2017-09-21 | PLC | iniNet Solutions GmbH
# iniNet Solutions GmbH SCADA Webserver
### VULNERABLE VENDOR
iniNet Solutions GmbH
### VULNERABLE PRODUCT
SCADA Webserver
### RESEARCHER
Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences, reported this vulnerability.
### AFFECTED PRODUCTS
The following versions of iniNet Solutions GmbH’s SCADA Webserver, a third-party web-based server software, are affected:
iniNet Webserver, all versions prior to V2.02.0100
Successful exploitation of this vulnerability could allow malicious users to access human-machine interface (HMI) pages or to modify programmable logic controller (PLC) variables without authentication.
### VULNERABILITY OVERVIEW
IMPROPER AUTHENTICATION CWE-287
The webserver does not properly authenticate users, which may allow a malicious attacker to access sensitive information such as HMI pages or modify PLC variables.
CVE-2017-13995 has been assigned to this vulnerability.
A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland
IniNet Solutions GmbH has released a new version of the SCADA Webserver, V2.02.0100, which allows users to implement basic authentication. It can be found at the following location (login required):
Instructions for implementing basic authentication can be found in the user manual for V2.02.0100.
IniNet Solutions GmbH reminds users that the webserver is designed to be used in a protected environment.
As third-party software, the iniNet Webserver is used in many different vendors’ products. Asset owners should determine if they are using a vulnerable version of the iniNet Webserver and follow the recommended practices below.
IniNet Solutions GmbH recommends that users never connect PLCs to the Internet. If a user must connect to the Internet, IniNet Solutions GmbH recommends using a managed infrastructure to do so.
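The following sketch is an added example, not part of the advisory or of any iniNet tooling. It triages an asset inventory against the guidance above: versions prior to V2.02.0100 are affected, the fixed release still needs basic authentication to be configured, and Internet reachability is flagged. The inventory columns, asset names and the assumption that version fields compare numerically are all hypothetical.

```python
import csv
import io
import re

FIXED = "V2.02.0100"  # first fixed release named in the advisory

def parse_version(text):
    """Turn 'V2.02.0100' into (2, 2, 100); None if the string has another shape.
    Assumes the three dotted fields compare numerically (not stated in the advisory)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(row):
    """Return the list of findings for one inventory row (hypothetical columns)."""
    findings = []
    version = parse_version(row["webserver_version"])
    if version is None:
        findings.append("version unknown: verify manually")
    elif version < parse_version(FIXED):
        findings.append("prior to " + FIXED + ": affected, upgrade")
    elif row["basic_auth"].strip().lower() != "yes":
        # The fixed release only allows basic authentication; it has to be configured.
        findings.append("fixed release but basic authentication not enabled")
    if row["internet_reachable"].strip().lower() == "yes":
        findings.append("reachable from the Internet: vendor advises against this")
    return findings

# Constructed sample inventory; asset names and values are made up for illustration.
SAMPLE = """asset,webserver_version,basic_auth,internet_reachable
hmi-line1,V2.01.0200,no,no
hmi-line2,V2.02.0100,no,no
hmi-line3,V2.02.0100,yes,yes
hmi-line4,V2.03.0000,yes,no
hmi-line5,unknown,no,no
"""

def triage_inventory(text):
    """Map each asset name to its findings; an empty list means nothing to do."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["asset"]: triage(row) for row in reader}

if __name__ == "__main__":
    for asset, findings in triage_inventory(SAMPLE).items():
        print(asset, "->", "; ".join(findings) or "ok")
```

An asset at the fixed version with authentication left unconfigured is reported separately, because upgrading alone does not add an authentication check.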