CVE-2017-9637 - OpenCVE

Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Ampla Manufacturing Execution System

Configuration 1 [-]

cpe:2.3:a:schneider-electric:ampla_manufacturing_execution_system:*:*:*:*:*:*:*:*

References

Link	Resource
http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/	Vendor Advisory
http://www.securityfocus.com/bid/99469	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-06-30T00:00:00

Updated: 2018-05-19T09:57:01

Reserved: 2017-06-14T00:00:00

Link: CVE-2017-9637

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-18T13:29:00.283

Modified: 2019-10-09T23:30:44.847

Link: CVE-2017-9637

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Ampla MES", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "versions 6.4 and prior"}]}], "datePublic": "2017-06-30T00:00:00", "descriptions": [{"lang": "en", "value": "Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "Cleartext transmission of sensitive information CWE-319", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-19T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"name": "99469", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99469"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2017-06-30T00:00:00", "ID": "CVE-2017-9637", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ampla MES", "version": {"version_data": [{"version_value": "versions 6.4 and prior"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cleartext transmission of sensitive information CWE-319"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}, {"name": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/", "refsource": "CONFIRM", "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"name": "99469", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99469"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-9637", "datePublished": "2017-06-30T00:00:00", "dateReserved": "2017-06-14T00:00:00", "dateUpdated": "2018-05-19T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ampla_manufacturing_execution_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDB21341-79E5-4D5D-BD51-DE44C0284B21", "versionEndIncluding": "6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible."}, {"lang": "es", "value": "Schneider Electric Ampla MES 6.4 proporciona capacidades para interactuar con datos de bases de datos de terceros. Cuando la conectividad a esas bases de datos se configura para emplear un nombre de usuario y contrase\u00f1a SQL, un atacante podr\u00eda ser capaz de rastrear detalles de la cadena de conexi\u00f3n. Schneider Electric recomienda que los usuarios de Ampla MES en versiones 6.4 y anteriores actualicen a la versi\u00f3n 6.5 de Ampla MES tan pronto como les sea posible."}], "id": "CVE-2017-9637", "lastModified": "2019-10-09T23:30:44.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-18T13:29:00.283", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99469"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}