Sign-up

ID

VAR-201602-0088


CVE

CVE-2015-7916


TITLE

Sauter moduWeb Vision Web Server Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: 624a92fa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-00979

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. Sauter moduWeb Vision is an embedded web-based SCADA system for HVAC. Sauter moduWeb Vision is prone to multiple security vulnerabilities: 1. Multiple information-disclosure vulnerabilities 2. Other attacks may also be possible. Vulnerabilities --------------- CVSS 10 - INSECURE CREDENTIAL STORAGE (Pass the Hash) CVE-2015-7914 CVSS 10 - INSECURE TRANSMISSION OF CREDENTIALS CVE-2015-7915 CVSS 7.4 - CROSS-SITE SCRIPTING CVE-2015-7916 Other risk exposures --------------- Undocumented default accounts Note that default accounts with changeable passwords, even when those are undocumented and do not look as user accounts neither in interface or documentation, constitute a formal vulnerability. It is at worst a misconfiguration. References (Source) --------------- This advisory: https://www.outpost24.com/critical-scada-vulnerabilities-sauter-moduweb/ ICS CERT: https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01 Summary of the issues --------------- In short \x96 By obtaining access to a system using undocumented accounts, it is possible to obtain a low privilege level. By exploiting the fact that the cashed credentials used for the \x93remember me\x94 function of the web application employ the same encryption as the one used for protection of passwords included in backups, a user can elevate privileges to administrator level. The backups also contain other encrypted configuration information which can further an attacker\x92s access to also affect for example email accounts used for notifications. By accessing the system as an administrator, an attacker can obtain those credentials in plain text from the system as they are included in the configuration details, protected only by the use of \x93password\x94 field-types in the forms. In essence this constitute a pass the hash vulnerability. Just as with https://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/ which used hashed inputs to generate secure transfer of credentials over non encrypted connections, applying the same protection scheme to its stored, and exposed, secrets. Don\x92t do your own cryptography. A bit more details, sufficient for the interested reader to recreate but not a straight forward guide, available at the provided references. Martin Jartelius \x96 CSO \x96 Outpost24 John Stock \x96 Technology Program Director \x96 Outpost24

Trust: 2.7

sources: NVD: CVE-2015-7916 // JVNDB: JVNDB-2015-006867 // CNVD: CNVD-2016-00979 // BID: 82408 // IVD: 624a92fa-2351-11e6-abef-000c29c66e3d // PACKETSTORM: 135615

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 624a92fa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-00979

AFFECTED PRODUCTS

vendor:sauter controlsmodel:moduweb visionscope:lteversion:1.5

Trust: 1.0

vendor:fr sautermodel:moduweb visionscope:ltversion:(ey-ws505f0x0) 1.6.0

Trust: 0.8

vendor:sautermodel:ey-ws505f0x0 moduweb visionscope:ltversion:1.6.0

Trust: 0.6

vendor:sautermodel:moduweb visionscope:eqversion:1.5

Trust: 0.6

vendor:moduweb visionmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 624a92fa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-00979 // JVNDB: JVNDB-2015-006867 // CNNVD: CNNVD-201602-126 // NVD: CVE-2015-7916

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7916
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7916
value: LOW

Trust: 0.8

CNVD: CNVD-2016-00979
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201602-126
value: MEDIUM

Trust: 0.6

IVD: 624a92fa-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

nvd@nist.gov: CVE-2015-7916
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-00979
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 624a92fa-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2015-7916
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.1

Trust: 1.0

sources: IVD: 624a92fa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-00979 // JVNDB: JVNDB-2015-006867 // CNNVD: CNNVD-201602-126 // NVD: CVE-2015-7916

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2015-006867 // NVD: CVE-2015-7916

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-126

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 135615 // CNNVD: CNNVD-201602-126

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006867

PATCH
title:Web server for moduWeb Vision and moduWeb500 BACnet networksurl:http://www.sauter-controls.com/en/products-sauter/product-details/pdm/ey-ws-500-web-server-for-moduweb-vision-and-moduweb500-bacnet-networks.html
Trust: 0.8
title:Patch for Sauter moduWeb Vision Web Server Cross-Site Scripting Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/71353
Trust: 0.6
title:Sauter EY-WS505F0x0 moduWeb Vision Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60078
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-00979 // 
            
            
            
            JVNDB: JVNDB-2015-006867 // 
            
            
            
            CNNVD: CNNVD-201602-126

EXTERNAL IDS
db:NVDid:CVE-2015-7916
Trust: 3.6
db:ICS CERTid:ICSA-16-033-01
Trust: 3.4
db:CNVDid:CNVD-2016-00979
Trust: 0.8
db:CNNVDid:CNNVD-201602-126
Trust: 0.8
db:JVNDBid:JVNDB-2015-006867
Trust: 0.8
db:BIDid:82408
Trust: 0.3
db:IVDid:624A92FA-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:PACKETSTORMid:135615
Trust: 0.1
sources:
            
            
            IVD: 624a92fa-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2016-00979 // 
            
            
            
            BID: 82408 // 
            
            
            
            JVNDB: JVNDB-2015-006867 // 
            
            
            
            PACKETSTORM: 135615 // 
            
            
            
            CNNVD: CNNVD-201602-126 // 
            
            
            
            NVD: CVE-2015-7916

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-033-01
Trust: 3.4
url:http://seclists.org/fulldisclosure/2016/feb/25
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7916
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7916
Trust: 0.8
url:http://www.sauter-controls.com/en.html
Trust: 0.3
url:https://www.outpost24.com/critical-scada-vulnerabilities-sauter-moduweb/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-7916
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-7915
Trust: 0.1
url:https://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-7914
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-00979 // 
            
            
            
            BID: 82408 // 
            
            
            
            JVNDB: JVNDB-2015-006867 // 
            
            
            
            PACKETSTORM: 135615 // 
            
            
            
            CNNVD: CNNVD-201602-126 // 
            
            
            
            NVD: CVE-2015-7916

CREDITS
Martin Jartelius and John Stock of Outpost24.
Trust: 0.3
sources:
            
            
            BID: 82408

SOURCES
db:IVDid:624a92fa-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2016-00979
db:BIDid:82408
db:JVNDBid:JVNDB-2015-006867
db:PACKETSTORMid:135615
db:CNNVDid:CNNVD-201602-126
db:NVDid:CVE-2015-7916

LAST UPDATE DATE
2025-04-13T23:03:16.466000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-00979date:2016-02-16T00:00:00
db:BIDid:82408date:2016-07-05T21:21:00
db:JVNDBid:JVNDB-2015-006867date:2016-02-17T00:00:00
db:CNNVDid:CNNVD-201602-126date:2020-06-28T00:00:00
db:NVDid:CVE-2015-7916date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:624a92fa-2351-11e6-abef-000c29c66e3ddate:2016-02-16T00:00:00
db:CNVDid:CNVD-2016-00979date:2016-02-16T00:00:00
db:BIDid:82408date:2016-02-02T00:00:00
db:JVNDBid:JVNDB-2015-006867date:2016-02-17T00:00:00
db:PACKETSTORMid:135615date:2016-02-05T15:55:55
db:CNNVDid:CNNVD-201602-126date:2016-02-04T00:00:00
db:NVDid:CVE-2015-7916date:2016-02-06T05:59:02.323