Details of VAR-201702-0848

ID

VAR-201702-0848

CVE

CVE-2016-9345

TITLE

Emerson DeltaV Easy Security Management Vulnerability in which privileges are elevated

Trust: 0.8

sources: JVNDB: JVNDB-2016-007966

DESCRIPTION

An issue was discovered in Emerson DeltaV Easy Security Management DeltaV V12.3, DeltaV V12.3.1, and DeltaV V13.3. Critical vulnerabilities may allow a local attacker to elevate privileges within the DeltaV control system. Emerson DeltaV is a digital automation system from Emerson, USA. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. There is an elevation of privilege vulnerability in Emerson DeltaV

Trust: 2.61

sources: NVD: CVE-2016-9345 // JVNDB: JVNDB-2016-007966 // CNVD: CNVD-2016-11817 // BID: 94584 // IVD: 8e3727f3-4c57-46fa-b531-77ba29b04434

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 8e3727f3-4c57-46fa-b531-77ba29b04434 // CNVD: CNVD-2016-11817

AFFECTED PRODUCTS

vendor:	emerson	model:	deltav	scope:	eq	version:	13.3	Trust: 2.7
vendor:	emerson	model:	deltav	scope:	eq	version:	12.3.1	Trust: 2.7
vendor:	emerson	model:	deltav	scope:	eq	version:	12.3	Trust: 2.7
vendor:	emerson	model:	deltav	scope:	-	version:	-	Trust: 0.6
vendor:	deltav	model:	-	scope:	eq	version:	12.3	Trust: 0.2
vendor:	deltav	model:	-	scope:	eq	version:	12.3.1	Trust: 0.2
vendor:	deltav	model:	-	scope:	eq	version:	13.3	Trust: 0.2

sources: IVD: 8e3727f3-4c57-46fa-b531-77ba29b04434 // CNVD: CNVD-2016-11817 // BID: 94584 // JVNDB: JVNDB-2016-007966 // CNNVD: CNNVD-201611-704 // NVD: CVE-2016-9345

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-9345
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-9345
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2016-11817
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201611-704
value:	MEDIUM
Trust: 0.6
IVD:	8e3727f3-4c57-46fa-b531-77ba29b04434
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2016-9345
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:A/AC:M/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	4.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-11817
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	8e3727f3-4c57-46fa-b531-77ba29b04434
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2016-9345
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	HIGH
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.0
impactScore:	5.3
version:	3.0
Trust: 1.8

sources: IVD: 8e3727f3-4c57-46fa-b531-77ba29b04434 // CNVD: CNVD-2016-11817 // JVNDB: JVNDB-2016-007966 // CNNVD: CNNVD-201611-704 // NVD: CVE-2016-9345

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2016-007966 // NVD: CVE-2016-9345

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201611-704

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201611-704

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007966

PATCH

title:	分散型制御システム（DCS） DeltaVシステム	url:	http://www.emerson.co.jp/div/epm/product5_1.html	Trust: 0.8
title:	Emerson DeltaV privilege patch	url:	https://www.cnvd.org.cn/patchInfo/show/84831	Trust: 0.6
title:	Emerson DeltaV Repair measures for privilege escalation	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65971	Trust: 0.6

sources: CNVD: CNVD-2016-11817 // JVNDB: JVNDB-2016-007966 // CNNVD: CNNVD-201611-704

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9345	Trust: 3.5
db:	ICS CERT	id:	ICSA-16-334-02	Trust: 2.7
db:	BID	id:	94584	Trust: 2.5
db:	BID	id:	105767	Trust: 1.0
db:	CNVD	id:	CNVD-2016-11817	Trust: 0.8
db:	CNNVD	id:	CNNVD-201611-704	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-007966	Trust: 0.8
db:	IVD	id:	8E3727F3-4C57-46FA-B531-77BA29B04434	Trust: 0.2

sources: IVD: 8e3727f3-4c57-46fa-b531-77ba29b04434 // CNVD: CNVD-2016-11817 // BID: 94584 // JVNDB: JVNDB-2016-007966 // CNNVD: CNNVD-201611-704 // NVD: CVE-2016-9345

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-334-02	Trust: 2.7
url:	http://www.securityfocus.com/bid/94584	Trust: 2.2
url:	http://www.securityfocus.com/bid/105767	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9345	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-9345	Trust: 0.8
url:	http://www2.emersonprocess.com/en-us/brands/edservices/automationsystems/deltav/pages/deltavtraining.aspx	Trust: 0.3

sources: CNVD: CNVD-2016-11817 // BID: 94584 // JVNDB: JVNDB-2016-007966 // CNNVD: CNNVD-201611-704 // NVD: CVE-2016-9345

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 94584

SOURCES

db:	IVD	id:	8e3727f3-4c57-46fa-b531-77ba29b04434
db:	CNVD	id:	CNVD-2016-11817
db:	BID	id:	94584
db:	JVNDB	id:	JVNDB-2016-007966
db:	CNNVD	id:	CNNVD-201611-704
db:	NVD	id:	CVE-2016-9345

LAST UPDATE DATE

2025-04-20T23:25:06.873000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-11817	date:	2016-12-02T00:00:00
db:	BID	id:	94584	date:	2016-12-20T02:03:00
db:	JVNDB	id:	JVNDB-2016-007966	date:	2017-04-03T00:00:00
db:	CNNVD	id:	CNNVD-201611-704	date:	2016-12-06T00:00:00
db:	NVD	id:	CVE-2016-9345	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	8e3727f3-4c57-46fa-b531-77ba29b04434	date:	2016-12-02T00:00:00
db:	CNVD	id:	CNVD-2016-11817	date:	2016-12-02T00:00:00
db:	BID	id:	94584	date:	2016-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2016-007966	date:	2017-04-03T00:00:00
db:	CNNVD	id:	CNNVD-201611-704	date:	2016-11-29T00:00:00
db:	NVD	id:	CVE-2016-9345	date:	2017-02-13T21:59:01.767