Details of VAR-201511-0019

ID

VAR-201511-0019

CVE

CVE-2015-7913

TITLE

Tibbo AggreGate of AggreGate Server Service of ag_server_service.exe In any Java Code execution vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-006004

DESCRIPTION

ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows local users to execute arbitrary Java code with SYSTEM privileges by using the Apache Axis AdminService deployment method to publish a class. Supplementary information : CWE Vulnerability type by CWE-434: Unrestricted Upload of File with Dangerous Type ( Unlimited upload of dangerous types of files ) Has been identified. This vulnerability allows attackers to elevate privileges on vulnerable installations of Tibbo AggreGate SCADA/HMI. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. Tibbo Technology AggreGate is a set of IoT platforms that Tibbo Technology uses to configure and monitor different electronic devices through network technology. AggreGate Platform is prone to multiple arbitrary file-upload vulnerabilities

Trust: 3.6

sources: NVD: CVE-2015-7913 // JVNDB: JVNDB-2015-006004 // ZDI: ZDI-15-572 // CNVD: CNVD-2015-07767 // CNNVD: CNNVD-201511-387 // BID: 77658

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-07767

AFFECTED PRODUCTS

vendor:	tibbo	model:	aggregate	scope:	lte	version:	5.21.02	Trust: 1.0
vendor:	tibbo	model:	aggregate	scope:	lt	version:	(scada/hmi) 5.30.06	Trust: 0.8
vendor:	tibbo	model:	aggregate scada/hmi	scope:	-	version:	-	Trust: 0.7
vendor:	tibbo	model:	technology aggregate platform	scope:	lt	version:	5.30.06	Trust: 0.6
vendor:	tibbo	model:	aggregate	scope:	eq	version:	5.21.02	Trust: 0.6

sources: ZDI: ZDI-15-572 // CNVD: CNVD-2015-07767 // JVNDB: JVNDB-2015-006004 // CNNVD: CNNVD-201511-387 // NVD: CVE-2015-7913

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7913
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-7913
value:	HIGH
Trust: 0.8
ZDI:	CVE-2015-7913
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2015-07767
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201511-387
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2015-7913
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
CNVD:	CNVD-2015-07767
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: ZDI: ZDI-15-572 // CNVD: CNVD-2015-07767 // JVNDB: JVNDB-2015-006004 // CNNVD: CNNVD-201511-387 // NVD: CVE-2015-7913

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2015-006004 // NVD: CVE-2015-7913

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201511-387

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 77658

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006004

PATCH

title:	AggreGate	url:	http://aggregate.tibbo.com/	Trust: 0.8
title:	Tibbo has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-15-323-01	Trust: 0.7
title:	Patch for Tibbo Technology AggreGate Privilege Escalation Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/67105	Trust: 0.6
title:	Tibbo Technology AggreGate Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58836	Trust: 0.6

sources: ZDI: ZDI-15-572 // CNVD: CNVD-2015-07767 // JVNDB: JVNDB-2015-006004 // CNNVD: CNNVD-201511-387

EXTERNAL IDS

db:	NVD	id:	CVE-2015-7913	Trust: 4.0
db:	ICS CERT	id:	ICSA-15-323-01	Trust: 3.0
db:	ZDI	id:	ZDI-15-572	Trust: 2.9
db:	JVNDB	id:	JVNDB-2015-006004	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-3135	Trust: 0.7
db:	CNVD	id:	CNVD-2015-07767	Trust: 0.6
db:	CNNVD	id:	CNNVD-201511-387	Trust: 0.6
db:	BID	id:	77658	Trust: 0.3

sources: ZDI: ZDI-15-572 // CNVD: CNVD-2015-07767 // BID: 77658 // JVNDB: JVNDB-2015-006004 // CNNVD: CNNVD-201511-387 // NVD: CVE-2015-7913

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-323-01	Trust: 3.7
url:	http://zerodayinitiative.com/advisories/zdi-15-572/	Trust: 2.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7913	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7913	Trust: 0.8

sources: ZDI: ZDI-15-572 // CNVD: CNVD-2015-07767 // JVNDB: JVNDB-2015-006004 // CNNVD: CNNVD-201511-387 // NVD: CVE-2015-7913

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-15-572

SOURCES

db:	ZDI	id:	ZDI-15-572
db:	CNVD	id:	CNVD-2015-07767
db:	BID	id:	77658
db:	JVNDB	id:	JVNDB-2015-006004
db:	CNNVD	id:	CNNVD-201511-387
db:	NVD	id:	CVE-2015-7913

LAST UPDATE DATE

2025-04-12T23:04:31.704000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-572	date:	2015-11-20T00:00:00
db:	CNVD	id:	CNVD-2015-07767	date:	2015-11-25T00:00:00
db:	BID	id:	77658	date:	2015-12-07T22:25:00
db:	JVNDB	id:	JVNDB-2015-006004	date:	2015-11-24T00:00:00
db:	CNNVD	id:	CNNVD-201511-387	date:	2015-11-23T00:00:00
db:	NVD	id:	CVE-2015-7913	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-15-572	date:	2015-11-20T00:00:00
db:	CNVD	id:	CNVD-2015-07767	date:	2015-11-25T00:00:00
db:	BID	id:	77658	date:	2015-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2015-006004	date:	2015-11-24T00:00:00
db:	CNNVD	id:	CNNVD-201511-387	date:	2015-11-23T00:00:00
db:	NVD	id:	CVE-2015-7913	date:	2015-11-21T11:59:25.923