Details of VAR-201706-0364

ID

VAR-201706-0364

CVE

CVE-2016-9358

TITLE

plural Marel Food Processing System Vulnerabilities related to the use of hard-coded credentials in product firmware

Trust: 0.8

sources: JVNDB: JVNDB-2016-008743

DESCRIPTION

A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. The end user does not have the ability to change system passwords. plural Marel Food Processing System The product firmware contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MarelSensorX25X-rayMachine and others are products of the medical industry of Iceland Marel that provide various medical tests. A security bypass vulnerability exists in several Marel products that originated from the use of hard-coded certificates by programs. A remote attacker could exploit the vulnerability to gain unauthorized access to the affected device. Marel Food Processing Systems are prone to following security vulnerabilities: 1. A security-bypass vulnerability. 2. An arbitrary file-upload vulnerability. Marel SensorX25 X-ray Machine, etc

Trust: 2.79

sources: NVD: CVE-2016-9358 // JVNDB: JVNDB-2016-008743 // CNVD: CNVD-2017-05478 // BID: 97388 // IVD: b9677194-118b-4e66-8512-f5dc8b758b86 // VULHUB: VHN-98178 // VULMON: CVE-2016-9358

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: b9677194-118b-4e66-8512-f5dc8b758b86 // CNVD: CNVD-2017-05478

AFFECTED PRODUCTS

vendor:	marel	model:	a542	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	check bin grader	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a530	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a325	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a520 master	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	flowlineqc t376	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a520 slave	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a571	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a371	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	a320	scope:	eq	version:	-	Trust: 1.6
vendor:	marel	model:	ipm3 dual cam	scope:	eq	version:	139	Trust: 1.0
vendor:	marel	model:	ipm3 dual cam	scope:	eq	version:	132	Trust: 1.0
vendor:	marel	model:	p520	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	sensorx13 qc flow line	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	sensorx23 qc slave	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	t374	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	t377	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	sensorx23 qc master	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	v36c	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	v36	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	v36b	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	p574	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	speed batcher	scope:	eq	version:	-	Trust: 1.0
vendor:	marel	model:	a320	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a325	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a371	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a520 master	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a520 slave	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a530	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a542	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	a571	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	check bin grader	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	flowlineqc t376	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	ipm3 dual cam	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	ipm3 single cam	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	p520	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	p574	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	sensorx13 qc flow line	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	sensorx23 qc master	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	sensorx23 qc slave	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	speed batcher	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	t374	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	t377	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	v36	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	v36b	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	v36c	scope:	-	version:	-	Trust: 0.8
vendor:	marel	model:	sensorx25 x-ray machine	scope:	-	version:	-	Trust: 0.6
vendor:	marel	model:	sensorx23 x-ray machine	scope:	-	version:	-	Trust: 0.6
vendor:	marel	model:	mws2 weighing system	scope:	-	version:	-	Trust: 0.6
vendor:	marel	model:	mac4 controller	scope:	-	version:	-	Trust: 0.6
vendor:	marel	model:	m3210 termina	scope:	-	version:	-	Trust: 0.6
vendor:	marel	model:	m3000 termina	scope:	-	version:	-	Trust: 0.6
vendor:	ipm3 dual cam	model:	-	scope:	eq	version:	132	Trust: 0.4
vendor:	marel	model:	sensorx25 x-ray machine	scope:	eq	version:	0	Trust: 0.3
vendor:	marel	model:	sensorx23 x-ray machine	scope:	eq	version:	0	Trust: 0.3
vendor:	marel	model:	mws2 weighing system	scope:	eq	version:	0	Trust: 0.3
vendor:	marel	model:	mac4 controller	scope:	eq	version:	0	Trust: 0.3
vendor:	marel	model:	m3210 terminal	scope:	eq	version:	0	Trust: 0.3
vendor:	marel	model:	m3000 terminal	scope:	eq	version:	0	Trust: 0.3
vendor:	a320	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	flowlineqc t376	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	ipm3 dual cam	model:	-	scope:	eq	version:	139	Trust: 0.2
vendor:	p520	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	p574	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	sensorx13 qc flow line	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	sensorx23 qc master	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	sensorx23 qc slave	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	speed batcher	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a325	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	t374	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	t377	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	v36	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	v36b	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	v36c	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a371	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a520 master	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a520 slave	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a530	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a542	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	a571	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	check bin grader	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: b9677194-118b-4e66-8512-f5dc8b758b86 // CNVD: CNVD-2017-05478 // BID: 97388 // JVNDB: JVNDB-2016-008743 // NVD: CVE-2016-9358 // CNNVD: CNNVD-201704-557

