Sign-up

ID

VAR-201702-0859


CVE

CVE-2016-9360


TITLE

plural General Electric Proficy Vulnerability to obtain user password in product

Trust: 0.8

sources: JVNDB: JVNDB-2016-007952

DESCRIPTION

An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session. GE Proficy HMI/SCADA-CIMPLICITY is a client/server based HMI/SCADA solution from General Electric (GE). The solution captures and shares real-time and historical data across all levels of the enterprise, enabling visualization of processes, equipment, and resource monitoring operations. Proficy Historian is a factory system that collects, archives and distributes a large amount of real-time data at high speed, which significantly improves operational visibility and profit and loss settlement lines. Local vulnerabilities can exploit this vulnerability to obtain sensitive information. Multiple GE products are prone to a local information-disclosure vulnerability

Trust: 2.61

sources: NVD: CVE-2016-9360 // JVNDB: JVNDB-2016-007952 // CNVD: CNVD-2017-00906 // BID: 95630 // IVD: 8e677a52-d1d3-4559-96bd-040386314b48

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 8e677a52-d1d3-4559-96bd-040386314b48 // CNVD: CNVD-2017-00906

AFFECTED PRODUCTS

vendor:gemodel:ifixscope:lteversion:5.8

Trust: 1.0

vendor:gemodel:historianscope:lteversion:6.0

Trust: 1.0

vendor:gemodel:cimplicityscope:lteversion:9.0

Trust: 1.0

vendor:general electricmodel:cimplicityscope:lteversion:9.0

Trust: 0.8

vendor:general electricmodel:historianscope:lteversion:6.0

Trust: 0.8

vendor:general electricmodel:ifixscope:lteversion:5.8 sim 13

Trust: 0.8

vendor:generalmodel:electric proficy historianscope:lteversion:<=6.0

Trust: 0.6

vendor:generalmodel:electric proficy hmi/scada cimplicityscope:lteversion:<=9.0

Trust: 0.6

vendor:generalmodel:electric proficy hmi/scada ifix simscope:lteversion:<=5.813

Trust: 0.6

vendor:general electricmodel:historianscope:eqversion:6.0

Trust: 0.6

vendor:general electricmodel:ifixscope:eqversion:5.8

Trust: 0.6

vendor:general electricmodel:cimplicityscope:eqversion:9.0

Trust: 0.6

vendor:gemodel:proficy hmi/scada ifix simscope:eqversion:5.813

Trust: 0.3

vendor:gemodel:proficy hmi/scada ifixscope:eqversion:5.5

Trust: 0.3

vendor:gemodel:proficy hmi/scada ifixscope:eqversion:5.1

Trust: 0.3

vendor:gemodel:proficy hmi/scada ifixscope:eqversion:5.0

Trust: 0.3

vendor:gemodel:proficy hmi/scada ifixscope:eqversion:4.0

Trust: 0.3

vendor:gemodel:proficy hmi/scada cimplicityscope:eqversion:9.0

Trust: 0.3

vendor:gemodel:proficy hmi/scada cimplicityscope:eqversion:8.0

Trust: 0.3

vendor:gemodel:proficy hmi/scada cimplicityscope:eqversion:7.0

Trust: 0.3

vendor:gemodel:proficy historianscope:eqversion:6.0

Trust: 0.3

vendor:gemodel:proficy historianscope:eqversion:5.5

Trust: 0.3

vendor:gemodel:proficy historianscope:eqversion:4.5

Trust: 0.3

vendor:gemodel:proficy historianscope:eqversion:4.0

Trust: 0.3

vendor:gemodel:proficy historianscope:eqversion:3.5

Trust: 0.3

vendor:gemodel:proficy hmi/scada ifix simscope:neversion:5.814

Trust: 0.3

vendor:gemodel:proficy hmi/scada cimplicityscope:neversion:9.5

Trust: 0.3

vendor:gemodel:proficy historianscope:neversion:7.0

Trust: 0.3

vendor:cimplicitymodel: - scope:eqversion:*

Trust: 0.2

vendor:historianmodel: - scope:eqversion:*

Trust: 0.2

vendor:ifixmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 8e677a52-d1d3-4559-96bd-040386314b48 // CNVD: CNVD-2017-00906 // BID: 95630 // JVNDB: JVNDB-2016-007952 // CNNVD: CNNVD-201701-692 // NVD: CVE-2016-9360

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9360
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-9360
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-00906
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201701-692
value: MEDIUM

