Sign-up

ID

VAR-201805-0356


CVE

CVE-2017-9635


TITLE

Schneider Electric Ampla MES Weak password vulnerability

Trust: 0.8

sources: IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98 // CNVD: CNVD-2017-22830

DESCRIPTION

Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible. Schneider Electric Ampla MES Contains a cryptographic strength vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Ampla Manufacturing Execution System (MES) is a manufacturing execution system for on-site production management in production plants and production plants by Schneider Electric. Local attackers can exploit these issues to obtain sensitive information which may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-9635 // JVNDB: JVNDB-2017-013476 // CNVD: CNVD-2017-22830 // BID: 99469 // IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98 // CNVD: CNVD-2017-22830

AFFECTED PRODUCTS

vendor:schneider electricmodel:ampla manufacturing execution systemscope:lteversion:6.4

Trust: 1.8

vendor:schneider electricmodel:ampla manufacturing execution systemscope:eqversion:6.4

Trust: 0.9

vendor:schneidermodel:electric ampla messcope:lteversion:<=6.4

Trust: 0.6

vendor:schneider electricmodel:ampla manufacturing execution systemscope:eqversion:6.0

Trust: 0.3

vendor:schneider electricmodel:ampla manufacturing execution systemscope:neversion:6.5

Trust: 0.3

vendor:ampla manufacturing execution systemmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98 // CNVD: CNVD-2017-22830 // BID: 99469 // JVNDB: JVNDB-2017-013476 // CNNVD: CNNVD-201706-868 // NVD: CVE-2017-9635

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9635
value: LOW

Trust: 1.0

NVD: CVE-2017-9635
value: LOW

Trust: 0.8

CNVD: CNVD-2017-22830
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-868
value: LOW

Trust: 0.6

IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98
value: LOW

Trust: 0.2

nvd@nist.gov: CVE-2017-9635
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-22830
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9635
baseSeverity: LOW
baseScore: 3.9
vectorString: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.5
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98 // CNVD: CNVD-2017-22830 // JVNDB: JVNDB-2017-013476 // CNNVD: CNNVD-201706-868 // NVD: CVE-2017-9635

PROBLEMTYPE DATA

problemtype:CWE-326

Trust: 1.8

sources: JVNDB: JVNDB-2017-013476 // NVD: CVE-2017-9635

THREAT TYPE

local

Trust: 0.9

sources: BID: 99469 // CNNVD: CNNVD-201706-868

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201706-868

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-013476

PATCH
title:Ampla MES multiple vulnerabilitiesurl:https://cdn2.hubspot.net/hubfs/2900448/assets-2018/pdf/security-bulletin/LFSec00000118.pdf
Trust: 0.8
title:Schneider Electric Ampla Patch for MES Weak Password Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/100846
Trust: 0.6
title:Schneider Electric Ampla MES Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99875
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-22830 // 
            
            
            
            JVNDB: JVNDB-2017-013476 // 
            
            
            
            CNNVD: CNNVD-201706-868

EXTERNAL IDS
db:NVDid:CVE-2017-9635
Trust: 3.5
db:ICS CERTid:ICSA-17-187-05
Trust: 3.3
db:BIDid:99469
Trust: 2.5
db:CNVDid:CNVD-2017-22830
Trust: 0.8
db:CNNVDid:CNNVD-201706-868
Trust: 0.8
db:JVNDBid:JVNDB-2017-013476
Trust: 0.8
db:IVDid:BA0D2B77-AB21-4236-93A1-BB5F4B9F6F98
Trust: 0.2
sources:
            
            
            IVD: ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98 // 
            
            
            
            CNVD: CNVD-2017-22830 // 
            
            
            
            BID: 99469 // 
            
            
            
            JVNDB: JVNDB-2017-013476 // 
            
            
            
            CNNVD: CNNVD-201706-868 // 
            
            
            
            NVD: CVE-2017-9635

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-187-05
Trust: 3.3
url:http://www.securityfocus.com/bid/99469
Trust: 2.2
url:http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9635
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-9635
Trust: 0.8
url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-22830 // 
            
            
            
            BID: 99469 // 
            
            
            
            JVNDB: JVNDB-2017-013476 // 
            
            
            
            CNNVD: CNNVD-201706-868 // 
            
            
            
            NVD: CVE-2017-9635

CREDITS
Ilya Karpov
Trust: 0.3
sources:
            
            
            BID: 99469

SOURCES
db:IVDid:ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98
db:CNVDid:CNVD-2017-22830
db:BIDid:99469
db:JVNDBid:JVNDB-2017-013476
db:CNNVDid:CNNVD-201706-868
db:NVDid:CVE-2017-9635

LAST UPDATE DATE
2024-11-23T22:17:30.617000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-22830date:2017-08-25T00:00:00
db:BIDid:99469date:2017-07-06T00:00:00
db:JVNDBid:JVNDB-2017-013476date:2018-07-13T00:00:00
db:CNNVDid:CNNVD-201706-868date:2019-10-17T00:00:00
db:NVDid:CVE-2017-9635date:2024-11-21T03:36:33.690

SOURCES RELEASE DATE
db:IVDid:ba0d2b77-ab21-4236-93a1-bb5f4b9f6f98date:2017-08-25T00:00:00
db:CNVDid:CNVD-2017-22830date:2017-08-25T00:00:00
db:BIDid:99469date:2017-07-06T00:00:00
db:JVNDBid:JVNDB-2017-013476date:2018-07-13T00:00:00
db:CNNVDid:CNNVD-201706-868date:2017-06-21T00:00:00
db:NVDid:CVE-2017-9635date:2018-05-18T13:29:00.223