ID

VAR-201504-0079


CVE

CVE-2015-0993


TITLE

Inductive Automation Ignition Invalid Session Expiration Vulnerability

Trust: 0.8

sources: IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02156

DESCRIPTION

Inductive Automation Ignition 7.7.2 does not terminate a session upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation. Supplementary information: the CWE vulnerability type has been identified as CWE-254: Security Features. http://cwe.mitre.org/data/definitions/254.html A third party may be able to bypass access restrictions by using an unattended workstation. Ignition is an updated version of FactoryPMI, Human Interface/SCADA, from Inductive Automation. Ignition does not delete the session after the user quits, which allows the attacker to reuse the current session. Successful exploits may allow an attacker to gain unauthorized access to the affected application.

Trust: 2.7

sources: NVD: CVE-2015-0993 // JVNDB: JVNDB-2015-002072 // CNVD: CNVD-2015-02156 // BID: 73474 // IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d // VULMON: CVE-2015-0993

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02156

AFFECTED PRODUCTS

vendor: inductiveautomation, model: ignition, scope: eq, version: 7.7.2

Trust: 1.6

vendor: inductive, model: automation ignition, scope: eq, version: 7.7.2

Trust: 0.9

vendor: inductive automation, model: ignition, scope: eq, version: 7.7.2

Trust: 0.8

vendor: ignition, model: -, scope: eq, version: 7.7.2

Trust: 0.2

sources: IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02156 // BID: 73474 // JVNDB: JVNDB-2015-002072 // CNNVD: CNNVD-201504-054 // NVD: CVE-2015-0993

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0993
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-0993
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-02156
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201504-054
value: MEDIUM

Trust: 0.6

IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULMON: CVE-2015-0993
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-0993
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2015-02156
severity: MEDIUM
baseScore: 5.0
vectorString: AV:A/AC:H/AU:S/C:P/I:C/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 2.5
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:A/AC:H/AU:S/C:P/I:C/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 2.5
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02156 // VULMON: CVE-2015-0993 // JVNDB: JVNDB-2015-002072 // CNNVD: CNNVD-201504-054 // NVD: CVE-2015-0993

PROBLEMTYPE DATA

problemtype:CWE-254

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-002072 // NVD: CVE-2015-0993

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201504-054

TYPE

Design Error

Trust: 0.3

sources: BID: 73474

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002072

PATCH

title: Downloads, url: https://www.inductiveautomation.com/downloads/ignition

Trust: 0.8

title: Inductive Automation Ignition invalid session expiration vulnerability patch, url: https://www.cnvd.org.cn/patchInfo/show/56895

Trust: 0.6

sources: CNVD: CNVD-2015-02156 // JVNDB: JVNDB-2015-002072

EXTERNAL IDS

db: NVD, id: CVE-2015-0993

Trust: 3.6

db: ICS CERT, id: ICSA-15-090-01

Trust: 3.4

db: CNVD, id: CNVD-2015-02156

Trust: 0.8

db: CNNVD, id: CNNVD-201504-054

Trust: 0.8

db: JVNDB, id: JVNDB-2015-002072

Trust: 0.8

db: BID, id: 73474

Trust: 0.4

db: IVD, id: 98E5F1BA-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULMON, id: CVE-2015-0993

Trust: 0.1

sources: IVD: 98e5f1ba-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02156 // VULMON: CVE-2015-0993 // BID: 73474 // JVNDB: JVNDB-2015-002072 // CNNVD: CNNVD-201504-054 // NVD: CVE-2015-0993

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-15-090-01

Trust: 3.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0993

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0993

Trust: 0.8

url:https://www.inductiveautomation.com/downloads/ignition

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/254.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.securityfocus.com/bid/73474

Trust: 0.1

url:https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms16-036

Trust: 0.1

sources: CNVD: CNVD-2015-02156 // VULMON: CVE-2015-0993 // BID: 73474 // JVNDB: JVNDB-2015-002072 // CNNVD: CNNVD-201504-054 // NVD: CVE-2015-0993

CREDITS

Evgeny Druzhinin, Alexey Osipov, Ilya Karpov, and Gleb Gritsai of Positive Technologies

Trust: 0.3

sources: BID: 73474

SOURCES

db: IVD, id: 98e5f1ba-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2015-02156
db: VULMON, id: CVE-2015-0993
db: BID, id: 73474
db: JVNDB, id: JVNDB-2015-002072
db: CNNVD, id: CNNVD-201504-054
db: NVD, id: CVE-2015-0993

LAST UPDATE DATE

2025-04-12T23:04:45.350000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-02156, date: 2015-04-03T00:00:00
db: VULMON, id: CVE-2015-0993, date: 2015-04-03T00:00:00
db: BID, id: 73474, date: 2015-03-31T00:00:00
db: JVNDB, id: JVNDB-2015-002072, date: 2015-04-07T00:00:00
db: CNNVD, id: CNNVD-201504-054, date: 2015-04-07T00:00:00
db: NVD, id: CVE-2015-0993, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: 98e5f1ba-2351-11e6-abef-000c29c66e3d, date: 2015-04-03T00:00:00
db: CNVD, id: CNVD-2015-02156, date: 2015-04-03T00:00:00
db: VULMON, id: CVE-2015-0993, date: 2015-04-03T00:00:00
db: BID, id: 73474, date: 2015-03-31T00:00:00
db: JVNDB, id: JVNDB-2015-002072, date: 2015-04-07T00:00:00
db: CNNVD, id: CNNVD-201504-054, date: 2015-04-07T00:00:00
db: NVD, id: CVE-2015-0993, date: 2015-04-03T10:59:15.427