Sign-up

ID

VAR-201710-1115


CVE

CVE-2017-12728


TITLE

iniNet Solutions SCADA Web Server Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-009408

DESCRIPTION

An Improper Privilege Management issue was discovered in SpiderControl SCADA Web Server Version 2.02.0007 and prior. Authenticated, non-administrative local users are able to alter service executables with escalated privileges, which could allow an attacker to execute arbitrary code under the context of the current system services. iniNet Solutions SCADA Web Server Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Failed attempts may lead to denial-of-service conditions

Trust: 2.61

sources: NVD: CVE-2017-12728 // JVNDB: JVNDB-2017-009408 // CNVD: CNVD-2017-25725 // BID: 100668 // IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea // CNVD: CNVD-2017-25725

AFFECTED PRODUCTS

vendor:spidercontrolmodel:scada webserverscope:lteversion:2.02.0007

Trust: 1.0

vendor:ininetmodel:scada web serverscope:lteversion:2.02.0007

Trust: 0.8

vendor:spidercontrolmodel:scada web serverscope:lteversion:<=2.02.0007

Trust: 0.6

vendor:spidercontrolmodel:scada web serverscope:eqversion:2.02.0007

Trust: 0.6

vendor:spidercontrolmodel:scada web serverscope:eqversion:2.2.7

Trust: 0.3

vendor:spidercontrolmodel:scada web serverscope:eqversion:0

Trust: 0.3

vendor:spidercontrolmodel:scada web serverscope:neversion:2.02.0100

Trust: 0.3

vendor:scada web servermodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea // CNVD: CNVD-2017-25725 // BID: 100668 // JVNDB: JVNDB-2017-009408 // CNNVD: CNNVD-201709-518 // NVD: CVE-2017-12728

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12728
value: HIGH

Trust: 1.0

NVD: CVE-2017-12728
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-25725
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201709-518
value: HIGH

Trust: 0.6

IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-12728
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-25725
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-12728
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-12728
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea // CNVD: CNVD-2017-25725 // JVNDB: JVNDB-2017-009408 // CNNVD: CNNVD-201709-518 // NVD: CVE-2017-12728

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2017-009408 // NVD: CVE-2017-12728

THREAT TYPE

local

Trust: 0.9

sources: BID: 100668 // CNNVD: CNNVD-201709-518

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201709-518

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-009408

PATCH
title:Top Pageurl:http://spidercontrol.net/?lang=en
Trust: 0.8
title:Patch for SpiderControl SCADA Web Server Privilege Escalation Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/101789
Trust: 0.6
title:iniNet Solutions SpiderControl SCADA Web Server Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74855
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-25725 // 
            
            
            
            JVNDB: JVNDB-2017-009408 // 
            
            
            
            CNNVD: CNNVD-201709-518

EXTERNAL IDS
db:NVDid:CVE-2017-12728
Trust: 3.5
db:ICS CERTid:ICSA-17-250-01
Trust: 3.3
db:BIDid:100668
Trust: 1.9
db:CNVDid:CNVD-2017-25725
Trust: 0.8
db:CNNVDid:CNNVD-201709-518
Trust: 0.8
db:JVNDBid:JVNDB-2017-009408
Trust: 0.8
db:IVDid:318EDF6E-D1A4-4E3C-80DE-A908117A2CEA
Trust: 0.2
sources:
            
            
            IVD: 318edf6e-d1a4-4e3c-80de-a908117a2cea // 
            
            
            
            CNVD: CNVD-2017-25725 // 
            
            
            
            BID: 100668 // 
            
            
            
            JVNDB: JVNDB-2017-009408 // 
            
            
            
            CNNVD: CNNVD-201709-518 // 
            
            
            
            NVD: CVE-2017-12728

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-250-01
Trust: 3.3
url:http://www.securityfocus.com/bid/100668
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12728
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12728
Trust: 0.8
url:http://spidercontrol.net/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-25725 // 
            
            
            
            BID: 100668 // 
            
            
            
            JVNDB: JVNDB-2017-009408 // 
            
            
            
            CNNVD: CNNVD-201709-518 // 
            
            
            
            NVD: CVE-2017-12728

CREDITS
Karn Ganeshen.
Trust: 0.9
sources:
            
            
            BID: 100668 // 
            
            
            
            CNNVD: CNNVD-201709-518

SOURCES
db:IVDid:318edf6e-d1a4-4e3c-80de-a908117a2cea
db:CNVDid:CNVD-2017-25725
db:BIDid:100668
db:JVNDBid:JVNDB-2017-009408
db:CNNVDid:CNNVD-201709-518
db:NVDid:CVE-2017-12728

LAST UPDATE DATE
2025-04-20T23:35:41.291000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-25725date:2017-09-08T00:00:00
db:BIDid:100668date:2017-09-07T00:00:00
db:JVNDBid:JVNDB-2017-009408date:2017-11-10T00:00:00
db:CNNVDid:CNNVD-201709-518date:2019-10-17T00:00:00
db:NVDid:CVE-2017-12728date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:318edf6e-d1a4-4e3c-80de-a908117a2ceadate:2017-09-08T00:00:00
db:CNVDid:CNVD-2017-25725date:2017-09-08T00:00:00
db:BIDid:100668date:2017-09-07T00:00:00
db:JVNDBid:JVNDB-2017-009408date:2017-11-10T00:00:00
db:CNNVDid:CNNVD-201709-518date:2017-09-18T00:00:00
db:NVDid:CVE-2017-12728date:2017-10-05T01:29:05.117