Details of VAR-201703-1342

ID

VAR-201703-1342

CVE

CVE-2017-6864

TITLE

Siemens RUGGEDCOM ROX I Port 10000/TCP Integration Web Server cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-002724

DESCRIPTION

The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks. SiemensRuggedCom's ROX-based firewall devices are used to connect devices in harsh environments such as substations, traffic management chassis, and more. Siemens RUGGEDCOM ROX I is prone to the following security vulnerabilities: : 1. A HTML-injection vulnerability 2. An information-disclosure vulnerability 4. An authorization-bypass vulnerability 5. A cross-site request-forgery vulnerability An attacker may leverage these issues to execute HTML and script code in the browser of an unsuspecting user in the context of the affected site, disclose sensitive information, perform certain unauthorized actions actions, gain unauthorized access, or bypass certain security restrictions

Trust: 2.61

sources: NVD: CVE-2017-6864 // JVNDB: JVNDB-2017-002724 // CNVD: CNVD-2017-03649 // BID: 97170 // IVD: 86ad737f-9403-4a1a-ab35-f47fd0ebabb7

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 86ad737f-9403-4a1a-ab35-f47fd0ebabb7 // CNVD: CNVD-2017-03649

AFFECTED PRODUCTS

vendor:	siemens	model:	ruggedcom rox i	scope:	lte	version:	2.9.0	Trust: 1.0
vendor:	siemens	model:	ruggedcom rox i	scope:	eq	version:	-	Trust: 0.8
vendor:	siemens	model:	ruggedcom rox i	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	ruggedcom rox i	scope:	eq	version:	2.9.0	Trust: 0.6
vendor:	siemens	model:	ruggedcom rox i	scope:	eq	version:	0	Trust: 0.3
vendor:	ruggedcom rox i	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 86ad737f-9403-4a1a-ab35-f47fd0ebabb7 // CNVD: CNVD-2017-03649 // BID: 97170 // JVNDB: JVNDB-2017-002724 // CNNVD: CNNVD-201703-633 // NVD: CVE-2017-6864

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6864
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-6864
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-03649
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201703-633
value:	LOW
Trust: 0.6
IVD:	86ad737f-9403-4a1a-ab35-f47fd0ebabb7
value:	LOW
Trust: 0.2

nvd@nist.gov:	CVE-2017-6864
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-03649
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	86ad737f-9403-4a1a-ab35-f47fd0ebabb7
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-6864
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: IVD: 86ad737f-9403-4a1a-ab35-f47fd0ebabb7 // CNVD: CNVD-2017-03649 // JVNDB: JVNDB-2017-002724 // CNNVD: CNNVD-201703-633 // NVD: CVE-2017-6864

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-002724 // NVD: CVE-2017-6864

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-633

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-633

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002724

PATCH

title:	SSA-327980	url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf	Trust: 0.8
title:	Patch for SiemensRUGGEDCOMROXI Cross-Site Scripting Vulnerability (CNVD-2017-03649)	url:	https://www.cnvd.org.cn/patchInfo/show/91175	Trust: 0.6

sources: CNVD: CNVD-2017-03649 // JVNDB: JVNDB-2017-002724

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6864	Trust: 3.5
db:	SIEMENS	id:	SSA-327980	Trust: 2.5
db:	ICS CERT	id:	ICSA-17-087-01	Trust: 1.3
db:	BID	id:	97170	Trust: 1.3
db:	SECTRACK	id:	1038160	Trust: 1.0
db:	CNVD	id:	CNVD-2017-03649	Trust: 0.8
db:	CNNVD	id:	CNNVD-201703-633	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-002724	Trust: 0.8
db:	IVD	id:	86AD737F-9403-4A1A-AB35-F47FD0EBABB7	Trust: 0.2

sources: IVD: 86ad737f-9403-4a1a-ab35-f47fd0ebabb7 // CNVD: CNVD-2017-03649 // BID: 97170 // JVNDB: JVNDB-2017-002724 // CNNVD: CNNVD-201703-633 // NVD: CVE-2017-6864

REFERENCES

url:	https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf	Trust: 2.5
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-087-01	Trust: 1.3
url:	http://www.securityfocus.com/bid/97170	Trust: 1.0
url:	http://www.securitytracker.com/id/1038160	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6864	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6864	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3

sources: CNVD: CNVD-2017-03649 // BID: 97170 // JVNDB: JVNDB-2017-002724 // CNNVD: CNNVD-201703-633 // NVD: CVE-2017-6864

CREDITS

Maxim Rupp

Trust: 0.3

sources: BID: 97170

SOURCES

db:	IVD	id:	86ad737f-9403-4a1a-ab35-f47fd0ebabb7
db:	CNVD	id:	CNVD-2017-03649
db:	BID	id:	97170
db:	JVNDB	id:	JVNDB-2017-002724
db:	CNNVD	id:	CNNVD-201703-633
db:	NVD	id:	CVE-2017-6864

LAST UPDATE DATE

2025-04-20T23:20:05.146000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-03649	date:	2017-03-29T00:00:00
db:	BID	id:	97170	date:	2017-03-28T00:00:00
db:	JVNDB	id:	JVNDB-2017-002724	date:	2017-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201703-633	date:	2017-03-30T00:00:00
db:	NVD	id:	CVE-2017-6864	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	86ad737f-9403-4a1a-ab35-f47fd0ebabb7	date:	2017-03-29T00:00:00
db:	CNVD	id:	CNVD-2017-03649	date:	2017-03-29T00:00:00
db:	BID	id:	97170	date:	2017-03-28T00:00:00
db:	JVNDB	id:	JVNDB-2017-002724	date:	2017-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201703-633	date:	2017-03-16T00:00:00
db:	NVD	id:	CVE-2017-6864	date:	2017-03-29T01:59:02.720