51673

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/51673/#comments

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/blog/325/

Trust: 0.1

url:http://secunia.com/advisories/51673/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2012-9512 // BID: 57059 // PACKETSTORM: 119141 // JVNDB: JVNDB-2012-005845 // CNNVD: CNNVD-201212-386 // NVD: CVE-2012-4688

CREDITS

Anthony Cicalla

Trust: 0.3

sources: BID: 57059

SOURCES

db: IVD, id: 2a8f6776-2353-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2012-9512
db: BID, id: 57059
db: PACKETSTORM, id: 119141
db: JVNDB, id: JVNDB-2012-005845
db: CNNVD, id: CNNVD-201212-386
db: NVD, id: CVE-2012-4688

LAST UPDATE DATE

2025-07-12T23:23:39.091000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2012-9512, date: 2013-05-27T00:00:00
db: BID, id: 57059, date: 2012-12-27T00:00:00
db: JVNDB, id: JVNDB-2012-005845, date: 2013-01-04T00:00:00
db: CNNVD, id: CNNVD-201212-386, date: 2013-01-08T00:00:00
db: NVD, id: CVE-2012-4688, date: 2025-07-10T17:15:29.757

SOURCES RELEASE DATE

db: IVD, id: 2a8f6776-2353-11e6-abef-000c29c66e3d, date: 2013-01-04T00:00:00
db: CNVD, id: CNVD-2012-9512, date: 2013-01-04T00:00:00
db: BID, id: 57059, date: 2012-12-27T00:00:00
db: PACKETSTORM, id: 119141, date: 2012-12-29T08:42:53
db: JVNDB, id: JVNDB-2012-005845, date: 2013-01-04T00:00:00
db: CNNVD, id: CNNVD-201212-386, date: 2012-12-28T00:00:00
db: NVD, id: CVE-2012-4688, date: 2012-12-31T11:50:27.220