Details of VAR-201505-0376

ID

VAR-201505-0376

CVE

CVE-2015-3610

TITLE

Siemens HomeControl for Room Automation for Android SSL Certificate man-in-the-middle attack vulnerability

Trust: 1.0

sources: IVD: 91ec9fbc-2351-11e6-abef-000c29c66e3d // IVD: 92660d4e-1e82-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02960

DESCRIPTION

The Siemens HomeControl for Room Automation application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information or modify data via a crafted certificate. Siemens HomeControl for Room Automation for Android is an Android-based in-house automation control software. The software supports remote control of indoor heating, ventilation and air conditioning systems, etc. The vulnerability stems from the fact that the program does not verify the X.509 certificate from the SSL server

Trust: 2.61

sources: NVD: CVE-2015-3610 // JVNDB: JVNDB-2015-002539 // CNVD: CNVD-2015-02960 // IVD: 91ec9fbc-2351-11e6-abef-000c29c66e3d // IVD: 92660d4e-1e82-11e6-abef-000c29c66e3d // VULHUB: VHN-81571

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 91ec9fbc-2351-11e6-abef-000c29c66e3d // IVD: 92660d4e-1e82-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02960

AFFECTED PRODUCTS

vendor:	siemens	model:	homecontrol for room automation	scope:	lte	version:	2.0.0	Trust: 1.0
vendor:	siemens	model:	android app homecontrol for room automation	scope:	lt	version:	2.0.1	Trust: 0.8
vendor:	siemens	model:	homecontrol for room automation for android	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	homecontrol for room automation	scope:	eq	version:	2.0.0	Trust: 0.6
vendor:	homecontrol for room automation	model:	-	scope:	eq	version:	*	Trust: 0.4

sources: IVD: 91ec9fbc-2351-11e6-abef-000c29c66e3d // IVD: 92660d4e-1e82-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02960 // JVNDB: JVNDB-2015-002539 // CNNVD: CNNVD-201505-049 // NVD: CVE-2015-3610

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-3610
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-3610
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-02960
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201505-049
value:	MEDIUM
Trust: 0.6
IVD:	91ec9fbc-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
IVD:	92660d4e-1e82-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-81571
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-3610
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-02960
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	91ec9fbc-2351-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	92660d4e-1e82-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-81571
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 91ec9fbc-2351-11e6-abef-000c29c66e3d // IVD: 92660d4e-1e82-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02960 // VULHUB: VHN-81571 // JVNDB: JVNDB-2015-002539 // CNNVD: CNNVD-201505-049 // NVD: CVE-2015-3610

PROBLEMTYPE DATA

problemtype:

CWE-310

Trust: 1.9

sources: VULHUB: VHN-81571 // JVNDB: JVNDB-2015-002539 // NVD: CVE-2015-3610

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201505-049

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201505-049

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002539

PATCH

title:	SSA-311412	url:	http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-311412.pdf	Trust: 0.8
title:	Siemens HomeControl for Room Automation for Android SSL Certificate Man-in-the-Middle Attack Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/58313	Trust: 0.6

sources: CNVD: CNVD-2015-02960 // JVNDB: JVNDB-2015-002539

EXTERNAL IDS

db:	NVD	id:	CVE-2015-3610	Trust: 3.5
db:	SIEMENS	id:	SSA-311412	Trust: 1.7
db:	CNNVD	id:	CNNVD-201505-049	Trust: 1.1
db:	CNVD	id:	CNVD-2015-02960	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-002539	Trust: 0.8
db:	OSVDB	id:	121603	Trust: 0.6
db:	IVD	id:	91EC9FBC-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	IVD	id:	92660D4E-1E82-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-81571	Trust: 0.1

REFERENCES

url:	http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-311412.pdf	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3610	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3610	Trust: 0.8
url:	http://osvdb.org/show/osvdb/121603	Trust: 0.6

sources: CNVD: CNVD-2015-02960 // VULHUB: VHN-81571 // JVNDB: JVNDB-2015-002539 // CNNVD: CNNVD-201505-049 // NVD: CVE-2015-3610

SOURCES

db:	IVD	id:	91ec9fbc-2351-11e6-abef-000c29c66e3d
db:	IVD	id:	92660d4e-1e82-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-02960
db:	VULHUB	id:	VHN-81571
db:	JVNDB	id:	JVNDB-2015-002539
db:	CNNVD	id:	CNNVD-201505-049
db:	NVD	id:	CVE-2015-3610

LAST UPDATE DATE

2025-04-12T22:59:26.942000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-02960	date:	2015-05-13T00:00:00
db:	VULHUB	id:	VHN-81571	date:	2015-05-07T00:00:00
db:	JVNDB	id:	JVNDB-2015-002539	date:	2015-05-08T00:00:00
db:	CNNVD	id:	CNNVD-201505-049	date:	2015-05-08T00:00:00
db:	NVD	id:	CVE-2015-3610	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	91ec9fbc-2351-11e6-abef-000c29c66e3d	date:	2015-05-13T00:00:00
db:	IVD	id:	92660d4e-1e82-11e6-abef-000c29c66e3d	date:	2015-05-13T00:00:00
db:	CNVD	id:	CNVD-2015-02960	date:	2015-05-13T00:00:00
db:	VULHUB	id:	VHN-81571	date:	2015-05-07T00:00:00
db:	JVNDB	id:	JVNDB-2015-002539	date:	2015-05-08T00:00:00
db:	CNNVD	id:	CNNVD-201505-049	date:	2015-05-08T00:00:00
db:	NVD	id:	CVE-2015-3610	date:	2015-05-07T10:59:00.093