CVE-2017-13997

EUVD-2017-5512

03.10.2017, 01:29

A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Affected Products (NVD)

Vendor	Product	Version
schneider-electric	wonderware_indusoft_web_studio	𝑥 ≤ 8.0
schneider-electric	wonderware_intouch	𝑥 ≤ 8.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

http://www.securityfocus.com/bid/100952

https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01

http://www.securityfocus.com/bid/100952

https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01