Detections
Analytics
Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 Multiple Vulnerabilities
critical Nessus Network Monitor Plugin ID 720014
Synopsis
Siemens WinCC and SIMATIC HMI panels are affected by multiple vulnerabilities.Description
Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 are affected by multiple vulnerabilities.- A directory traversal vulnerability in miniweb.exe in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to read arbitrary files via a ..%5c (dot dot backslash) in a URI.
- The HMI web server in the affected products generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie.
- The HMI web server in the affected products has an improperly selected default password for the administrator account, which makes it easier for remote attackers to obtain access via a brute-force approach involving many HTTP requests.
- A Cross-site scripting (XSS) vulnerability in the HMI web server in Siemens WinCC flexible exists that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2011-4510 and CVE-2011-4511).
- A CRLF injection vulnerability exists that allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. (CVE-2011-4512)
- The HMI web server in affected products allows user-assisted remote attackers to execute arbitrary code via a crafted project file, related to the HMI web server and runtime loader. (CVE-2011-4513)
- The TELNET daemon in the affected products does not perform authentication, which makes it easier for remote attackers to obtain access via a TCP session. (CVE-2011-4514)
- A stack-based buffer overflow in HmiLoad in the runtime loader in the affected products, when Transfer Mode is enabled, allows remote attackers to execute arbitrary code via vectors related to Unicode strings. (CVE-2011-4875)
- A directory traversal vulnerability in HmiLoad in the runtime loader in the affected products, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string. (CVE-2011-4876)
- HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to cause a denial of service (application crash) by sending crafted data over TCP.(CVE-2011-4877)
- miniweb.exe in the HMI web server in the affected products does not properly handle URIs beginning with a 0xfa character, which allows remote attackers to read data from arbitrary memory locations or cause a denial of service (application crash) via a crafted POST request. (CVE-2011-4879)
Solution
Perform vendor recommended mitigations and apply available vendor upgrades.See Also
Plugin Details
Severity: Critical
ID: 720014
Family: SCADA
Published: 5/8/2019
Updated: 10/9/2019
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
Patch Publication Date: 4/18/2012
Vulnerability Publication Date: 4/18/2012
Reference Information
CVE: CVE-2011-4508, CVE-2011-4509, CVE-2011-4510, CVE-2011-4511, CVE-2011-4512, CVE-2011-4513, CVE-2011-4514, CVE-2011-4875, CVE-2011-4876, CVE-2011-4877, CVE-2011-4878, CVE-2011-4879