Sign-up

ID

VAR-201702-0308


CVE

CVE-2016-8361


TITLE

Lynxspring JENEsys BAS Bridge Vulnerabilities that can be compromised without authentication

Trust: 0.8

sources: JVNDB: JVNDB-2016-007647

DESCRIPTION

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application uses a hard-coded username with no password allowing an attacker into the system without authentication. Lynxspring is an American company. BAS Bridge is a web-based SCADA system. BAS server deployment areas include commercial facilities, manufacturing, energy, water and wastewater systems, and more. There is a verification bypass vulnerability in Lynxspring JENEsys BAS Bridge. A privilege-escalation vulnerability 2. An authentication-bypass vulnerability 3. A security-bypass vulnerability 3. A cross-site request-forgery vulnerability An attackers may exploit these issues to gain unauthorized access to restricted content, bypass intended security restrictions, gain elevated privileges or perform certain unauthorized actions and gain access to the affected application that may aid in launching further attacks

Trust: 2.61

sources: NVD: CVE-2016-8361 // JVNDB: JVNDB-2016-007647 // CNVD: CNVD-2016-11245 // BID: 94344 // IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081 // CNVD: CNVD-2016-11245

AFFECTED PRODUCTS

vendor:lynxspringmodel:jenesys bas bridgescope:lteversion:1.1.8

Trust: 1.8

vendor:lynxspringmodel:bas bridgescope:eqversion:1.1.8

Trust: 0.9

vendor:lynxspringmodel:jenesys bas bridgescope:eqversion:1.1.8

Trust: 0.6

vendor:jenesys bas bridgemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081 // CNVD: CNVD-2016-11245 // BID: 94344 // JVNDB: JVNDB-2016-007647 // CNNVD: CNNVD-201611-547 // NVD: CVE-2016-8361

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8361
value: HIGH

Trust: 1.0

NVD: CVE-2016-8361
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-11245
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201611-547
value: HIGH

Trust: 0.6

IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2016-8361
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-11245
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:C/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:C/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-8361
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.0

Trust: 1.8

sources: IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081 // CNVD: CNVD-2016-11245 // JVNDB: JVNDB-2016-007647 // CNNVD: CNNVD-201611-547 // NVD: CVE-2016-8361

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.8

sources: JVNDB: JVNDB-2016-007647 // NVD: CVE-2016-8361

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-547

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201611-547

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-007647

PATCH
title:Top Pageurl:http://www.lynxspring.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2016-007647

EXTERNAL IDS
db:NVDid:CVE-2016-8361
Trust: 3.5
db:ICS CERTid:ICSA-16-320-01
Trust: 3.3
db:BIDid:94344
Trust: 2.5
db:CNVDid:CNVD-2016-11245
Trust: 0.8
db:CNNVDid:CNNVD-201611-547
Trust: 0.8
db:JVNDBid:JVNDB-2016-007647
Trust: 0.8
db:IVDid:0384FEDA-A6AF-4E8E-8C57-5B6F09B68081
Trust: 0.2
sources:
            
            
            IVD: 0384feda-a6af-4e8e-8c57-5b6f09b68081 // 
            
            
            
            CNVD: CNVD-2016-11245 // 
            
            
            
            BID: 94344 // 
            
            
            
            JVNDB: JVNDB-2016-007647 // 
            
            
            
            CNNVD: CNNVD-201611-547 // 
            
            
            
            NVD: CVE-2016-8361

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-320-01
Trust: 3.3
url:http://www.securityfocus.com/bid/94344
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8361
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8361
Trust: 0.8
url:http://www.lynxspring.com/technology/jenesys
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2016-11245 // 
            
            
            
            BID: 94344 // 
            
            
            
            JVNDB: JVNDB-2016-007647 // 
            
            
            
            CNNVD: CNNVD-201611-547 // 
            
            
            
            NVD: CVE-2016-8361

CREDITS
Maxim Rupp
Trust: 0.9
sources:
            
            
            BID: 94344 // 
            
            
            
            CNNVD: CNNVD-201611-547

SOURCES
db:IVDid:0384feda-a6af-4e8e-8c57-5b6f09b68081
db:CNVDid:CNVD-2016-11245
db:BIDid:94344
db:JVNDBid:JVNDB-2016-007647
db:CNNVDid:CNNVD-201611-547
db:NVDid:CVE-2016-8361

LAST UPDATE DATE
2025-04-20T23:29:45.709000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-11245date:2016-11-17T00:00:00
db:BIDid:94344date:2016-11-24T01:10:00
db:JVNDBid:JVNDB-2016-007647date:2017-03-08T00:00:00
db:CNNVDid:CNNVD-201611-547date:2016-11-25T00:00:00
db:NVDid:CVE-2016-8361date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:0384feda-a6af-4e8e-8c57-5b6f09b68081date:2016-11-17T00:00:00
db:CNVDid:CNVD-2016-11245date:2016-11-17T00:00:00
db:BIDid:94344date:2016-11-15T00:00:00
db:JVNDBid:JVNDB-2016-007647date:2017-03-08T00:00:00
db:CNNVDid:CNNVD-201611-547date:2016-11-25T00:00:00
db:NVDid:CVE-2016-8361date:2017-02-13T21:59:01.033