Details of VAR-201508-0289

ID

VAR-201508-0289

CVE

CVE-2015-5084

TITLE

Siemens SIMATIC WinCC Sm@rtClient for Android Password Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: 808c3b06-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04982

DESCRIPTION

The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically proximate attackers to obtain sensitive information via unspecified vectors. Siemens SIMATIC WinCC Sm@rtClient for Android is a client program on Android. Siemens SIMATIC is an automation software in a single engineering environment. Multiple Siemens products are prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to disclose sensitive information. Information obtained may lead to further attacks. Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications for Android are a set of client applications based on the Android platform of Siemens, Germany, which provide remote mobile operation and observation of the SIMATIC HMI system. The vulnerability stems from the fact that the program does not store passwords correctly

Trust: 2.7

sources: NVD: CVE-2015-5084 // JVNDB: JVNDB-2015-003966 // CNVD: CNVD-2015-04982 // BID: 75981 // IVD: 808c3b06-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-83045

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 808c3b06-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04982

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic wincc sm\@rtclient	scope:	lte	version:	1.0	Trust: 1.0
vendor:	siemens	model:	simatic wincc sm\@rtclient lite	scope:	lte	version:	1.0	Trust: 1.0
vendor:	siemens	model:	simatic wincc sm@rtclient	scope:	lt	version:	01.00.01.00 (android)	Trust: 0.8
vendor:	siemens	model:	simatic wincc sm@rtclient lite	scope:	lt	version:	01.00.01.00 (android)	Trust: 0.8
vendor:	siemens	model:	simatic wincc sm@rtclient for android	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	simatic wincc sm\@rtclient lite	scope:	eq	version:	1.0	Trust: 0.6
vendor:	siemens	model:	simatic wincc sm\@rtclient	scope:	eq	version:	1.0	Trust: 0.6
vendor:	siemens	model:	simatic wincc smartclient lite for android	scope:	eq	version:	01.00.00.00	Trust: 0.3
vendor:	siemens	model:	simatic wincc smartclient for android	scope:	eq	version:	01.00.00.00	Trust: 0.3
vendor:	siemens	model:	simatic wincc smartclient lite for android	scope:	ne	version:	01.00.01.00	Trust: 0.3
vendor:	siemens	model:	simatic wincc smartclient for android	scope:	ne	version:	01.00.01.00	Trust: 0.3
vendor:	simatic wincc sm rtclient	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	simatic wincc sm rtclient lite	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 808c3b06-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04982 // BID: 75981 // JVNDB: JVNDB-2015-003966 // CNNVD: CNNVD-201507-745 // NVD: CVE-2015-5084

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-5084
value:	LOW
Trust: 1.0
NVD:	CVE-2015-5084
value:	LOW
Trust: 0.8
CNVD:	CNVD-2015-04982
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201507-745
value:	LOW
Trust: 0.6
IVD:	808c3b06-2351-11e6-abef-000c29c66e3d
value:	LOW
Trust: 0.2
VULHUB:	VHN-83045
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2015-5084
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-04982
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	808c3b06-2351-11e6-abef-000c29c66e3d
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-83045
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 808c3b06-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04982 // VULHUB: VHN-83045 // JVNDB: JVNDB-2015-003966 // CNNVD: CNNVD-201507-745 // NVD: CVE-2015-5084

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-83045 // JVNDB: JVNDB-2015-003966 // NVD: CVE-2015-5084

THREAT TYPE

local

Trust: 0.9

sources: BID: 75981 // CNNVD: CNNVD-201507-745

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201507-745

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003966

PATCH

title:	SSA-267489	url:	http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-267489.pdf	Trust: 0.8
title:	Siemens SIMATIC WinCC Sm@rtClient for Android password information disclosure vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/61673	Trust: 0.6

sources: CNVD: CNVD-2015-04982 // JVNDB: JVNDB-2015-003966

EXTERNAL IDS

db:	NVD	id:	CVE-2015-5084	Trust: 3.6
db:	ICS CERT	id:	ICSA-15-202-02	Trust: 2.8
db:	BID	id:	75981	Trust: 2.6
db:	SIEMENS	id:	SSA-267489	Trust: 2.3
db:	SECTRACK	id:	1033021	Trust: 1.1
db:	CNNVD	id:	CNNVD-201507-745	Trust: 0.9
db:	CNVD	id:	CNVD-2015-04982	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-003966	Trust: 0.8
db:	IVD	id:	808C3B06-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-83045	Trust: 0.1

sources: IVD: 808c3b06-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04982 // VULHUB: VHN-83045 // BID: 75981 // JVNDB: JVNDB-2015-003966 // CNNVD: CNNVD-201507-745 // NVD: CVE-2015-5084

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-202-02	Trust: 2.8
url:	http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-267489.pdf	Trust: 2.3
url:	http://www.securityfocus.com/bid/75981	Trust: 1.7
url:	http://www.securitytracker.com/id/1033021	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5084	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5084	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3
url:	http://w3.siemens.com/topics/global/en/industry/future-of-manufacturing/industry-apps/wincc-smartclient/pages/simatic-wincc-smartclient.aspx	Trust: 0.3

sources: CNVD: CNVD-2015-04982 // VULHUB: VHN-83045 // BID: 75981 // JVNDB: JVNDB-2015-003966 // CNNVD: CNNVD-201507-745 // NVD: CVE-2015-5084

CREDITS

Karsten Sohr from Universit?t Bremen and Stephan Huber from Fraunhofer SIT

Trust: 0.6

sources: CNNVD: CNNVD-201507-745

SOURCES

db:	IVD	id:	808c3b06-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-04982
db:	VULHUB	id:	VHN-83045
db:	BID	id:	75981
db:	JVNDB	id:	JVNDB-2015-003966
db:	CNNVD	id:	CNNVD-201507-745
db:	NVD	id:	CVE-2015-5084

LAST UPDATE DATE

2025-04-13T23:23:43.799000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-04982	date:	2015-07-29T00:00:00
db:	VULHUB	id:	VHN-83045	date:	2017-09-21T00:00:00
db:	BID	id:	75981	date:	2015-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2015-003966	date:	2015-08-04T00:00:00
db:	CNNVD	id:	CNNVD-201507-745	date:	2015-08-03T00:00:00
db:	NVD	id:	CVE-2015-5084	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	808c3b06-2351-11e6-abef-000c29c66e3d	date:	2015-07-29T00:00:00
db:	CNVD	id:	CNVD-2015-04982	date:	2015-07-28T00:00:00
db:	VULHUB	id:	VHN-83045	date:	2015-08-03T00:00:00
db:	BID	id:	75981	date:	2015-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2015-003966	date:	2015-08-04T00:00:00
db:	CNNVD	id:	CNNVD-201507-745	date:	2015-07-24T00:00:00
db:	NVD	id:	CVE-2015-5084	date:	2015-08-03T01:59:00.090