Details of VAR-201704-0598

ID

VAR-201704-0598

CVE

CVE-2017-5160

TITLE

Schneider Electric Wonderware InTouch Access Anywhere Vulnerabilities related to cryptographic strength

Trust: 0.8

sources: JVNDB: JVNDB-2017-003246

DESCRIPTION

An Inadequate Encryption Strength issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The software will connect via Transport Layer Security without verifying the peer's SSL certificate properly. Wonderware InTouch Access Anywhere is a product that provides access to InTouch applications through a web browser. An attacker could exploit the vulnerability to perform operations as a user and gain access to resources. Other attacks are also possible

Trust: 2.61

sources: NVD: CVE-2017-5160 // JVNDB: JVNDB-2017-003246 // CNVD: CNVD-2017-05158 // BID: 97256 // IVD: 711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1 // CNVD: CNVD-2017-05158

AFFECTED PRODUCTS

vendor:	aveva	model:	wonderware intouch access anywhere	scope:	lte	version:	11.5.2	Trust: 1.0
vendor:	schneider electric	model:	wonderware intouch access anywhere 2014	scope:	lte	version:	r2 sp1b (11.5.2)	Trust: 0.8
vendor:	schneider	model:	electric wonderware intouch access anywhere	scope:	lte	version:	<=11.5.2	Trust: 0.6
vendor:	schneider electric	model:	wonderware intouch access anywhere 2014	scope:	eq	version:	11.5.2	Trust: 0.6
vendor:	schneider electric	model:	wonderware intouch access anywhere	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	schneider electric	model:	wonderware intouch access anywhere	scope:	ne	version:	17.0	Trust: 0.3
vendor:	wonderware intouch access anywhere 2014	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1 // CNVD: CNVD-2017-05158 // BID: 97256 // JVNDB: JVNDB-2017-003246 // NVD: CVE-2017-5160 // CNNVD: CNNVD-201703-1439

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-5160
value:	MEDIUM
Trust: 1.8
CNVD:	CNVD-2017-05158
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201703-1439
value:	MEDIUM
Trust: 0.6
IVD:	711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1
value:	LOW
Trust: 0.2

NVD:
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2017-5160
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2017-05158
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

NVD:
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.6
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2017-5160
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1 // CNVD: CNVD-2017-05158 // JVNDB: JVNDB-2017-003246 // NVD: CVE-2017-5160 // CNNVD: CNNVD-201703-1439

PROBLEMTYPE DATA

problemtype:

CWE-326

Trust: 1.8

sources: JVNDB: JVNDB-2017-003246 // NVD: CVE-2017-5160

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1439

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201703-1439

CONFIGURATIONS

sources: NVD: CVE-2017-5160

PATCH

title:	Wonderware Security Bulletin LFSEC00000114	url:	http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/	Trust: 0.8
title:	Schneider Electric Wonderware InTouch Access Anywhere Permission to Obtain Vulnerability Patches	url:	https://www.cnvd.org.cn/patchinfo/show/92493	Trust: 0.6
title:	Schneider Electric Wonderware InTouch Access Anywhere Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68929	Trust: 0.6

sources: CNVD: CNVD-2017-05158 // JVNDB: JVNDB-2017-003246 // CNNVD: CNNVD-201703-1439

EXTERNAL IDS

db:	NVD	id:	CVE-2017-5160	Trust: 3.5
db:	ICS CERT	id:	ICSA-17-089-01	Trust: 2.7
db:	BID	id:	97256	Trust: 2.5
db:	CNVD	id:	CNVD-2017-05158	Trust: 0.8
db:	CNNVD	id:	CNNVD-201703-1439	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-003246	Trust: 0.8
db:	IVD	id:	711B5D8E-4A5D-46F7-86C8-13A45D8F3CA1	Trust: 0.2

sources: IVD: 711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1 // CNVD: CNVD-2017-05158 // BID: 97256 // JVNDB: JVNDB-2017-003246 // NVD: CVE-2017-5160 // CNNVD: CNNVD-201703-1439

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-089-01	Trust: 2.7
url:	http://www.securityfocus.com/bid/97256	Trust: 2.2
url:	http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5160	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-5160	Trust: 0.8
url:	http://www.schneider-electric.com/products/ww/en/	Trust: 0.3

sources: CNVD: CNVD-2017-05158 // BID: 97256 // JVNDB: JVNDB-2017-003246 // NVD: CVE-2017-5160 // CNNVD: CNNVD-201703-1439

CREDITS

Ruslan Habalov and Jan Bee of the Google ISA Assessments Team

Trust: 0.9

sources: BID: 97256 // CNNVD: CNNVD-201703-1439

SOURCES

db:	IVD	id:	711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1
db:	CNVD	id:	CNVD-2017-05158
db:	BID	id:	97256
db:	JVNDB	id:	JVNDB-2017-003246
db:	NVD	id:	CVE-2017-5160
db:	CNNVD	id:	CNNVD-201703-1439

LAST UPDATE DATE

2023-12-18T12:44:39.823000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-05158	date:	2017-04-24T00:00:00
db:	BID	id:	97256	date:	2017-04-04T00:02:00
db:	JVNDB	id:	JVNDB-2017-003246	date:	2017-05-22T00:00:00
db:	NVD	id:	CVE-2017-5160	date:	2021-08-31T19:49:09.993
db:	CNNVD	id:	CNNVD-201703-1439	date:	2021-09-01T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	711b5d8e-4a5d-46f7-86c8-13a45d8f3ca1	date:	2017-04-24T00:00:00
db:	CNVD	id:	CNVD-2017-05158	date:	2017-04-24T00:00:00
db:	BID	id:	97256	date:	2017-03-31T00:00:00
db:	JVNDB	id:	JVNDB-2017-003246	date:	2017-05-22T00:00:00
db:	NVD	id:	CVE-2017-5160	date:	2017-04-20T20:59:00.487
db:	CNNVD	id:	CNNVD-201703-1439	date:	2017-03-31T00:00:00