PT-2016-4566 · Sprecher Automation · Sprecon-E Service Program

Published: 2016-12-25 · Updated: 2017-01-07 · CVE-2016-10041

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sprecher Automation SPRECON-E Service Program versions prior to 3.43 SP0

Description: An issue in the SPRECON-E Service Program allows a non-admin user to execute telegram simulation under certain preconditions. This can occur when a user with a valid engineering account and access to a service computer with the program running exploits incorrect caching of client data. The prerequisites for this issue are that a user has created an online connection, authenticated and authorized as an administrator, and executed telegram simulation before closing the online connection. A potential attacker would need a valid engineering account and access to a service/maintenance computer with the SPRECON-E Service Program running. Additionally, a valid admin user must have closed the service connection without closing the program after executing telegram simulation. There is no risk from external attackers.

Recommendations: For versions prior to 3.43 SP0, update to version 3.43 SP0 or later to resolve the issue. As a temporary workaround, consider restricting access to the SPRECON-E Service Program to authorized personnel and ensuring that admin users close the program after executing telegram simulation to prevent exploitation.
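The root cause described above is an authorization-state lifecycle bug: privileges obtained during an admin's online session survive in the running program after that session is closed, so a later, less privileged user of the same program instance inherits them. The following is an added, illustrative model of that failure mode beside its hardened form; it is not Sprecher Automation's code, and the class names, the privilege strings and the `simulate_telegram` action are assumptions made for the demonstration. The `replay_scenario` helper walks through the advisory's precondition chain and is the kind of regression test a defender would keep for this class of bug.

```python
# Illustrative model of CVE-2016-10041's failure mode (added example,
# not the product's code). Names and privilege strings are assumptions.

class ServiceProgramVulnerable:
    """Client program that accumulates cached privileges across sessions
    and never drops them when the online connection is closed."""

    def __init__(self):
        self.connected = False
        self.privileges = set()   # survives close_connection(): the defect

    def open_connection(self, privileges):
        self.connected = True
        # Defect: new session data is merged with whatever was cached before
        self.privileges |= set(privileges)

    def close_connection(self):
        self.connected = False
        # Defect: cached privileges are intentionally left in place here

    def simulate_telegram(self):
        # Authorization check consults only the (possibly stale) cache
        return "admin" in self.privileges


class ServiceProgramFixed(ServiceProgramVulnerable):
    """Hardened form: session privileges are scoped to one live connection."""

    def open_connection(self, privileges):
        self.connected = True
        self.privileges = set(privileges)   # replace, never merge

    def close_connection(self):
        self.connected = False
        self.privileges.clear()             # drop cached authorization

    def simulate_telegram(self):
        # Privileged action needs a live, authorized connection
        return self.connected and "admin" in self.privileges


def replay_scenario(program_cls):
    """Replay the advisory's precondition chain on one running instance and
    return whether the later non-admin user can still run telegram simulation."""
    program = program_cls()
    program.open_connection({"engineer", "admin"})  # admin authenticates and authorizes
    assert program.simulate_telegram()              # admin runs telegram simulation
    program.close_connection()                      # connection closed, program left running
    program.open_connection({"engineer"})           # non-admin engineering account takes over
    return program.simulate_telegram()


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(ServiceProgramVulnerable))  # True
    print("fixed:     ", replay_scenario(ServiceProgramFixed))       # False
```

The workaround in the advisory (admins close the program after telegram simulation) maps directly onto discarding the vulnerable object; the real fix is the behaviour of `ServiceProgramFixed`, where closing the connection is what clears the cache.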

Fix


Weakness Enumeration

Related identifiers

CVE-2016-10041

Affected products

Sprecon-E Service Program