CVE-2017-9635 - OpenCVE

Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Ampla Manufacturing Execution System

Configuration 1 [-]

cpe:2.3:a:schneider-electric:ampla_manufacturing_execution_system:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/
http://www.securityfocus.com/bid/99469
https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-05-18T13:00:00Z

Updated: 2024-09-17T03:28:56.779Z

Reserved: 2017-06-14T00:00:00

Link: CVE-2017-9635

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-18T13:29:00.223

Modified: 2019-10-09T23:30:44.597

Link: CVE-2017-9635

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Ampla MES", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "versions 6.4 and prior"}]}], "datePublic": "2017-06-30T00:00:00", "descriptions": [{"lang": "en", "value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-326", "description": "Inadequate encryption strength CWE-326", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-19T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"name": "99469", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99469"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2017-06-30T00:00:00", "ID": "CVE-2017-9635", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ampla MES", "version": {"version_data": [{"version_value": "versions 6.4 and prior"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Inadequate encryption strength CWE-326"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}, {"name": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/", "refsource": "CONFIRM", "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"name": "99469", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99469"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:11:02.328Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"name": "99469", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99469"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-9635", "datePublished": "2018-05-18T13:00:00Z", "dateReserved": "2017-06-14T00:00:00", "dateUpdated": "2024-09-17T03:28:56.779Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ampla_manufacturing_execution_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDB21341-79E5-4D5D-BD51-DE44C0284B21", "versionEndIncluding": "6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."}, {"lang": "es", "value": "Schneider Electric Ampla MES 6.4 proporciona capacidades para configurar usuarios y sus privilegios. Cuando los usuarios Ampla MES se configuran para emplear Simple Security, una debilidad en el algoritmo de hasheo de contrase\u00f1as podr\u00eda explotarse para revertir la contrase\u00f1a de usuario. Schneider Electric recomienda que los usuarios de Ampla MES en versiones 6.4 y anteriores actualicen a la versi\u00f3n 6.5 de Ampla MES tan pronto como les sea posible."}], "id": "CVE-2017-9635", "lastModified": "2019-10-09T23:30:44.597", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-18T13:29:00.223", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99469"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-326"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}