CVE-2017-7968 - OpenCVE

An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions. Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files, which are placed in the system's path and can be manipulated by non-administrators. This could allow an authenticated user to escalate his or her privileges.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Wonderware Indusoft Web Studio

Configuration 1 [-]

cpe:2.3:a:schneider-electric:wonderware_indusoft_web_studio:*:*:*:*:*:*:*:*

References

Link	Resource
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-090-02	Vendor Advisory
http://www.securityfocus.com/bid/98544	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2017-05-19T15:00:00

Updated: 2017-05-24T09:57:01

Reserved: 2017-04-19T00:00:00

Link: CVE-2017-7968

JSON object: View

NVD Information

Status : Modified

Published: 2017-05-19T15:29:00.287

Modified: 2019-10-09T23:30:02.360

Link: CVE-2017-7968

JSON object: View

Redhat Information

No data.

CWE

CWE-276

{"containers": {"cna": {"affected": [{"product": "Schneider Electric Wonderware InduSoft Web Studio", "vendor": "n/a", "versions": [{"status": "affected", "version": "Schneider Electric Wonderware InduSoft Web Studio"}]}], "datePublic": "2017-05-19T00:00:00", "descriptions": [{"lang": "en", "value": "An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions. Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files, which are placed in the system's path and can be manipulated by non-administrators. This could allow an authenticated user to escalate his or her privileges."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-05-24T09:57:01", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02"}, {"tags": ["x_refsource_MISC"], "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-090-02"}, {"name": "98544", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98544"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2017-7968", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Schneider Electric Wonderware InduSoft Web Studio", "version": {"version_data": [{"version_value": "Schneider Electric Wonderware InduSoft Web Studio"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions. Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files, which are placed in the system's path and can be manipulated by non-administrators. This could allow an authenticated user to escalate his or her privileges."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02"}, {"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-090-02", "refsource": "MISC", "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-090-02"}, {"name": "98544", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98544"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2017-7968", "datePublished": "2017-05-19T15:00:00", "dateReserved": "2017-04-19T00:00:00", "dateUpdated": "2017-05-24T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:wonderware_indusoft_web_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "93923A2F-FFAB-4418-8F1E-603DF4C1DEB1", "versionEndIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions. Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files, which are placed in the system's path and can be manipulated by non-administrators. This could allow an authenticated user to escalate his or her privileges."}, {"lang": "es", "value": "Un problema de permisos predeterminado incorrecto se descubri\u00f3 en Schneider Electric Wonderware InduSoft Web Studio v8.0 revisi\u00f3n 3 y versiones anteriores. Despu\u00e9s de la instalaci\u00f3n, Wonderware InduSoft Web Studio crea un nuevo directorio y dos archivos, que se colocan en la ruta del sistema y pueden ser manipulados por no administradores. Esto podr\u00eda permitir a un usuario autenticado escalar sus privilegios."}], "id": "CVE-2017-7968", "lastModified": "2019-10-09T23:30:02.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-19T15:29:00.287", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-090-02"}, {"source": "cybersecurity@se.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98544"}, {"source": "cybersecurity@se.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}