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2016-9358
value:	CRITICAL
Trust: 1.8
CNVD:	CNVD-2017-05478
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201704-557
value:	CRITICAL
Trust: 0.6
IVD:	b9677194-118b-4e66-8512-f5dc8b758b86
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-98178
value:	HIGH
Trust: 0.1
VULMON:	CVE-2016-9358
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2016-9358
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9
CNVD:	CNVD-2017-05478
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	b9677194-118b-4e66-8512-f5dc8b758b86
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-98178
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2016-9358
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: b9677194-118b-4e66-8512-f5dc8b758b86 // CNVD: CNVD-2017-05478 // VULHUB: VHN-98178 // VULMON: CVE-2016-9358 // JVNDB: JVNDB-2016-008743 // NVD: CVE-2016-9358 // CNNVD: CNNVD-201704-557

PROBLEMTYPE DATA

problemtype:

CWE-798

Trust: 1.9

sources: VULHUB: VHN-98178 // JVNDB: JVNDB-2016-008743 // NVD: CVE-2016-9358

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-557

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201704-557

CONFIGURATIONS

sources: NVD: CVE-2016-9358

PATCH

title:

Top Page

url:

http://marel.com/

Trust: 0.8

sources: JVNDB: JVNDB-2016-008743

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9358	Trust: 3.7
db:	BID	id:	97388	Trust: 2.7
db:	ICS CERT	id:	ICSA-17-094-02	Trust: 2.7
db:	ICS CERT	id:	ICSA-17-094-02B	Trust: 0.9
db:	CNVD	id:	CNVD-2017-05478	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-557	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-008743	Trust: 0.8
db:	IVD	id:	B9677194-118B-4E66-8512-F5DC8B758B86	Trust: 0.2
db:	VULHUB	id:	VHN-98178	Trust: 0.1
db:	VULMON	id:	CVE-2016-9358	Trust: 0.1

sources: IVD: b9677194-118b-4e66-8512-f5dc8b758b86 // CNVD: CNVD-2017-05478 // VULHUB: VHN-98178 // VULMON: CVE-2016-9358 // BID: 97388 // JVNDB: JVNDB-2016-008743 // NVD: CVE-2016-9358 // CNNVD: CNNVD-201704-557

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-094-02	Trust: 2.4
url:	http://www.securityfocus.com/bid/97388	Trust: 1.9
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-094-02b	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9358	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-9358	Trust: 0.8
url:	http://marel.com/	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-094-02	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-05478 // VULHUB: VHN-98178 // VULMON: CVE-2016-9358 // BID: 97388 // JVNDB: JVNDB-2016-008743 // NVD: CVE-2016-9358 // CNNVD: CNNVD-201704-557

CREDITS

Daniel Lance

Trust: 0.3

sources: BID: 97388

SOURCES

db:	IVD	id:	b9677194-118b-4e66-8512-f5dc8b758b86
db:	CNVD	id:	CNVD-2017-05478
db:	VULHUB	id:	VHN-98178
db:	VULMON	id:	CVE-2016-9358
db:	BID	id:	97388
db:	JVNDB	id:	JVNDB-2016-008743
db:	NVD	id:	CVE-2016-9358
db:	CNNVD	id:	CNNVD-201704-557

LAST UPDATE DATE

2023-12-18T12:43:36.241000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-05478	date:	2017-04-27T00:00:00
db:	VULHUB	id:	VHN-98178	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2016-9358	date:	2019-10-09T00:00:00
db:	BID	id:	97388	date:	2017-04-11T00:02:00
db:	JVNDB	id:	JVNDB-2016-008743	date:	2017-08-17T00:00:00
db:	NVD	id:	CVE-2016-9358	date:	2019-10-09T23:20:25.397
db:	CNNVD	id:	CNNVD-201704-557	date:	2019-10-17T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	b9677194-118b-4e66-8512-f5dc8b758b86	date:	2017-04-27T00:00:00
db:	CNVD	id:	CNVD-2017-05478	date:	2017-04-27T00:00:00
db:	VULHUB	id:	VHN-98178	date:	2017-06-30T00:00:00
db:	VULMON	id:	CVE-2016-9358	date:	2017-06-30T00:00:00
db:	BID	id:	97388	date:	2017-04-04T00:00:00
db:	JVNDB	id:	JVNDB-2016-008743	date:	2017-08-17T00:00:00
db:	NVD	id:	CVE-2016-9358	date:	2017-06-30T03:29:00.187
db:	CNNVD	id:	CNNVD-201704-557	date:	2017-04-11T00:00:00