The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SIMATIC

computer vulnerability CVE-2016-7959 CVE-2016-7960

SIMATIC STEP 7: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SIMATIC STEP 7.
Impacted products: SIMATIC.
Severity: 1/4.
Consequences: data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/10/2016.
Identifiers: CERTFR-2016-AVI-347, CVE-2016-7959, CVE-2016-7960, SSA-869766, VIGILANCE-VUL-20845.

Description of the vulnerability

Several vulnerabilities were announced in SIMATIC STEP 7.

A local attacker can perform a brute-force attack, in order to obtain sensitive information about machine-to-machine communication. [severity:1/4; CVE-2016-7959]

An attacker can bypass security features via TIA Portal Project File, in order to obtain sensitive information. [severity:1/4; CVE-2016-7960]

vulnerability bulletin CVE-2016-2183 CVE-2016-6329

Blowfish, Triple-DES: algorithms too weak, SWEET32

Synthesis of the vulnerability

An attacker can create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two-day attack, in order to decrypt data.
Impacted products: Avaya Ethernet Routing Switch, Blue Coat CAS, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, Avamar, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeRADIUS, hMailServer, HPE BSM, LoadRunner, HP Operations, Performance Center, Real User Monitoring, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Informix Server, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Storage Manager, Tivoli System Automation, WebSphere MQ, Junos Space, McAfee Email Gateway, ePO, Data ONTAP, Snap Creator Framework, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/08/2016.
Identifiers: 1610582, 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1994375, 1995099, 1995922, 1998797, 1999054, 1999421, 2000209, 2000212, 2000370, 2000544, 2001608, 2002021, 2002335, 2002336, 2002479, 2002537, 2002870, 2002897, 2002991, 2003145, 2003480, 2003620, 2003673, 2004036, 2008828, 523628, 9010102, bulletinapr2017, c05349499, c05369403, c05369415, c05390849, CERTFR-2017-AVI-012, CERTFR-2019-AVI-049, CERTFR-2019-AVI-311, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-2183, CVE-2016-6329, DSA-2018-124, DSA-3673-1, DSA-3673-2, FEDORA-2016-7810e24465, FEDORA-2016-dc2cb4ad6b, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FG-IR-17-173, HPESBGN03697, HPESBGN03765, HPESBUX03725, HPSBGN03690, HPSBGN03694, HPSBHF03674, ibm10718843, java_jan2017_advisory, JSA10770, KM03060544, NTAP-20160915-0001, openSUSE-SU-2016:2199-1, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2017:1638-1, openSUSE-SU-2018:0458-1, RHSA-2017:0336-01, RHSA-2017:0337-01, RHSA-2017:0338-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, RHSA-2018:2123-01, SA133, SA40312, SB10171, SB10186, SB10197, SB10215, SOL13167034, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SSA:2016-363-01, SSA-556833, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, SUSE-SU-2017:1444-1, SUSE-SU-2017:2838-1, SUSE-SU-2017:3177-1, SWEET32, TNS-2016-16, USN-3087-1, USN-3087-2, USN-3270-1, USN-3339-1, USN-3339-2, USN-3372-1, VIGILANCE-VUL-20473.

Description of the vulnerability

The Blowfish and Triple-DES symmetric encryption algorithms use 64-bit blocks.

However, if they are used in CBC mode, a block collision occurs after 785 GB have been transferred, and it is then possible to decrypt blocks with an attack lasting two days.

An attacker can therefore create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two-day attack, in order to decrypt data.

computer vulnerability announce CVE-2016-5874

SIMATIC NET PC-Software: denial of service via OPC-UA

Synthesis of the vulnerability

An attacker can send a malicious OPC-UA packet to SIMATIC NET PC-Software, in order to trigger a denial of service.
Impacted products: SIMATIC.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 25/07/2016.
Identifiers: CERTFR-2016-AVI-250, CVE-2016-5874, SSA-453276, VIGILANCE-VUL-20207.

Description of the vulnerability

The SIMATIC NET PC-Software product has a service to manage received OPC-UA packets on ports 55101-55105/tcp, 4845/tcp, and 4847-4850/tcp.

However, when a malicious packet is received, a fatal error occurs.

An attacker can therefore send a malicious OPC-UA packet to SIMATIC NET PC-Software, in order to trigger a denial of service.

computer vulnerability alert CVE-2016-5743 CVE-2016-5744

SIMATIC WinCC: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SIMATIC WinCC.
Impacted products: SIMATIC.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/07/2016.
Identifiers: CERTFR-2016-AVI-250, CVE-2016-5743, CVE-2016-5744, SSA-378531, VIGILANCE-VUL-20206.

Description of the vulnerability

Several vulnerabilities were announced in SIMATIC WinCC.

