SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-328641979] iniNet Solutions GmbH SCADA Webserver

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download App | SIS Signature |
|---|---|---|---|---|---|---|---|---|
| 2017-09-21 | PLC | iniNet Solutions GmbH | Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences, reported this vulnerability. | N/A | CVE-2017-1399 | N/A | N/A | N/A |

Source

#
# iniNet Solutions GmbH SCADA Webserver
#


### VULNERABLE VENDOR
iniNet Solutions GmbH


### VULNERABLE PRODUCT
SCADA Webserver



### RESEARCHER
Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences, reported this vulnerability.



### AFFECTED PRODUCTS

The following versions of iniNet Solutions GmbH's SCADA Webserver, a third-party web-based server software, are affected:

iniNet Webserver, All versions prior to V2.02.0100



### IMPACT

Successful exploitation of this vulnerability could allow malicious users to access human-machine interface (HMI) pages or to modify programmable logic controller (PLC) variables without authentication.



### VULNERABILITY OVERVIEW

IMPROPER AUTHENTICATION CWE-287
The webserver does not properly authenticate users, which may allow a malicious attacker to access sensitive information such as HMI pages or modify PLC variables.
CVE-2017-13995 has been assigned to this vulnerability.
A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).





### BACKGROUND

Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland




### MITIGATION

IniNet Solutions GmbH has released a new version of the SCADA Webserver, V2.02.0100, which allows users to implement basic authentication. It can be found at the following location (login required):

http://spidercontrol.net/download/downloadarea/?lang=en


Instructions for implementing basic authentication can be found in the user manual for V2.02.0100.

IniNet Solutions GmbH reminds users that the webserver is designed to be used in a protected environment.

As a third-party software, the iniNet Webserver is used in many different vendors' products. Asset owners should determine if they are using a vulnerable version of the iniNet Webserver and follow the recommended practices below.

IniNet Solutions GmbH recommends that users never connect PLCs to the Internet. If a user must connect to the Internet, IniNet Solutions GmbH recommends using a managed infrastructure to do so.
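The two checks an asset owner needs from this advisory are (a) whether an installed iniNet Webserver build is prior to V2.02.0100 and (b) whether, after upgrading, basic authentication is actually enforced on the HMI front end. The script below is an added illustration written for this page, not code from CRITIFENCE, iniNet Solutions GmbH, or the researchers. It assumes the vendor's version strings follow the dotted form shown in the advisory (`V2.02.0100`), and it judges enforcement purely on the HTTP behaviour of an unauthenticated request (a 401 with a `Basic` challenge); the sample responses at the bottom are constructed, and the optional `probe()` helper is meant for the owner's own inventory hosts.

```python
import re
import sys
import urllib.request
import urllib.error
from dataclasses import dataclass, field

# From the advisory: all versions prior to V2.02.0100 are affected.
FIXED_VERSION = "V2.02.0100"

VERDICT_AFFECTED = "AFFECTED: upgrade to V2.02.0100 and enable basic authentication"
VERDICT_NO_AUTH = "PATCHED BUT OPEN: basic authentication is not enforced"
VERDICT_OK = "OK: fixed version and basic authentication enforced"


def parse_version(version: str) -> tuple:
    """Turn 'V2.02.0100' (or '2.1.0') into a comparable tuple of ints.

    The leading-'V', dotted-numeric grammar is an assumption taken from the
    single version string quoted in the advisory.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the installed build is older than the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class HttpResponse:
    """Minimal view of what an unauthenticated GET came back with."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive; normalise on lookup.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def requires_basic_auth(resp: HttpResponse) -> bool:
    """True only if the request was refused with an HTTP Basic challenge.

    A 200 (page served) or a 401 without a WWW-Authenticate challenge both
    mean the front end is still reachable without credentials.
    """
    if resp.status != 401:
        return False
    return resp.header("WWW-Authenticate").lower().startswith("basic")


def assess(version: str, resp: HttpResponse) -> str:
    """Combine the version check and the live behaviour into one verdict."""
    if is_affected(version):
        return VERDICT_AFFECTED
    if not requires_basic_auth(resp):
        return VERDICT_NO_AUTH
    return VERDICT_OK


def probe(url: str, timeout: float = 5.0) -> HttpResponse:
    """Fetch URL without credentials (hypothetical helper for your own hosts).

    urllib raises HTTPError for 401, so the challenge headers are read from
    the exception object.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return HttpResponse(r.status, dict(r.headers))
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, dict(e.headers))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real device.
    open_page = HttpResponse(200, {"Content-Type": "text/html"})
    challenged = HttpResponse(401, {"WWW-Authenticate": 'Basic realm="SCADA"'})
    for ver, resp in [("V2.01.0300", open_page),
                      ("V2.02.0100", open_page),
                      ("V2.02.0100", challenged)]:
        print(f"{ver:12} -> {assess(ver, resp)}")
    # Optional live check against one of your own inventory hosts:
    if len(sys.argv) > 2:
        print(assess(sys.argv[1], probe(sys.argv[2])))
```

Run it with no arguments to see the three constructed cases, or as `python check.py V2.02.0100 http://<your-hmi-host>/` to evaluate a host you administer. The verdicts are deliberately ordered so that a back-level build is reported as affected regardless of what the front end returns: the advisory's fix is the version upgrade first, and authentication only becomes configurable from V2.02.0100.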