PT-2016-3300 · Siemens+1 · Simatic Wincc+13

Published 2016-11-15 · Updated 2018-09-11 · CVE-2016-7165

CVSS v2.0: 6.9 (Medium)

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Primary Setup Tool (PST) versions prior to V4.2 HF1
SIMATIC IT Production Suite versions prior to V7.0 SP1 HFX 2
SIMATIC NET PC-Software versions prior to V14
SIMATIC PCS 7 V7.1
SIMATIC PCS 7 V8.0
SIMATIC PCS 7 V8.1
SIMATIC PCS 7 V8.2 versions prior to V8.2 SP1
SIMATIC STEP 7 (TIA Portal) V13 versions prior to V13 SP2
SIMATIC STEP 7 V5.X versions prior to V5.5 SP4 HF11
SIMATIC WinCC (TIA Portal) Basic, Comfort, Advanced versions prior to V14
SIMATIC WinCC (TIA Portal) Professional V13 versions prior to V13 SP2
SIMATIC WinCC (TIA Portal) Professional V14 versions prior to V14 SP1
SIMATIC WinCC Runtime Professional V13 versions prior to V13 SP2
SIMATIC WinCC Runtime Professional V14 versions prior to V14 SP1
SIMATIC WinCC V7.0 SP2 and earlier versions prior to V7.0 SP2 Upd 12
SIMATIC WinCC V7.0 SP3 versions prior to V7.0 SP3 Upd 8
SIMATIC WinCC V7.2 versions prior to V7.2 Upd 14
SIMATIC WinCC V7.3 versions prior to V7.3 Upd 11
SIMATIC WinCC V7.4 versions prior to V7.4 SP1
SIMIT V9.0 versions prior to V9.0 SP1
SINEMA Remote Connect Client versions prior to V1.0 SP3
SINEMA Server versions prior to V13 SP2
SOFTNET Security Client V5.0
Security Configuration Tool (SCT) versions prior to V4.3 HF1
TeleControl Server Basic versions prior to V3.0 SP2
WinAC RTX 2010 SP2
WinAC RTX F 2010 SP2

Description

The issue is related to incorrect access control, allowing local Microsoft Windows operating system users to escalate their privileges if the affected products are not installed under their default path ("C:\Program Files\*" or the localized equivalent). Unquoted service paths could be exploited to gain elevated privileges.

Recommendations

Primary Setup Tool (PST) versions prior to V4.2 HF1: Update to V4.2 HF1 or later.
SIMATIC IT Production Suite versions prior to V7.0 SP1 HFX 2: Update to V7.0 SP1 HFX 2 or later.
SIMATIC NET PC-Software versions prior to V14: Update to V14 or later.
SIMATIC PCS 7 V7.1: Apply the recommended patch or update.
SIMATIC PCS 7 V8.0: Apply the recommended patch or update.
SIMATIC PCS 7 V8.1: Apply the recommended patch or update.
SIMATIC PCS 7 V8.2 versions prior to V8.2 SP1: Update to V8.2 SP1 or later.
SIMATIC STEP 7 (TIA Portal) V13 versions prior to V13 SP2: Update to V13 SP2 or later.
SIMATIC STEP 7 V5.X versions prior to V5.5 SP4 HF11: Update to V5.5 SP4 HF11 or later.
SIMATIC WinCC (TIA Portal) Basic, Comfort, Advanced versions prior to V14: Update to V14 or later.
SIMATIC WinCC (TIA Portal) Professional V13 versions prior to V13 SP2: Update to V13 SP2 or later.
SIMATIC WinCC (TIA Portal) Professional V14 versions prior to V14 SP1: Update to V14 SP1 or later.
SIMATIC WinCC Runtime Professional V13 versions prior to V13 SP2: Update to V13 SP2 or later.
SIMATIC WinCC Runtime Professional V14 versions prior to V14 SP1: Update to V14 SP1 or later.
SIMATIC WinCC V7.0 SP2 and earlier versions prior to V7.0 SP2 Upd 12: Update to V7.0 SP2 Upd 12 or later.
SIMATIC WinCC V7.0 SP3 versions prior to V7.0 SP3 Upd 8: Update to V7.0 SP3 Upd 8 or later.
SIMATIC WinCC V7.2 versions prior to V7.2 Upd 14: Update to V7.2 Upd 14 or later.
SIMATIC WinCC V7.3 versions prior to V7.3 Upd 11: Update to V7.3 Upd 11 or later.
SIMATIC WinCC V7.4 versions prior to V7.4 SP1: Update to V7.4 SP1 or later.
SIMIT V9.0 versions prior to V9.0 SP1: Update to V9.0 SP1 or later.
SINEMA Remote Connect Client versions prior to V1.0 SP3: Update to V1.0 SP3 or later.
SINEMA Server versions prior to V13 SP2: Update to V13 SP2 or later.
SOFTNET Security Client V5.0: Apply the recommended patch or update.
Security Configuration Tool (SCT) versions prior to V4.3 HF1: Update to V4.3 HF1 or later.
TeleControl Server Basic versions prior to V3.0 SP2: Update to V3.0 SP2 or later.
WinAC RTX 2010 SP2: Apply the recommended patch or update.
WinAC RTX F 2010 SP2: Apply the recommended patch or update.
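
The Description ties the issue to unquoted service paths on installations outside the default directory. The PowerShell audit below is an added example, not part of the advisory or of any Siemens tooling; the helper function names are hypothetical and the sample paths are constructed. It lists services whose binary path is unquoted and contains a space, and marks whether each one sits under the host's Program Files directories.

```powershell
# Added example: audit Windows services for unquoted binary paths with spaces.
# Helper names are hypothetical; run on the engineering station or server to check.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PathName)
    $p = $PathName.Trim()
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }
    # Executable portion = text up to the first ".exe" followed by whitespace
    # or end of string; spaces that only appear in arguments are ignored.
    $m = [regex]::Match($p, '(?i)^(.+?\.exe)(\s|$)')
    return ($m.Success -and $m.Groups[1].Value.Contains(' '))
}

function Test-UnderProgramFiles {
    param([Parameter(Mandatory)][string]$PathName)
    # Environment variables resolve to the localized default install roots.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($r in $roots) {
        if ($PathName.StartsWith($r + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Self-check on constructed sample paths (not real service entries).
$samples = [ordered]@{
    'D:\Automation Tools\svc\agent.exe -run'   = $true   # unquoted, space in path
    '"D:\Automation Tools\svc\agent.exe" -run' = $false  # quoted
    'D:\Automation\svc\agent.exe -k my group'  = $false  # space only in arguments
}
foreach ($s in $samples.GetEnumerator()) {
    if ((Test-UnquotedServicePath $s.Key) -ne $s.Value) {
        throw "Self-check failed for: $($s.Key)"
    }
}

# Audit the local host. Rows with UnderProgramFiles = False match the
# non-default install path condition named in the Description.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Select-Object Name, StartName, StartMode,
        @{ n = 'UnderProgramFiles'; e = { Test-UnderProgramFiles $_.PathName } },
        PathName |
    Sort-Object UnderProgramFiles, Name |
    Format-Table -AutoSize -Wrap
```

An empty table means no service on the host has an unquoted path containing a space; any row returned is a candidate for the vendor update listed in the Recommendations.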

Fix

Improper Access Control

Improper Privilege Management


Weakness Enumeration

Related Identifiers

BDU:2019-04212
CVE-2016-7165

Affected Products

Primary Setup Tool
Simatic It Production Suite
Simatic Net Pc-Software
Simatic Pcs 7
Simatic Step 7
Simatic Wincc
Simit
Sinema Remote Connect Client
Sinema Server
Softnet Security Client
Security Configuration Tool
Telecontrol Server Basic
Winac Rtx
Windows