CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
58.5%
**ATTENTION:**Remotely exploitable/low skill level to exploit.
Vendor: iniNet Solutions GmbH
Equipment: SCADA Webserver
Vulnerability: Improper Authentication
The following versions of iniNet Solutions GmbH’s SCADA Webserver, a third-party web-based server software, are affected:
Successful exploitation of this vulnerability could allow malicious users to access human-machine interface (HMI) pages or to modify programmable logic controller (PLC) variables without authentication.
IniNet Solutions GmbH has released a new version of the SCADA Webserver, V2.02.0100, which allows users to implement basic authentication. It can be found at the following location (login required):
<http://spidercontrol.net/download/downloadarea/?lang=en>
Instructions for implementing basic authentication can be found in the user manual for V2.02.0100.
IniNet Solutions GmbH reminds users that the webserver is designed to be used in a protected environment.
As a third-party software, the iniNet Webserver is used in many different vendors’ products. Asset owners should determine if they are using a vulnerable version of the iniNet Webserver and follow the recommended practices below.
IniNet Solutions GmbH recommends that users never connect PLCs to the Internet. If a user must connect to the Internet, IniNet Solutions GmbH recommends using a managed infrastructure to do so.
NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
The webserver does not properly authenticate users, which may allow a malicious attacker to access sensitive information such as HMI pages or modify PLC variables.
CVE-2017-13995 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences, reported this vulnerability.
Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland
spidercontrol.net/download/downloadarea/?lang=en
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13995
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-advisories/icsa-17-264-04
cwe.mitre.org/data/definitions/287.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=iniNet%20Solutions%20GmbH%20SCADA%20Webserver+https://www.cisa.gov/news-events/ics-advisories/icsa-17-264-04
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-17-264-04&title=iniNet%20Solutions%20GmbH%20SCADA%20Webserver
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-17-264-04
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=iniNet%20Solutions%20GmbH%20SCADA%20Webserver&body=www.cisa.gov/news-events/ics-advisories/icsa-17-264-04
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
58.5%