ID

VAR-201703-0462


CVE

CVE-2016-9368


TITLE

Eaton xComfort Ethernet Communication Interface Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: ca995212-3594-4e10-b2bc-114358bb39bc // CNVD: CNVD-2017-03834

DESCRIPTION

An issue was discovered in Eaton xComfort Ethernet Communication Interface (ECI) Versions 1.07 and prior. By accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access files without authenticating. Eaton xComfort is a smart home solution from Eaton, USA. The program includes a wireless home automation system that provides home security and energy management features. There are security vulnerabilities in Eaton xComfort ECI 1.07 and earlier. An unauthorized attacker could exploit the vulnerability to access files.

Trust: 2.34

sources: NVD: CVE-2016-9368 // JVNDB: JVNDB-2016-007967 // CNVD: CNVD-2017-03834 // IVD: ca995212-3594-4e10-b2bc-114358bb39bc

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: ca995212-3594-4e10-b2bc-114358bb39bc // CNVD: CNVD-2017-03834

AFFECTED PRODUCTS

vendor: eaton, model: xcomfort ethernet communication interface, scope: lte, version: 1.07

Trust: 1.8

vendor: eaton, model: xcomfort ethernet communication interface, scope: lte, version: <=1.07

Trust: 0.6

vendor: eaton, model: xcomfort ethernet communication interface, scope: eq, version: 1.07

Trust: 0.6

vendor: xcomfort ethernet communication interface, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: ca995212-3594-4e10-b2bc-114358bb39bc // CNVD: CNVD-2017-03834 // JVNDB: JVNDB-2016-007967 // CNNVD: CNNVD-201703-593 // NVD: CVE-2016-9368

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9368
value: HIGH

Trust: 1.0

NVD: CVE-2016-9368
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-03834
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201703-593
value: HIGH

Trust: 0.6

IVD: ca995212-3594-4e10-b2bc-114358bb39bc
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2016-9368
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-03834
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: ca995212-3594-4e10-b2bc-114358bb39bc
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-9368
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: ca995212-3594-4e10-b2bc-114358bb39bc // CNVD: CNVD-2017-03834 // JVNDB: JVNDB-2016-007967 // CNNVD: CNNVD-201703-593 // NVD: CVE-2016-9368

PROBLEMTYPE DATA

problemtype: CWE-284

Trust: 1.8

sources: JVNDB: JVNDB-2016-007967 // NVD: CVE-2016-9368

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-593

TYPE

Access control error

Trust: 0.8

sources: IVD: ca995212-3594-4e10-b2bc-114358bb39bc // CNNVD: CNNVD-201703-593

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007967

PATCH

title: xComfort - RF Smart Home Solutions, url: http://www.eaton.eu/Europe/Electrical/ProductsServices/Residential/xComfort-RFSmartHomeSolutions/index.htm?wtredirect=www.eaton.eu/xcomfort#tabs-11

Trust: 0.8

sources: JVNDB: JVNDB-2016-007967

EXTERNAL IDS

db: NVD, id: CVE-2016-9368

Trust: 3.2

db: ICS CERT, id: ICSA-17-061-01

Trust: 3.0

db: CNVD, id: CNVD-2017-03834

Trust: 0.8

db: CNNVD, id: CNNVD-201703-593

Trust: 0.8

db: JVNDB, id: JVNDB-2016-007967

Trust: 0.8

db: IVD, id: CA995212-3594-4E10-B2BC-114358BB39BC

Trust: 0.2

sources: IVD: ca995212-3594-4e10-b2bc-114358bb39bc // CNVD: CNVD-2017-03834 // JVNDB: JVNDB-2016-007967 // CNNVD: CNNVD-201703-593 // NVD: CVE-2016-9368

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-17-061-01

Trust: 3.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9368

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2016-9368

Trust: 0.8

sources: CNVD: CNVD-2017-03834 // JVNDB: JVNDB-2016-007967 // CNNVD: CNNVD-201703-593 // NVD: CVE-2016-9368

SOURCES

db: IVD, id: ca995212-3594-4e10-b2bc-114358bb39bc
db: CNVD, id: CNVD-2017-03834
db: JVNDB, id: JVNDB-2016-007967
db: CNNVD, id: CNNVD-201703-593
db: NVD, id: CVE-2016-9368

LAST UPDATE DATE

2025-04-20T23:40:11.105000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-03834, date: 2017-04-02T00:00:00
db: JVNDB, id: JVNDB-2016-007967, date: 2017-04-03T00:00:00
db: CNNVD, id: CNNVD-201703-593, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2016-9368, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: ca995212-3594-4e10-b2bc-114358bb39bc, date: 2017-04-02T00:00:00
db: CNVD, id: CNVD-2017-03834, date: 2017-04-02T00:00:00
db: JVNDB, id: JVNDB-2016-007967, date: 2017-04-03T00:00:00
db: CNNVD, id: CNNVD-201703-593, date: 2017-03-15T00:00:00
db: NVD, id: CVE-2016-9368, date: 2017-03-14T09:59:00.300