ID CVE-2013-3633 Type cve Reporter cve@mitre.org Modified 2019-12-12T20:15:00
Description
A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (Versions < V5.0.0 for CVE-2013-3633 and versions < V4.5.0 for CVE-2013-3634), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.1.0). The user privileges for the web interface are only enforced on client side and not properly verified on server side. Therefore, an attacker is able to execute privileged commands using an unprivileged account.
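The flaw class named in the description, authorization that exists only in the client, shown as an added example that is not SCALANCE firmware code and not from any of the advisories below. The command names, the `admin`/`user` roles and the `client_claims_admin` flag are assumptions made for the illustration. `vulnerable_dispatch` trusts what the browser sent (the menu hid the button, and a client-supplied flag says whether the user is an admin), so an unprivileged session that hand-crafts the request runs a privileged command; `hardened_dispatch` makes the same decision from server-held session state and ignores the client's claim entirely.

```python
"""Client-side-only privilege enforcement (the CVE-2013-3633 flaw class)
beside its server-side fix.  Generic illustration: endpoint/command names,
roles and the client flag are assumptions, not the SCALANCE web interface."""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical command set; the first two are privileged.
PRIVILEGED = {"reboot", "set_config"}
ALL_COMMANDS = PRIVILEGED | {"show_status"}


@dataclass
class Session:
    user: str
    role: str  # "admin" or "user"; set by the server at login, never by the client


@dataclass
class Request:
    session: Session
    command: str
    # Flag the browser UI sends when it rendered the admin menu.  It is under
    # the client's control, so it must never feed an authorization decision.
    client_claims_admin: bool = False


def render_menu(session: Session) -> List[str]:
    """What the UI shows.  Hiding buttons is presentation, not enforcement."""
    if session.role == "admin":
        return sorted(ALL_COMMANDS)
    return sorted(ALL_COMMANDS - PRIVILEGED)


def vulnerable_dispatch(req: Request) -> str:
    """Server trusts the UI: the menu hid the button and the client says
    whether it is admin.  A crafted request bypasses both."""
    if req.command not in ALL_COMMANDS:
        return "error: unknown command"
    if req.command in PRIVILEGED and not req.client_claims_admin:
        return "error: forbidden"
    return f"ok: executed {req.command} as {req.session.user}"


def hardened_dispatch(req: Request) -> str:
    """Server decides from its own session state; the client flag is ignored
    for the authorization decision (it may still drive the UI)."""
    if req.command not in ALL_COMMANDS:
        return "error: unknown command"
    if req.command in PRIVILEGED and req.session.role != "admin":
        return "error: forbidden"
    return f"ok: executed {req.command} as {req.session.user}"


def demo() -> Dict[str, str]:
    """Unprivileged session forges the client flag and asks for 'reboot'."""
    low = Session(user="operator", role="user")
    # The operator never sees "reboot" in the menu...
    assert "reboot" not in render_menu(low)
    # ...but can send the request directly, with the admin flag forged.
    forged = Request(session=low, command="reboot", client_claims_admin=True)
    return {
        "vulnerable": vulnerable_dispatch(forged),
        "hardened": hardened_dispatch(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The only difference between the two handlers is where the role comes from: the hardened version reads it from the session the server created at login, so nothing the client can put in a request changes the outcome.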
{"openvas": [{"lastseen": "2019-06-07T12:48:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-3634", "CVE-2013-3633"], "description": "Siemens Scalance X200 series switches are prone to multiple vulnerabilities.", "modified": "2019-06-06T00:00:00", "published": "2013-05-30T00:00:00", "id": "OPENVAS:1361412562310103724", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103724", "type": "openvas", "title": "Siemens Scalance X200 Series Switches Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Siemens Scalance X200 Series Switches Multiple Vulnerabilities.\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103724\");\n script_bugtraq_id(60168, 60165);\n script_cve_id(\"CVE-2013-3634\", \"CVE-2013-3633\");\n script_tag(name:\"cvss_base\", value:\"8.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:C\");\n script_version(\"2019-06-06T07:39:31+0000\");\n\n script_name(\"Siemens Scalance X200 Series Switches Multiple Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/60165\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/60168\");\n script_xref(name:\"URL\", value:\"http://subscriber.communications.siemens.com/\");\n script_xref(name:\"URL\", value:\"http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-170686.pdf\");\n\n script_tag(name:\"last_modification\", value:\"2019-06-06 07:39:31 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-05-30 17:50:28 +0200 (Thu, 30 May 2013)\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(23);\n script_mandatory_keys(\"telnet/siemens/scalance_x200/detected\");\n\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references or vendor advisory\n for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"Siemens Scalance X200 series switches are prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"The following flaws exist:\n\n 1. a remote security bypass vulnerability.\n\n An attacker can exploit this issue to bypass certain security\n restrictions and execute SNMP commands without proper credentials.\n\n 2. a remote privilege-escalation vulnerability.\n\n An attacker can exploit this issue to gain elevated privileges\n within the application and execute commands with escalated privileges.\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"version_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nport = 23;\nif(!get_port_state(port))exit(0);\nbanner = telnet_get_banner(port:port);\n\nif(!banner || \"SCALANCE X200\" >!< banner || \"Device type\" >!< banner || \"Firmware\" >!< banner)\n exit(0);\n\ndv = eregmatch(pattern:string(\"Device type.*:.*SCALANCE ([^\\r\\n ]+)\"), string:banner);\nif(isnull(dv[1]))exit(0);\n\ndevice = dv[1];\n\nvuln_devices = make_list(\"X204\",\"X202-2\",\"X201-3\",\"X200-4\");\n\nforeach vd (vuln_devices) {\n\n if(vd == device) {\n affected_device = TRUE;\n break;\n }\n}\n\nif(!affected_device)exit(0);\n\nfw = eregmatch(pattern:string(\"Firmware.*: V ([^\\r\\n ]+)\"), string:banner);\nif(isnull(fw[1]))exit(0);\n\nfirmware = fw[1];\n\nif(version_is_less(version:firmware, test_version:\"5.1.0\")) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 8.0, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:C"}}], "ics": [{"lastseen": "2020-12-18T03:22:25", "bulletinFamily": "info", "cvelist": ["CVE-2013-3634", "CVE-2013-3633"], "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 7.6**\n * **ATTENTION:** Exploitable remotely; low skill level to exploit\n * **Vendor:** Siemens\n * **Equipment:** SCALANCE X-200 switch family and SCALANCE X-200IRT switch family\n * **Vulnerabilities:** Privilege Escalation, Improper Authentication\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-13-149-01 Siemens SCALANCE Privilege Escalation Vulnerabilities that was published May 29, 2013, on the ICS webpage on us-cert.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to escalate their privileges within the web interface. Users with administrator privileges can change the configuration of the switches.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\n**\\--------- Begin Update A Part 1 of 2 ---------**\n\nSiemens reports the vulnerabilities affect the following versions of SCALANCE:\n\n * SCALANCE X-200 switch family (incl. SIPLUS NET variants): versions prior to v4.5.0\n * SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): versions prior to v5.1.0\n\n**\\--------- End Update A Part 1 of 2 ---------**\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [PRIVILEGE ESCALATION CWE-264](<https://cwe.mitre.org/data/definitions/264.html>)\n\nThe user privileges for the web interface are enforced on the client side and not properly verified on the server side. Therefore, an attacker may be able to execute privileged commands using an unprivileged account.\n\n[CVE-2013-3633](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3633>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.2 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nThe implementation of SNMPv3 does not sufficiently check user credentials. Therefore, an attacker may be able to execute SNMP commands without correct credentials.\n\n[CVE-2013-3634](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3634>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Chemical, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Food and Agriculture, Government Facilities, Transportation Systems, and Water\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 4.4 RESEARCHER\n\nHay Mizrachi from OTORIO and Artem Zinenko from Kaspersky reported these vulnerabilities to Siemens.\n\n## 5\\. 
MITIGATIONS\n\n**\\--------- Begin Update A Part 2 of 2 ---------**\n\nSiemens recommends updating these products:\n\n * SCALANCE X-200 switch family: [Update to v5.0.0 (released in 2013), or any later version (currently v5.2.4)](<https://support.industry.siemens.com/cs/document/109767965>)\n\n * SCALANCE X-200IRT switch family: [Update to v5.1.0 (released in 2013), or any later version (currently v5.4.2)](<https://support.industry.siemens.com/cs/document/109763309>)\n\n**\\--------- End Update A Part 2 of 2 ---------**\n\nIf it is not possible to install the firmware update, mitigate the SNMP vulnerability by either disabling SNMP or completely disabling read-write access.\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens\u2019 Operational Guidelines for Industrial Security and following the recommendations in the product manuals.\n\nAdditional information on industrial security by Siemens can be found at:\n\n<https://www.siemens.com/industrialsecurity>\n\nFor more information on these vulnerabilities and more detailed mitigation instructions, please see Siemens security advisory SSA-170686 at the following location:\n\n<http://www.siemens.com/cert/advisories>\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n * Exercise principles of least privilege.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## Contact Information\n\nFor any questions related to this report, please contact CISA at:\n\nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n", "edition": 17, "modified": "2019-12-10T00:00:00", "published": "2019-12-10T00:00:00", "id": "ICSA-13-149-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-13-149-01", "title": "Siemens SCALANCE Privilege Escalation Vulnerabilities (Update A)", "type": "ics", "cvss": {"score": 8.0, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:C"}}, {"lastseen": "2020-12-18T03:21:43", "bulletinFamily": "info", "cvelist": ["CVE-2013-3634", "CVE-2013-3633"], "description": "## OVERVIEW\n\nThis advisory provides mitigation details for vulnerabilities that impact the Siemens Scalance X200 IRT.\n\nSiemens has identified multiple vulnerabilities in Siemens Scalance X200 IRT. Siemens has produced an update that mitigates these vulnerabilities. Siemens has tested the update to validate that it resolves the vulnerabilities. 
Exploitation of these vulnerabilities could allow an attacker to execute privileged commands using an unprivileged account. This could affect multiple industries, including food and beverage, water and wastewater, oil and gas, and chemical sectors worldwide.\n\nThese vulnerabilities could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n * SCALANCE X204IRT versions < V5.1.0\n * SCALANCE X204IRT PRO versions < V5.1.0\n * SCALANCE X202-2IRT versions < V5.1.0\n * SCALANCE X202-2P IRT versions < V5.1.0\n * SCALANCE X202-2P IRT PRO versions < V5.1.0\n * SCALANCE X201-3P IRT versions < V5.1.0\n * SCALANCE X201-3P IRT PRO versions < V5.1.0\n * SCALANCE X200-4P IRT versions < V5.1.0\n * SCALANCE XF204IRT versions < V5.1.0\n\n## IMPACT\n\nSuccessful exploitation of these vulnerabilities may result in an attacker executing privileged commands using an unprivileged account.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSiemens is a multinational company headquartered in Munich, Germany. Siemens develops products mainly in the energy, transportation, and healthcare sectors.\n\nScalance X switches are used to connect industrial components like PLCs or HMIs. These switches have a Web interface to enable administrators to change the configuration using a common Web browser.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS [a]\n\nThe Scalance X200 IRT user privileges for the Web interface are verified properly on the client side but not properly verified on the server side. This could allow the attacker to execute privileged commands using an unprivileged account.\n\nCVE-2013-3633 [b] has been assigned to this vulnerability. 
A CVSS v2 base score of 8.0 has been assigned by the vendor; the CVSS vector string is (AV:N/AC:L/Au:S/C:P/I:P/A:C) [c].\n\n### PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS [a]\n\nThe Scalance SNMPv3 implementation does not properly check user credentials. This could allow the attacker to execute privileged SNMP commands while only having unprivileged credentials.\n\nCVE-2013-3634 [d] has been assigned to this vulnerability. A CVSS v2 base score of 7.5 has been assigned by the vendor; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:P) [e].\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### DIFFICULTY\n\nAn attacker with low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nSiemens has produced a software update, Scalance X-200IRT V5.1.0, that resolves these vulnerabilities. Siemens recommends that asset owners and operators contact Siemens customer support to acquire the update.\n\nSiemens update information is located here:\n\n<http://support.automation.siemens.com/WW/view/en/73470284>\n\nSiemens security advisory is located here:\n\n<http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-170686.pdf>\n\nSiemens suggests that if it is not possible to install the update, a workaround for CVE-2013-3634 is either to disable SNMP or to completely disable any read-write access.\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices. 
Critical devices should not directly face the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies [f]. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B\u2014Targeted Cyber Intrusion Detection and Mitigation Strategies [g], which is available for download from the ICS-CERT Web page (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-264: Permissions, Privileges, and Access Controls, http://cwe.mitre.org/data/definitions/264.html, Web site last accessed June 18, 2013.\n * b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3633, Web site last accessed June 18, 2013.\n * c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:C, Web site last accessed June 18, 2013.\n * d. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3634, Web site last accessed June 18, 2013.\n * e. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P, Web site last accessed June 18, 2013.\n * f. CSSP Recommended Practices, http://ics-cert.us-cert.gov/content/recommended-practices, Web site last accessed June 18, 2013.\n * g. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last accessed June 18, 2013.\n", "edition": 15, "modified": "2013-06-18T00:00:00", "published": "2013-06-18T00:00:00", "id": "ICSA-13-169-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-13-169-01", "title": "Siemens Scalance X200 IRT Multiple Vulnerabilities", "type": "ics", "cvss": {"score": 8.0, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:C"}}]}
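A banner-based exposure check that covers both switch families, added here as an example; it is neither the OpenVAS plugin reproduced above nor Siemens' or Greenbone's code. The plugin, as written, lists the non-IRT model names X204, X202-2, X201-3 and X200-4 (its device regex stops at the first space, so whether an IRT model string such as "X201-3P IRT" ever matches depends on the exact banner layout) and then flags any firmware below 5.1.0. The CVE description, however, gives V5.0.0 (CVE-2013-3633) and V4.5.0 (CVE-2013-3634) as the fixed versions for the X-200 family; 5.1.0 is the X-200IRT fix. The example keeps the shape of the plugin's two regexes, classifies the family by the presence of "IRT" in the model string, and applies the per-family thresholds, so an X-200 at V4.5.x is reported exposed to CVE-2013-3633 only. The sample banners are constructed to satisfy those regexes; real device output may be laid out differently, and the fixed-version table comes from the CVE description rather than from testing devices.

```python
"""Per-family firmware check for CVE-2013-3633 / CVE-2013-3634 from a
SCALANCE X200 telnet banner.  Added example; the banner layout below is
constructed to fit the OpenVAS plugin's regexes and the thresholds come
from the CVE description (assumptions, not device testing)."""
import re
from typing import NamedTuple, Optional, Tuple


class Assessment(NamedTuple):
    device: str
    family: str          # "X-200" or "X-200IRT"
    firmware: Tuple[int, ...]
    affected: Tuple[str, ...]   # CVE ids the firmware is still exposed to


# Fixed versions per family, taken from the CVE description:
#   X-200IRT: both issues fixed in V5.1.0
#   X-200   : CVE-2013-3633 fixed in V5.0.0, CVE-2013-3634 fixed in V4.5.0
FIXED = {
    "X-200IRT": {"CVE-2013-3633": (5, 1, 0), "CVE-2013-3634": (5, 1, 0)},
    "X-200":    {"CVE-2013-3633": (5, 0, 0), "CVE-2013-3634": (4, 5, 0)},
}

# Same shape as the plugin's patterns, but the device group runs to end of
# line so model strings containing a space ("X201-3P IRT") are kept whole.
DEVICE_RE = re.compile(r"Device type.*?:.*?SCALANCE ([^\r\n]+)")
FIRMWARE_RE = re.compile(r"Firmware.*?: V ([^\r\n ]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.0.2' -> (5, 0, 2); a non-numeric tail such as '5.1.0rc' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def family_of(device: str) -> str:
    """IRT models carry 'IRT' in the model string (X204IRT, X201-3P IRT, ...)."""
    return "X-200IRT" if "IRT" in device.upper() else "X-200"


def assess(banner: str) -> Optional[Assessment]:
    """Return an Assessment, or None if the banner is not a SCALANCE X200 one
    or lacks a parseable device type / firmware line."""
    if "SCALANCE X200" not in banner:
        return None
    dm = DEVICE_RE.search(banner)
    fm = FIRMWARE_RE.search(banner)
    if not dm or not fm:
        return None
    device = dm.group(1).strip()
    fam = family_of(device)
    fw = parse_version(fm.group(1))
    if not fw:
        return None
    affected = tuple(cve for cve, fixed in FIXED[fam].items() if fw < fixed)
    return Assessment(device, fam, fw, affected)


# Constructed sample banners, laid out to satisfy the regexes above.
SAMPLE_BANNERS = {
    "irt_old":   "SCALANCE X200\r\nDevice type : SCALANCE X204IRT\r\nFirmware : V 5.0.2\r\n",
    "irt_fixed": "SCALANCE X200\r\nDevice type : SCALANCE X201-3P IRT\r\nFirmware : V 5.1.0\r\n",
    "std_mid":   "SCALANCE X200\r\nDevice type : SCALANCE X204\r\nFirmware : V 4.5.3\r\n",
    "std_fixed": "SCALANCE X200\r\nDevice type : SCALANCE X202-2\r\nFirmware : V 5.0.0\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:10s} {assess(banner)}")
```

Version strings are compared as integer tuples rather than as text, so "4.10.0" sorts after "4.5.0"; the plugin's `version_is_less` does the same job in NASL. A device that matches none of the patterns is reported as unknown rather than as safe, which is the conservative choice when a scan result drives patch scheduling.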