CVE-2017-9635 (GCVE-0-2017-9635)
Vulnerability from cvelistv5
Published
2018-05-18 13:00
Modified
2024-09-17 03:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-326 - Inadequate encryption strength
Summary
Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.
References
| ► | URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schneider Electric SE | Ampla MES |
Version: versions 6.4 and prior |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:02.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"
},
{
"name": "99469",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99469"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Ampla MES",
"vendor": "Schneider Electric SE",
"versions": [
{
"status": "affected",
"version": "versions 6.4 and prior"
}
]
}
],
"datePublic": "2017-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user\u0027s password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "Inadequate encryption strength CWE-326",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-19T09:57:01",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"
},
{
"name": "99469",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99469"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-06-30T00:00:00",
"ID": "CVE-2017-9635",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ampla MES",
"version": {
"version_data": [
{
"version_value": "versions 6.4 and prior"
}
]
}
}
]
},
"vendor_name": "Schneider Electric SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user\u0027s password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Inadequate encryption strength CWE-326"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"
},
{
"name": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/",
"refsource": "CONFIRM",
"url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"
},
{
"name": "99469",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99469"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-9635",
"datePublished": "2018-05-18T13:00:00Z",
"dateReserved": "2017-06-14T00:00:00",
"dateUpdated": "2024-09-17T03:28:56.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2017-9635\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-05-18T13:29:00.223\",\"lastModified\":\"2024-11-21T03:36:33.690\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user\u0027s password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.\"},{\"lang\":\"es\",\"value\":\"Schneider Electric Ampla MES 6.4 proporciona capacidades para configurar usuarios y sus privilegios. Cuando los usuarios Ampla MES se configuran para emplear Simple Security, una debilidad en el algoritmo de hasheo de contrase\u00f1as podr\u00eda explotarse para revertir la contrase\u00f1a de usuario. Schneider Electric recomienda que los usuarios de Ampla MES en versiones 6.4 y anteriores actualicen a la versi\u00f3n 6.5 de Ampla MES tan pronto como les sea posible.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":3.9,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.5,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":1.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.4,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-326\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-326\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ampla_manufacturing_execution_system:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.4\",\"matchCriteriaId\":\"FDB21341-79E5-4D5D-BD51-DE44C0284B21\"}]}]}],\"references\":[{\"url\":\"http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/99469\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/99469\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…