Siemens SIMATIC WinCC HMI Web Server Multiple Input Validation Vulnerabilities Network Vulnerability

Summary

Siemens SIMATIC WinCC is prone to an HTTP-header-injection issue, a directory-traversal issue, and an arbitrary memory-read access issue because the application fails to properly sanitize user- supplied input. A remote attacker can exploit these issues to gain elevated privileges, obtain sensitive information, or cause denial-of-service conditions.

Solution

Updates are available. Please see the references for more information.

References

http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/scada/Pages/Default.aspx
http://www.securityfocus.com/bid/51836
http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01A.pdf

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4512, CVE-2011-4878, CVE-2011-4879

CVSS	Base Score: 8.5 AV:N/AC:L/Au:N/C:P/I:N/A:C

Related Vulnerabilities

Atlassian JIRA FishEye and Crucible Plugins XML Parsing Unspecified Security Vulnerability
ARRIS 2307 Unprotected Web Console
AdaptBB Multiple Input Validation Vulnerabilities
AWStats configdir parameter arbitrary cmd exec
Arkeia Appliance Multiple Vulnerabilities

Take action and discover your vulnerabilities