Details of VAR-201702-0676

ID

VAR-201702-0676

CVE

CVE-2017-5155

TITLE

Schneider Electric Wonderware Historian Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: 195abc78-1252-4e75-8ed2-fea0f775fa46 // CNVD: CNVD-2017-01759

DESCRIPTION

An issue was discovered in Schneider Electric Wonderware Historian 2014 R2 SP1 P01 and earlier. Wonderware Historian creates logins with default passwords, which can allow a malicious entity to compromise Historian databases. In some installation scenarios, resources beyond those created by Wonderware Historian may be compromised as well. Schneider Electric Wonderware Historian is a set of industrial data management software from Schneider Electric that combines high-speed data acquisition storage systems with traditional relational database management systems. A remote attacker could exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks. The vulnerability is caused by the program using insecure default passwords

Trust: 2.7

sources: NVD: CVE-2017-5155 // JVNDB: JVNDB-2017-002220 // CNVD: CNVD-2017-01759 // BID: 95766 // IVD: 195abc78-1252-4e75-8ed2-fea0f775fa46 // VULHUB: VHN-113358

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 195abc78-1252-4e75-8ed2-fea0f775fa46 // CNVD: CNVD-2017-01759

AFFECTED PRODUCTS

vendor:	schneider electric	model:	wonderware historian	scope:	eq	version:	2014_r2_sp1_p01	Trust: 1.6
vendor:	schneider electric	model:	wonderware historian	scope:	lte	version:	2014 r2 sp1 p01	Trust: 0.8
vendor:	schneider electric	model:	wonderware historian r2 sp1 p01	scope:	lte	version:	<=2014	Trust: 0.6
vendor:	schneider electric	model:	wonderware historian r2 sp1 p01	scope:	eq	version:	2014	Trust: 0.3
vendor:	schneider electric	model:	wonderware historian	scope:	eq	version:	0	Trust: 0.3
vendor:	wonderware historian	model:	2014 r2 sp1 p01	scope:	-	version:	-	Trust: 0.2

sources: IVD: 195abc78-1252-4e75-8ed2-fea0f775fa46 // CNVD: CNVD-2017-01759 // BID: 95766 // JVNDB: JVNDB-2017-002220 // CNNVD: CNNVD-201702-272 // NVD: CVE-2017-5155

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-5155
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-5155
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-01759
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201702-272
value:	HIGH
Trust: 0.6
IVD:	195abc78-1252-4e75-8ed2-fea0f775fa46
value:	HIGH
Trust: 0.2
VULHUB:	VHN-113358
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-5155
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-01759
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	195abc78-1252-4e75-8ed2-fea0f775fa46
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-113358
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-5155
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	3.4
version:	3.0
Trust: 1.8

sources: IVD: 195abc78-1252-4e75-8ed2-fea0f775fa46 // CNVD: CNVD-2017-01759 // VULHUB: VHN-113358 // JVNDB: JVNDB-2017-002220 // CNNVD: CNNVD-201702-272 // NVD: CVE-2017-5155

PROBLEMTYPE DATA

problemtype:	CWE-1188	Trust: 1.0
problemtype:	CWE-255	Trust: 0.9

sources: VULHUB: VHN-113358 // JVNDB: JVNDB-2017-002220 // NVD: CVE-2017-5155

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-272

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201702-272

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002220

PATCH

title:	LFSEC00000115	url:	http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000115/	Trust: 0.8
title:	Schneider Electric Wonderware Historian Unauthorized Access Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/89596	Trust: 0.6
title:	Schneider Electric Wonderware Historian Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67557	Trust: 0.6

sources: CNVD: CNVD-2017-01759 // JVNDB: JVNDB-2017-002220 // CNNVD: CNNVD-201702-272

EXTERNAL IDS

db:	NVD	id:	CVE-2017-5155	Trust: 3.6
db:	ICS CERT	id:	ICSA-17-024-01	Trust: 2.8
db:	BID	id:	95766	Trust: 2.6
db:	SECTRACK	id:	1037808	Trust: 1.7
db:	CNNVD	id:	CNNVD-201702-272	Trust: 0.9
db:	CNVD	id:	CNVD-2017-01759	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-002220	Trust: 0.8
db:	IVD	id:	195ABC78-1252-4E75-8ED2-FEA0F775FA46	Trust: 0.2
db:	VULHUB	id:	VHN-113358	Trust: 0.1

sources: IVD: 195abc78-1252-4e75-8ed2-fea0f775fa46 // CNVD: CNVD-2017-01759 // VULHUB: VHN-113358 // BID: 95766 // JVNDB: JVNDB-2017-002220 // CNNVD: CNNVD-201702-272 // NVD: CVE-2017-5155

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-024-01	Trust: 2.8
url:	http://www.securityfocus.com/bid/95766	Trust: 2.3
url:	http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000115/	Trust: 1.7
url:	http://www.securitytracker.com/id/1037808	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5155	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-5155	Trust: 0.8
url:	www.controlmicrosystems.com	Trust: 0.3

sources: CNVD: CNVD-2017-01759 // VULHUB: VHN-113358 // BID: 95766 // JVNDB: JVNDB-2017-002220 // CNNVD: CNNVD-201702-272 // NVD: CVE-2017-5155

CREDITS

Ruslan Habalov and Jan Bee of the Google ISA Assessments Team.

Trust: 0.9

sources: BID: 95766 // CNNVD: CNNVD-201702-272

SOURCES

db:	IVD	id:	195abc78-1252-4e75-8ed2-fea0f775fa46
db:	CNVD	id:	CNVD-2017-01759
db:	VULHUB	id:	VHN-113358
db:	BID	id:	95766
db:	JVNDB	id:	JVNDB-2017-002220
db:	CNNVD	id:	CNNVD-201702-272
db:	NVD	id:	CVE-2017-5155

LAST UPDATE DATE

2025-04-21T23:39:59.427000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-01759	date:	2017-02-22T00:00:00
db:	VULHUB	id:	VHN-113358	date:	2019-10-03T00:00:00
db:	BID	id:	95766	date:	2017-02-02T01:01:00
db:	JVNDB	id:	JVNDB-2017-002220	date:	2017-04-04T00:00:00
db:	CNNVD	id:	CNNVD-201702-272	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-5155	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	195abc78-1252-4e75-8ed2-fea0f775fa46	date:	2017-02-22T00:00:00
db:	CNVD	id:	CNVD-2017-01759	date:	2017-02-22T00:00:00
db:	VULHUB	id:	VHN-113358	date:	2017-02-13T00:00:00
db:	BID	id:	95766	date:	2017-01-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-002220	date:	2017-04-04T00:00:00
db:	CNNVD	id:	CNNVD-201702-272	date:	2017-01-24T00:00:00
db:	NVD	id:	CVE-2017-5155	date:	2017-02-13T21:59:02.737