CVE-2017-12069 Information

Description

An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Reference

http://www.securityfocus.com/bid/100559
http://www.securitytracker.com/id/1039510
https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2017-12069.pdf
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640.pdf

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

8.2

Base Severity

HIGH