Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2017-9947.NASL
HistoryFeb 07, 2022 - 12:00 a.m.

Siemens BACnet Field Panels Improper Limitation of a Pathname to a Restricted Directory (CVE-2017-9947)

2022-02-0700:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.1%

JSON

A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500105);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");

  script_cve_id("CVE-2017-9947");

  script_name(english:"Siemens BACnet Field Panels Improper Limitation of a Pathname to a Restricted Directory (CVE-2017-9947)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in Siemens APOGEE PXC and TALON TC
BACnet Automation Controllers in all versions <V3.5. A directory
traversal vulnerability could allow a remote attacker with network
access to the integrated web server (80/tcp and 443/tcp) to obtain
information on the structure of the file system of the affected
devices.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-148078.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?39061797");
  # http://packetstormsecurity.com/files/169544/Siemens-APOGEE-PXC-TALON-TC-Authentication-Bypass.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c345dfe");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-17-285-05");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens
recommends countermeasures for products where updates are not, or not yet available.

- APOGEE PXC Compact (BACnet): Update to v3.5 or later version
- APOGEE PXC Compact (P2 Ethernet): Disable the integrated webserver
- APOGEE PXC Modular (BACnet): Update to v3.5 or later version
- APOGEE PXC Modular (P2 Ethernet): Disable the integrated webserver
- TALON TC Compact (BACnet): Update to v3.5 or later version
- TALON TC Modular (BACnet): Update to v3.5 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Siemens recommends disabling the integrated webserver when not in use
- Please contact a Siemens office for additional support

As a general security measure Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a
protected IT environment.

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-148078");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9947");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware:3");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:apogee_pxc_firmware" :
        {"versionEndExcluding" : "3.5", "family" : "Apogee"},
    "cpe:/o:siemens:apogee_pxc_modular_firmware" :
        {"versionEndExcluding" : "3.5", "family" : "PxcModular"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
VendorProductVersionCPE
siemensapogee_pxc_bacnet_automation_controller_firmware3cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware:3

Related

cve 1
prion 1
nvd 1
cvelist 1
nessus 1
ics 1
zdt 1
packetstorm 1
cve
cve
CVE-2017-9947
2017-10-23 08:29:00
prion
prion
Directory traversal
2017-10-23 08:29:00
nvd
nvd
CVE-2017-9947
2017-10-23 08:29:00
cvelist
cvelist
CVE-2017-9947
2017-10-23 00:00:00
nessus
nessus
Siemens Apogee Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
2019-11-08 00:00:00
ics
ics
Siemens BACnet Field Panels (Update A)
2022-06-16 12:00:00
zdt
zdt
Siemens APOGEE PXC / TALON TC Authentication Bypass Exploit
2022-10-28 00:00:00
packetstorm
packetstorm
Siemens APOGEE PXC / TALON TC Authentication Bypass
2022-10-28 00:00:00

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.1%

JSON
Related for TENABLE_OT_SIEMENS_CVE-2017-9947.NASL
cve1prion1nvd1cvelist1nessus1ics1zdt1packetstorm1