Sign-up

ID

VAR-201805-0357


CVE

CVE-2017-9637


TITLE

Schneider Electric Ampla MES Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: 890a1383-4ec0-4207-b781-5c333a42bed8 // CNVD: CNVD-2017-22831

DESCRIPTION

Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible. Ampla Manufacturing Execution System (MES) is a manufacturing execution system for on-site production management in production plants and production plants by Schneider Electric. information. Local attackers can exploit these issues to obtain sensitive information which may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-9637 // JVNDB: JVNDB-2017-013475 // CNVD: CNVD-2017-22831 // BID: 99469 // IVD: 890a1383-4ec0-4207-b781-5c333a42bed8

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 890a1383-4ec0-4207-b781-5c333a42bed8 // CNVD: CNVD-2017-22831

AFFECTED PRODUCTS

vendor:schneider electricmodel:ampla manufacturing execution systemscope:lteversion:6.4

Trust: 1.8

vendor:schneider electricmodel:ampla manufacturing execution systemscope:eqversion:6.4

Trust: 0.9

vendor:schneidermodel:electric ampla messcope:lteversion:<=6.4

Trust: 0.6

vendor:schneider electricmodel:ampla manufacturing execution systemscope:eqversion:6.0

Trust: 0.3

vendor:schneider electricmodel:ampla manufacturing execution systemscope:neversion:6.5

Trust: 0.3

vendor:ampla manufacturing execution systemmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 890a1383-4ec0-4207-b781-5c333a42bed8 // CNVD: CNVD-2017-22831 // BID: 99469 // JVNDB: JVNDB-2017-013475 // CNNVD: CNNVD-201706-866 // NVD: CVE-2017-9637

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9637
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-9637
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-22831
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201706-866
value: MEDIUM

Trust: 0.6

IVD: 890a1383-4ec0-4207-b781-5c333a42bed8
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-9637
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-22831
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 890a1383-4ec0-4207-b781-5c333a42bed8
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9637
baseSeverity: MEDIUM
baseScore: 4.1
vectorString: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.5
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: 890a1383-4ec0-4207-b781-5c333a42bed8 // CNVD: CNVD-2017-22831 // JVNDB: JVNDB-2017-013475 // CNNVD: CNNVD-201706-866 // NVD: CVE-2017-9637

PROBLEMTYPE DATA

problemtype:CWE-319

Trust: 1.0

problemtype:CWE-522

Trust: 1.0

problemtype:CWE-254

Trust: 0.8

sources: JVNDB: JVNDB-2017-013475 // NVD: CVE-2017-9637

THREAT TYPE

local

Trust: 0.9

sources: BID: 99469 // CNNVD: CNNVD-201706-866

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201706-866

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-013475

PATCH
title:Ampla MES  multiple vulnerabilitiesurl:https://cdn2.hubspot.net/hubfs/2900448/assets-2018/pdf/security-bulletin/LFSec00000118.pdf
Trust: 0.8
title:Schneider Electric Ampla MES Information Disclosure Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/100849
Trust: 0.6
title:Schneider Electric Ampla MES Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99874
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-22831 // 
            
            
            
            JVNDB: JVNDB-2017-013475 // 
            
            
            
            CNNVD: CNNVD-201706-866

EXTERNAL IDS
db:NVDid:CVE-2017-9637
Trust: 3.5
db:ICS CERTid:ICSA-17-187-05
Trust: 3.3
db:BIDid:99469
Trust: 2.5
db:CNVDid:CNVD-2017-22831
Trust: 0.8
db:CNNVDid:CNNVD-201706-866
Trust: 0.8
db:JVNDBid:JVNDB-2017-013475
Trust: 0.8
db:IVDid:890A1383-4EC0-4207-B781-5C333A42BED8
Trust: 0.2
sources:
            
            
            IVD: 890a1383-4ec0-4207-b781-5c333a42bed8 // 
            
            
            
            CNVD: CNVD-2017-22831 // 
            
            
            
            BID: 99469 // 
            
            
            
            JVNDB: JVNDB-2017-013475 // 
            
            
            
            CNNVD: CNNVD-201706-866 // 
            
            
            
            NVD: CVE-2017-9637

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-187-05
Trust: 3.3
url:http://www.securityfocus.com/bid/99469
Trust: 2.2
url:http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9637
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-9637
Trust: 0.8
url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-22831 // 
            
            
            
            BID: 99469 // 
            
            
            
            JVNDB: JVNDB-2017-013475 // 
            
            
            
            CNNVD: CNNVD-201706-866 // 
            
            
            
            NVD: CVE-2017-9637

CREDITS
Ilya Karpov
Trust: 0.3
sources:
            
            
            BID: 99469

SOURCES
db:IVDid:890a1383-4ec0-4207-b781-5c333a42bed8
db:CNVDid:CNVD-2017-22831
db:BIDid:99469
db:JVNDBid:JVNDB-2017-013475
db:CNNVDid:CNNVD-201706-866
db:NVDid:CVE-2017-9637

LAST UPDATE DATE
2024-11-23T22:17:30.581000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-22831date:2017-08-25T00:00:00
db:BIDid:99469date:2017-07-06T00:00:00
db:JVNDBid:JVNDB-2017-013475date:2018-07-13T00:00:00
db:CNNVDid:CNNVD-201706-866date:2019-10-17T00:00:00
db:NVDid:CVE-2017-9637date:2024-11-21T03:36:33.920

SOURCES RELEASE DATE
db:IVDid:890a1383-4ec0-4207-b781-5c333a42bed8date:2017-08-25T00:00:00
db:CNVDid:CNVD-2017-22831date:2017-08-25T00:00:00
db:BIDid:99469date:2017-07-06T00:00:00
db:JVNDBid:JVNDB-2017-013475date:2018-07-13T00:00:00
db:CNNVDid:CNNVD-201706-866date:2017-06-21T00:00:00
db:NVDid:CVE-2017-9637date:2018-05-18T13:29:00.283