Trust: 0.6

IVD: 8e677a52-d1d3-4559-96bd-040386314b48
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-9360
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-00906
severity: MEDIUM
baseScore: 5.2
vectorString: AV:L/AC:H/AU:N/C:C/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 8e677a52-d1d3-4559-96bd-040386314b48
severity: MEDIUM
baseScore: 5.2
vectorString: AV:L/AC:H/AU:N/C:C/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-9360
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.8
impactScore: 5.3
version: 3.1

Trust: 1.0

NVD: CVE-2016-9360
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 8e677a52-d1d3-4559-96bd-040386314b48 // CNVD: CNVD-2017-00906 // JVNDB: JVNDB-2016-007952 // CNNVD: CNNVD-201701-692 // NVD: CVE-2016-9360

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.0

problemtype:CWE-200

Trust: 0.8

sources: JVNDB: JVNDB-2016-007952 // NVD: CVE-2016-9360

THREAT TYPE

local

Trust: 0.9

sources: BID: 95630 // CNNVD: CNNVD-201701-692

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201701-692

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-007952

PATCH
title:Top Pageurl:https://digitalsupport.ge.com/communities/CC_Home
Trust: 0.8
title:Patches for multiple GE product local information disclosure vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/88599
Trust: 0.6
title:Multiple GE Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67287
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-00906 // 
            
            
            
            JVNDB: JVNDB-2016-007952 // 
            
            
            
            CNNVD: CNNVD-201701-692

EXTERNAL IDS
db:NVDid:CVE-2016-9360
Trust: 3.5
db:BIDid:95630
Trust: 2.5
db:ICS CERTid:ICSA-16-336-05
Trust: 1.7
db:SECTRACKid:1037809
Trust: 1.6
db:ICS CERTid:ICSA-16-336-05A
Trust: 1.6
db:CNVDid:CNVD-2017-00906
Trust: 0.8
db:CNNVDid:CNNVD-201701-692
Trust: 0.8
db:JVNDBid:JVNDB-2016-007952
Trust: 0.8
db:IVDid:8E677A52-D1D3-4559-96BD-040386314B48
Trust: 0.2
sources:
            
            
            IVD: 8e677a52-d1d3-4559-96bd-040386314b48 // 
            
            
            
            CNVD: CNVD-2017-00906 // 
            
            
            
            BID: 95630 // 
            
            
            
            JVNDB: JVNDB-2016-007952 // 
            
            
            
            CNNVD: CNNVD-201701-692 // 
            
            
            
            NVD: CVE-2016-9360

REFERENCES
url:http://www.securityfocus.com/bid/95630
Trust: 1.6
url:https://ics-cert.us-cert.gov/advisories/icsa-16-336-05a
Trust: 1.6
url:http://www.securitytracker.com/id/1037809
Trust: 1.6
url:https://ics-cert.us-cert.gov/advisories/icsa-16-336-05
Trust: 1.4
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9360
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-9360
Trust: 0.8
url:https://www.ge.com/
Trust: 0.3
url:https://ics-cert.us-cert.gov/advisories/icsa-16-336-05 
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-00906 // 
            
            
            
            BID: 95630 // 
            
            
            
            JVNDB: JVNDB-2016-007952 // 
            
            
            
            CNNVD: CNNVD-201701-692 // 
            
            
            
            NVD: CVE-2016-9360

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 95630

SOURCES
db:IVDid:8e677a52-d1d3-4559-96bd-040386314b48
db:CNVDid:CNVD-2017-00906
db:BIDid:95630
db:JVNDBid:JVNDB-2016-007952
db:CNNVDid:CNNVD-201701-692
db:NVDid:CVE-2016-9360

LAST UPDATE DATE
2025-04-20T23:33:01.126000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-00906date:2017-02-05T00:00:00
db:BIDid:95630date:2017-01-23T03:11:00
db:JVNDBid:JVNDB-2016-007952date:2017-03-31T00:00:00
db:CNNVDid:CNNVD-201701-692date:2022-02-07T00:00:00
db:NVDid:CVE-2016-9360date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:8e677a52-d1d3-4559-96bd-040386314b48date:2017-02-05T00:00:00
db:CNVDid:CNVD-2017-00906date:2017-02-05T00:00:00
db:BIDid:95630date:2017-01-17T00:00:00
db:JVNDBid:JVNDB-2016-007952date:2017-03-31T00:00:00
db:CNNVDid:CNNVD-201701-692date:2017-01-19T00:00:00
db:NVDid:CVE-2016-9360date:2017-02-13T21:59:02.050