CVE-2017-6021 - OpenCVE

In Schneider Electric ClearSCADA 2014 R1 (build 75.5210) and prior, 2014 R1.1 (build 75.5387) and prior, 2015 R1 (build 76.5648) and prior, and 2015 R2 (build 77.5882) and prior, an attacker with network access to the ClearSCADA server can send specially crafted sequences of commands and data packets to the ClearSCADA server that can cause the ClearSCADA server process and ClearSCADA communications driver processes to terminate. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Aveva	Clearscada
Schneider-electric	Clearscada

Configuration 1 [-]

OR	cpe:2.3:a:aveva:clearscada::::::::
	cpe:2.3:a:schneider-electric:clearscada:2014:r1::::::
	cpe:2.3:a:schneider-electric:clearscada:2014:r1.1::::::

Configuration 2 [-]

OR	cpe:2.3:a:aveva:clearscada::::::::
	cpe:2.3:a:schneider-electric:clearscada:2015:r1::::::
	cpe:2.3:a:schneider-electric:clearscada:2015:r2::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/96768
https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-05-14T14:00:00Z

Updated: 2024-09-16T22:56:53.661Z

Reserved: 2017-02-16T00:00:00

Link: CVE-2017-6021

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-14T14:29:00.193

Modified: 2019-10-09T23:28:34.323

Link: CVE-2017-6021

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ClearSCADA", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "2014 R1 (build 75.5210) and prior"}, {"status": "affected", "version": "2014 R1.1 (build 75.5387) and prior"}, {"status": "affected", "version": "2015 R1 (build 76.5648) and prior"}, {"status": "affected", "version": "2015 R2 (build 77.5882) and prior"}]}], "datePublic": "2017-03-09T00:00:00", "descriptions": [{"lang": "en", "value": "In Schneider Electric ClearSCADA 2014 R1 (build 75.5210) and prior, 2014 R1.1 (build 75.5387) and prior, 2015 R1 (build 76.5648) and prior, and 2015 R2 (build 77.5882) and prior, an attacker with network access to the ClearSCADA server can send specially crafted sequences of commands and data packets to the ClearSCADA server that can cause the ClearSCADA server process and ClearSCADA communications driver processes to terminate. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "IMPROPER INPUT VALIDATION CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-15T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "96768", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96768"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2017-03-09T00:00:00", "ID": "CVE-2017-6021", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ClearSCADA", "version": {"version_data": [{"version_value": "2014 R1 (build 75.5210) and prior"}, {"version_value": "2014 R1.1 (build 75.5387) and prior"}, {"version_value": "2015 R1 (build 76.5648) and prior"}, {"version_value": "2015 R2 (build 77.5882) and prior"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Schneider Electric ClearSCADA 2014 R1 (build 75.5210) and prior, 2014 R1.1 (build 75.5387) and prior, 2015 R1 (build 76.5648) and prior, and 2015 R2 (build 77.5882) and prior, an attacker with network access to the ClearSCADA server can send specially crafted sequences of commands and data packets to the ClearSCADA server that can cause the ClearSCADA server process and ClearSCADA communications driver processes to terminate. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER INPUT VALIDATION CWE-20"}]}]}, "references": {"reference_data": [{"name": "96768", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96768"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:18:49.489Z"}, "title": "CVE Program Container", "references": [{"name": "96768", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96768"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-6021", "datePublished": "2018-05-14T14:00:00Z", "dateReserved": "2017-02-16T00:00:00", "dateUpdated": "2024-09-16T22:56:53.661Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:clearscada:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAF38D64-EC72-4D39-80BB-4B3958C18B8B", "versionEndIncluding": "2010", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:clearscada:2014:r1:*:*:*:*:*:*", "matchCriteriaId": "441BA0DB-0BF8-4CDC-9715-9E5227954061", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:clearscada:2014:r1.1:*:*:*:*:*:*", "matchCriteriaId": "CB2497FA-9965-4C1A-B9F8-34FC76F0A552", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:clearscada:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAF38D64-EC72-4D39-80BB-4B3958C18B8B", "versionEndIncluding": "2010", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:clearscada:2015:r1:*:*:*:*:*:*", "matchCriteriaId": "AFE9EABB-597E-4198-9C2D-3886A969483D", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:clearscada:2015:r2:*:*:*:*:*:*", "matchCriteriaId": "23FD329C-7118-44C1-8BE2-EED715564C2B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Schneider Electric ClearSCADA 2014 R1 (build 75.5210) and prior, 2014 R1.1 (build 75.5387) and prior, 2015 R1 (build 76.5648) and prior, and 2015 R2 (build 77.5882) and prior, an attacker with network access to the ClearSCADA server can send specially crafted sequences of commands and data packets to the ClearSCADA server that can cause the ClearSCADA server process and ClearSCADA communications driver processes to terminate. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}, {"lang": "es", "value": "En Schneider Electric ClearSCADA 2014 R1 (build 75.5210) y anteriores, 2014 R1.1 (build 75.5387) y anteriores, 2015 R1 (build 76.5648) y anteriores y 2015 R2 (build 77.5882) y anteriores, un atacante con acceso de red al servidor ClearSCADA puede enviar secuencias de comandos especialmente manipuladas y paquetes de datos al servidor ClearSCADA que pueden provocar que el proceso del servidor ClearSCADA y los procesos del controlador de comunicaciones ClearSCADA finalicen. Se ha calculado una puntuaci\u00f3n base de CVSS v3 de 7.5; la cadena de vector CVSS es (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}], "id": "CVE-2017-6021", "lastModified": "2019-10-09T23:28:34.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-14T14:29:00.193", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96768"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}