Details of VAR-201703-0644

ID

VAR-201703-0644

CVE

CVE-2017-2687

TITLE

Siemens RUGGEDCOM ROX I Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: 2f332dd1-8155-4d9b-81db-31bf76d9ed5e // CNVD: CNVD-2017-03651

DESCRIPTION

Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability in the integrated web server at port 10000/TCP which is prone to reflected Cross-Site Scripting attacks if an unsuspecting user is induced to click on a malicious link. SiemensRuggedCom's ROX-based firewall devices are used to connect devices in harsh environments such as substations, traffic management chassis, and more. Siemens RUGGEDCOM ROX I is prone to the following security vulnerabilities: : 1. A HTML-injection vulnerability 2. An information-disclosure vulnerability 4. An authorization-bypass vulnerability 5. A cross-site request-forgery vulnerability An attacker may leverage these issues to execute HTML and script code in the browser of an unsuspecting user in the context of the affected site, disclose sensitive information, perform certain unauthorized actions actions, gain unauthorized access, or bypass certain security restrictions

Trust: 2.61

sources: NVD: CVE-2017-2687 // JVNDB: JVNDB-2017-002721 // CNVD: CNVD-2017-03651 // BID: 97170 // IVD: 2f332dd1-8155-4d9b-81db-31bf76d9ed5e

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 2f332dd1-8155-4d9b-81db-31bf76d9ed5e // CNVD: CNVD-2017-03651

AFFECTED PRODUCTS

vendor:	siemens	model:	ruggedcom rox i	scope:	lte	version:	2.9.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox i	scope:	eq	version:	-	Trust: 0.8
vendor:	siemens	model:	ruggedcom rox i	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	ruggedcom rox i	scope:	eq	version:	2.9.0	Trust: 0.6
vendor:	siemens	model:	ruggedcom rox i	scope:	eq	version:	0	Trust: 0.3
vendor:	ruggedcom rox i	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 2f332dd1-8155-4d9b-81db-31bf76d9ed5e // CNVD: CNVD-2017-03651 // BID: 97170 // JVNDB: JVNDB-2017-002721 // CNNVD: CNNVD-201703-1334 // NVD: CVE-2017-2687

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2687
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-2687
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-03651
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201703-1334
value:	MEDIUM
Trust: 0.6
IVD:	2f332dd1-8155-4d9b-81db-31bf76d9ed5e
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2017-2687
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-03651
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	2f332dd1-8155-4d9b-81db-31bf76d9ed5e
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-2687
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: IVD: 2f332dd1-8155-4d9b-81db-31bf76d9ed5e // CNVD: CNVD-2017-03651 // JVNDB: JVNDB-2017-002721 // CNNVD: CNNVD-201703-1334 // NVD: CVE-2017-2687

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-002721 // NVD: CVE-2017-2687

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1334

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-1334

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002721

PATCH

title:	SSA-327980	url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf	Trust: 0.8
title:	Patch for SiemensRUGGEDCOMROXI Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/91178	Trust: 0.6
title:	Siemens RUGGEDCOM ROX I Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68862	Trust: 0.6

sources: CNVD: CNVD-2017-03651 // JVNDB: JVNDB-2017-002721 // CNNVD: CNNVD-201703-1334

EXTERNAL IDS

db:	NVD	id:	CVE-2017-2687	Trust: 3.5
db:	SIEMENS	id:	SSA-327980	Trust: 2.5
db:	ICS CERT	id:	ICSA-17-087-01	Trust: 1.3
db:	BID	id:	97170	Trust: 1.3
db:	SECTRACK	id:	1038160	Trust: 1.0
db:	CNVD	id:	CNVD-2017-03651	Trust: 0.8
db:	CNNVD	id:	CNNVD-201703-1334	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-002721	Trust: 0.8
db:	IVD	id:	2F332DD1-8155-4D9B-81DB-31BF76D9ED5E	Trust: 0.2

sources: IVD: 2f332dd1-8155-4d9b-81db-31bf76d9ed5e // CNVD: CNVD-2017-03651 // BID: 97170 // JVNDB: JVNDB-2017-002721 // CNNVD: CNNVD-201703-1334 // NVD: CVE-2017-2687

REFERENCES

url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf	Trust: 2.5
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-087-01	Trust: 1.3
url:	http://www.securityfocus.com/bid/97170	Trust: 1.0
url:	http://www.securitytracker.com/id/1038160	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2687	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2687	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3

sources: CNVD: CNVD-2017-03651 // BID: 97170 // JVNDB: JVNDB-2017-002721 // CNNVD: CNNVD-201703-1334 // NVD: CVE-2017-2687

CREDITS

Maxim Rupp

Trust: 0.3

sources: BID: 97170

SOURCES

db:	IVD	id:	2f332dd1-8155-4d9b-81db-31bf76d9ed5e
db:	CNVD	id:	CNVD-2017-03651
db:	BID	id:	97170
db:	JVNDB	id:	JVNDB-2017-002721
db:	CNNVD	id:	CNNVD-201703-1334
db:	NVD	id:	CVE-2017-2687

LAST UPDATE DATE

2025-04-20T23:20:05.220000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-03651	date:	2017-03-29T00:00:00
db:	BID	id:	97170	date:	2017-03-28T00:00:00
db:	JVNDB	id:	JVNDB-2017-002721	date:	2017-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201703-1334	date:	2017-03-30T00:00:00
db:	NVD	id:	CVE-2017-2687	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	2f332dd1-8155-4d9b-81db-31bf76d9ed5e	date:	2017-03-29T00:00:00
db:	CNVD	id:	CNVD-2017-03651	date:	2017-03-29T00:00:00
db:	BID	id:	97170	date:	2017-03-28T00:00:00
db:	JVNDB	id:	JVNDB-2017-002721	date:	2017-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201703-1334	date:	2017-03-30T00:00:00
db:	NVD	id:	CVE-2017-2687	date:	2017-03-29T01:59:01.737