ID

VAR-201401-0730


TITLE

Schneider Electric Accutech Manager RFManagerService SQL Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2014-00132

DESCRIPTION

Schneider Electric Accutech Manager is real-time monitoring and management software based on Windows services. It fails to properly filter input submitted to the RFManagerService service listening on port 2536, allowing remote attackers to submit specially crafted SQL queries that can obtain or manipulate database data. Accutech Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to Accutech Manager 2.00.4 are vulnerable.

Trust: 0.81

sources: CNVD: CNVD-2014-00132 // BID: 64684

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-00132

AFFECTED PRODUCTS

vendor: schneider, model: electric accutech manager, scope: eq, version: 2.x

Trust: 0.6

vendor: schneider electric, model: accutech manager, scope: eq, version: 2.00.2

Trust: 0.3

vendor: schneider electric, model: accutech manager, scope: ne, version: 2.0.4

Trust: 0.3

sources: CNVD: CNVD-2014-00132 // BID: 64684

CVSS

SEVERITY

CNVD: CNVD-2014-00132
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2014-00132
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2014-00132

THREAT TYPE

network

Trust: 0.3

sources: BID: 64684

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 64684

PATCH

title: Patch for Schneider Electric Accutech Manager RFManagerService SQL Injection Vulnerability, url: https://www.cnvd.org.cn/patchinfo/show/42197

Trust: 0.6

sources: CNVD: CNVD-2014-00132

EXTERNAL IDS

db: BID, id: 64684

Trust: 0.9

db: SCHNEIDER, id: SEVD-2013-352-01

Trust: 0.6

db: SECUNIA, id: 55832

Trust: 0.6

db: CNVD, id: CNVD-2014-00132

Trust: 0.6

sources: CNVD: CNVD-2014-00132 // BID: 64684

REFERENCES

url: http://download.schneider-electric.com/files?p_file_id=319573692&p_file_name=sevd-2013-352-01.pdf

Trust: 0.6

url: http://secunia.com/advisories/55832/

Trust: 0.6

url: http://www.hnqcms.com/

Trust: 0.3

sources: CNVD: CNVD-2014-00132 // BID: 64684

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 64684

SOURCES

db: CNVD, id: CNVD-2014-00132
db: BID, id: 64684

LAST UPDATE DATE

2022-05-17T02:01:13.147000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-00132, date: 2014-01-09T00:00:00
db: BID, id: 64684, date: 2013-12-18T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-00132, date: 2014-01-09T00:00:00
db: BID, id: 64684, date: 2013-12-18T00:00:00