Details of VAR-201710-0792

ID

VAR-201710-0792

CVE

CVE-2017-13995

TITLE

iniNet Solutions GmbH SCADA Webserver Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: f360a512-61e8-46a7-9a28-c8f631a2e303 // CNVD: CNVD-2017-28914

DESCRIPTION

An Improper Authentication issue was discovered in iniNet Solutions iniNet Webserver, all versions prior to V2.02.0100. The webserver does not properly authenticate users, which may allow a malicious attacker to access sensitive information such as HMI pages or modify PLC variables. iniNet Solutions SCADA Web Server Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SCADA Webserver is a third-party web-based server software. IniNet Solutions SCADA Web Server is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. IniNet Solutions SCADA Web Server prior to 2.02.0100 are vulnerable

Trust: 2.7

sources: NVD: CVE-2017-13995 // JVNDB: JVNDB-2017-009407 // CNVD: CNVD-2017-28914 // BID: 100951 // IVD: f360a512-61e8-46a7-9a28-c8f631a2e303 // VULMON: CVE-2017-13995

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: f360a512-61e8-46a7-9a28-c8f631a2e303 // CNVD: CNVD-2017-28914

AFFECTED PRODUCTS

vendor:	spidercontrol	model:	ininet webserver	scope:	lte	version:	2.02.0000	Trust: 1.0
vendor:	ininet	model:	scada web server	scope:	lt	version:	2.02.0100	Trust: 0.8
vendor:	ininet	model:	scada webserver	scope:	lt	version:	2.02.0100	Trust: 0.6
vendor:	spidercontrol	model:	ininet webserver	scope:	eq	version:	2.02.0000	Trust: 0.6
vendor:	ininet	model:	scada web server	scope:	eq	version:	2.02	Trust: 0.3
vendor:	ininet	model:	scada web server	scope:	eq	version:	2.01	Trust: 0.3
vendor:	ininet	model:	scada web server	scope:	eq	version:	2.0	Trust: 0.3
vendor:	ininet	model:	scada web server	scope:	ne	version:	2.02.0100	Trust: 0.3
vendor:	ininet webserver	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: f360a512-61e8-46a7-9a28-c8f631a2e303 // CNVD: CNVD-2017-28914 // BID: 100951 // JVNDB: JVNDB-2017-009407 // CNNVD: CNNVD-201709-1089 // NVD: CVE-2017-13995

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-13995
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-13995
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2017-28914
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201709-1089
value:	CRITICAL
Trust: 0.6
IVD:	f360a512-61e8-46a7-9a28-c8f631a2e303
value:	CRITICAL
Trust: 0.2
VULMON:	CVE-2017-13995
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-13995
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-28914
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	f360a512-61e8-46a7-9a28-c8f631a2e303
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-13995
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: IVD: f360a512-61e8-46a7-9a28-c8f631a2e303 // CNVD: CNVD-2017-28914 // VULMON: CVE-2017-13995 // JVNDB: JVNDB-2017-009407 // CNNVD: CNNVD-201709-1089 // NVD: CVE-2017-13995

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2017-009407 // NVD: CVE-2017-13995

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-1089

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201709-1089

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009407

PATCH

title:	Top Page	url:	http://spidercontrol.net/?lang=en	Trust: 0.8
title:	iniNet Solutions GmbH SCADA Webserver Unauthorized Access Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/102631	Trust: 0.6
title:	IniNet Solutions SCADA Web Server Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75076	Trust: 0.6

sources: CNVD: CNVD-2017-28914 // JVNDB: JVNDB-2017-009407 // CNNVD: CNNVD-201709-1089

EXTERNAL IDS

db:	NVD	id:	CVE-2017-13995	Trust: 3.6
db:	ICS CERT	id:	ICSA-17-264-04	Trust: 3.4
db:	BID	id:	100951	Trust: 2.0
db:	CNVD	id:	CNVD-2017-28914	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-1089	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-009407	Trust: 0.8
db:	IVD	id:	F360A512-61E8-46A7-9A28-C8F631A2E303	Trust: 0.2
db:	VULMON	id:	CVE-2017-13995	Trust: 0.1

sources: IVD: f360a512-61e8-46a7-9a28-c8f631a2e303 // CNVD: CNVD-2017-28914 // VULMON: CVE-2017-13995 // BID: 100951 // JVNDB: JVNDB-2017-009407 // CNNVD: CNNVD-201709-1089 // NVD: CVE-2017-13995

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-264-04	Trust: 3.4
url:	http://www.securityfocus.com/bid/100951	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-13995	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-13995	Trust: 0.8
url:	http://spidercontrol.net/ininet/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-28914 // VULMON: CVE-2017-13995 // BID: 100951 // JVNDB: JVNDB-2017-009407 // CNNVD: CNNVD-201709-1089 // NVD: CVE-2017-13995

CREDITS

both of Augsburg University of Applied Sciences.,Matthias Niedermaier and Florian Fischer

Trust: 0.6

sources: CNNVD: CNNVD-201709-1089

SOURCES

db:	IVD	id:	f360a512-61e8-46a7-9a28-c8f631a2e303
db:	CNVD	id:	CNVD-2017-28914
db:	VULMON	id:	CVE-2017-13995
db:	BID	id:	100951
db:	JVNDB	id:	JVNDB-2017-009407
db:	CNNVD	id:	CNNVD-201709-1089
db:	NVD	id:	CVE-2017-13995

LAST UPDATE DATE

2025-04-20T23:30:51.758000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-28914	date:	2017-09-22T00:00:00
db:	VULMON	id:	CVE-2017-13995	date:	2019-10-09T00:00:00
db:	BID	id:	100951	date:	2017-09-21T00:00:00
db:	JVNDB	id:	JVNDB-2017-009407	date:	2017-11-10T00:00:00
db:	CNNVD	id:	CNNVD-201709-1089	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-13995	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	f360a512-61e8-46a7-9a28-c8f631a2e303	date:	2017-09-22T00:00:00
db:	CNVD	id:	CNVD-2017-28914	date:	2017-09-22T00:00:00
db:	VULMON	id:	CVE-2017-13995	date:	2017-10-05T00:00:00
db:	BID	id:	100951	date:	2017-09-21T00:00:00
db:	JVNDB	id:	JVNDB-2017-009407	date:	2017-11-10T00:00:00
db:	CNNVD	id:	CNNVD-201709-1089	date:	2017-09-26T00:00:00
db:	NVD	id:	CVE-2017-13995	date:	2017-10-05T01:29:05.227