An attacker can send a packet, in order to run code. [severity:3/4; CVE-2016-5743]

An attacker can traverse directories, in order to read a file outside the root path. [severity:2/4; CVE-2016-5744]

computer vulnerability bulletin CVE-2016-3949

SIMATIC S7-300: denial of service via ISO-TSAP/Profibus

Synthesis of the vulnerability

An attacker can send a malicious ISO-TSAP/Profibus packet to SIMATIC S7-300, in order to trigger a denial of service.
Impacted products: SIMATIC.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 09/06/2016.
Identifiers: CERTFR-2016-AVI-196, CVE-2016-3949, SSA-818183, VIGILANCE-VUL-19848.

Description of the vulnerability

The SIMATIC S7-300 product has a service to manage received ISO-TSAP/Profibus packets.

However, when a malicious packet is received, a fatal error occurs.

An attacker can therefore send a malicious ISO-TSAP/Profibus packet to SIMATIC S7-300, in order to trigger a denial of service.

vulnerability announce CVE-2016-2846

SIMATIC S7-1200 CPU: privilege escalation

Synthesis of the vulnerability

A network attacker can access the SIMATIC S7-1200 CPU, in order to escalate privileges.
Impacted products: SIMATIC.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Creation date: 15/03/2016.
Identifiers: CVE-2016-2846, SSA-833048, VIGILANCE-VUL-19172.

Description of the vulnerability

The SIMATIC S7-1200 CPU product has access protections.

However, an attacker can bypass these protections.

A worm uses this vulnerability (VIGILANCE-ACTU-5186).

A network attacker can therefore access the SIMATIC S7-1200 CPU, in order to escalate privileges.

computer vulnerability CVE-2016-2200 CVE-2016-2201

Siemens SIMATIC S7-1500 CPU: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Siemens SIMATIC S7-1500 CPU.
Impacted products: SIMATIC.
Severity: 3/4.
Consequences: data creation/edition, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/02/2016.
Identifiers: CERTFR-2016-AVI-062, CVE-2016-2200, CVE-2016-2201, SSA:2016-039-02, SSA-253230, VIGILANCE-VUL-18895.

Description of the vulnerability

Several vulnerabilities were announced in Siemens SIMATIC S7-1500 CPU.

An attacker can send a malicious ISO/TSAP packet, in order to trigger a denial of service. [severity:3/4; CVE-2016-2200]

An attacker can partially bypass the integrity check of ISO/TSAP flows, in order to corrupt exchanged data. [severity:1/4; CVE-2016-2201]

computer vulnerability CVE-2015-8214

Siemens SIMATIC: code execution via Communication Processor

Synthesis of the vulnerability

An unauthenticated attacker can access port 102/tcp of the Siemens SIMATIC Communication Processor, in order to execute privileged commands.
Impacted products: SIMATIC.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 30/11/2015.
Identifiers: CVE-2015-8214, SSA-763427, VIGILANCE-VUL-18395.

Description of the vulnerability

The Siemens SIMATIC Communication Processor product is used by:
 - SIMATIC CP 343-1 Standard / Advanced / Lean
 - SIMATIC CP 443-1 Standard / Advanced
 - SIMATIC TIM 3V-IE Standard / Advanced / DNP3
 - SIMATIC TIM 4R-IE Standard / DNP3

It listens on port 102/tcp. However, when the configuration is stored in the CPU, an attacker can connect to port 102/tcp without authentication, in order to perform administrative operations.

An unauthenticated attacker can therefore access port 102/tcp of the Siemens SIMATIC Communication Processor, in order to execute privileged commands.

computer vulnerability announce CVE-2015-5698

Siemens SIMATIC S7-1200: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Siemens SIMATIC S7-1200, in order to force the victim to perform operations.
Impacted products: SIMATIC.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 28/08/2015.
Identifiers: CERTFR-2015-AVI-364, CVE-2015-5698, SSA-134003, VIGILANCE-VUL-17767.

Description of the vulnerability

The Siemens SIMATIC S7-1200 product offers a web service.

However, the origin of requests is not checked. For example, they can originate from an image tag included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Siemens SIMATIC S7-1200, in order to force the victim to perform operations.

computer vulnerability CVE-2015-5084

SIMATIC WinCC Sm@rtClient for Android: information disclosure

Synthesis of the vulnerability

A local attacker can read passwords of SIMATIC WinCC Sm@rtClient for Android, in order to access the user's account.
Impacted products: SIMATIC.
Severity: 1/4.
Consequences: privileged access/rights, user access/rights, data reading.
Provenance: user shell.
Creation date: 22/07/2015.
Identifiers: CVE-2015-5084, SSA-267489, VIGILANCE-VUL-17475.

Description of the vulnerability

The SIMATIC WinCC Sm@rtClient for Android product stores the user's passwords.

However, an attacker who has access to the victim's mobile device can read these passwords.

A local attacker can therefore read passwords of SIMATIC WinCC Sm@rtClient for Android, in order to access the user's account.