ID

VAR-201710-0789


CVE

CVE-2017-13992


TITLE

LOYTEC LVIS-3ME Vulnerabilities related to lack of entropy

Trust: 0.8

sources: JVNDB: JVNDB-2017-008624

DESCRIPTION

An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not use sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution. LOYTEC LVIS-3ME contains a vulnerability related to lack of entropy. Information may be obtained or altered, and service operation may be disrupted (DoS).

LOYTEC LVIS-3ME is prone to the following security vulnerabilities:

1. A directory-traversal vulnerability
2. An insufficient-entropy vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability

An attacker may leverage these issues to execute script code in the browser of an unsuspecting user in the context of the affected site, disclose sensitive information, execute arbitrary code within the context of the affected system, or use specially crafted requests with directory-traversal sequences ('../') to read arbitrary files in the context of the application.

LOYTEC LVIS-3ME is an HMI touch panel produced by LOYTEC in Germany. A remote attacker could exploit this vulnerability to execute code.

Trust: 1.98

sources: NVD: CVE-2017-13992 // JVNDB: JVNDB-2017-008624 // BID: 100847 // VULHUB: VHN-104670

AFFECTED PRODUCTS

vendor: loytec, model: lvis-3me, scope: lte, version: 6.1.1

Trust: 1.0

vendor: loytec, model: lvis-3me, scope: lt, version: 6.2.0

Trust: 0.8

vendor: loytec, model: lvis-3me, scope: eq, version: 6.1.1

Trust: 0.6

vendor: loytec, model: lvis-3me, scope: eq, version: 0

Trust: 0.3

vendor: loytec, model: lvis-3me, scope: ne, version: 6.2

Trust: 0.3

sources: BID: 100847 // JVNDB: JVNDB-2017-008624 // CNNVD: CNNVD-201709-869 // NVD: CVE-2017-13992

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-13992
value: HIGH

Trust: 1.0

NVD: CVE-2017-13992
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201709-869
value: HIGH

Trust: 0.6

VULHUB: VHN-104670
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-13992
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104670
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-13992
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104670 // JVNDB: JVNDB-2017-008624 // CNNVD: CNNVD-201709-869 // NVD: CVE-2017-13992

PROBLEMTYPE DATA

problemtype:CWE-331

Trust: 1.9

sources: VULHUB: VHN-104670 // JVNDB: JVNDB-2017-008624 // NVD: CVE-2017-13992

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-869

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-201709-869

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-008624

PATCH

title: Top Page, url: https://www.loytec.com/jp/

Trust: 0.8

title: LOYTEC LVIS-3ME Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74974

Trust: 0.6

sources: JVNDB: JVNDB-2017-008624 // CNNVD: CNNVD-201709-869

EXTERNAL IDS

db: NVD, id: CVE-2017-13992

Trust: 2.8

db: ICS CERT, id: ICSA-17-257-01

Trust: 2.8

db: BID, id: 100847

Trust: 2.0

db: JVNDB, id: JVNDB-2017-008624

Trust: 0.8

db: CNNVD, id: CNNVD-201709-869

Trust: 0.7

db: VULHUB, id: VHN-104670

Trust: 0.1

sources: VULHUB: VHN-104670 // BID: 100847 // JVNDB: JVNDB-2017-008624 // CNNVD: CNNVD-201709-869 // NVD: CVE-2017-13992

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-257-01

Trust: 2.8

url:http://www.securityfocus.com/bid/100847

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-13992

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-13992

Trust: 0.8

url:https://www.loytec.com/

Trust: 0.3

sources: VULHUB: VHN-104670 // BID: 100847 // JVNDB: JVNDB-2017-008624 // CNNVD: CNNVD-201709-869 // NVD: CVE-2017-13992

CREDITS

Davy Douhine of RandoriSec

Trust: 0.9

sources: BID: 100847 // CNNVD: CNNVD-201709-869

SOURCES

db: VULHUB, id: VHN-104670
db: BID, id: 100847
db: JVNDB, id: JVNDB-2017-008624
db: CNNVD, id: CNNVD-201709-869
db: NVD, id: CVE-2017-13992

LAST UPDATE DATE

2025-04-20T23:22:09.963000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-104670, date: 2019-10-09T00:00:00
db: BID, id: 100847, date: 2017-09-14T00:00:00
db: JVNDB, id: JVNDB-2017-008624, date: 2017-10-25T00:00:00
db: CNNVD, id: CNNVD-201709-869, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-13992, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-104670, date: 2017-10-05T00:00:00
db: BID, id: 100847, date: 2017-09-14T00:00:00
db: JVNDB, id: JVNDB-2017-008624, date: 2017-10-25T00:00:00
db: CNNVD, id: CNNVD-201709-869, date: 2017-09-21T00:00:00
db: NVD, id: CVE-2017-13992, date: 2017-10-05T21:29:00.240