Vulnerability Details : CVE-2017-13997
A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.
Products affected by CVE-2017-13997
- Schneider-electric » Wonderware Indusoft Web Studio » Update SP2Versions up to, including, (<=) 8.0cpe:2.3:a:schneider-electric:wonderware_indusoft_web_studio:*:sp2:*:*:*:*:*:*
- Schneider-electric » Wonderware Intouch » Update SP2 Machine EditionVersions up to, including, (<=) 8.0cpe:2.3:a:schneider-electric:wonderware_intouch:*:sp2:*:*:machine:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-13997
0.39%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-13997
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-13997
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by:
- ics-cert@hq.dhs.gov (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2017-13997
-
http://www.securityfocus.com/bid/100952
Multiple Schneider Electric Products CVE-2017-13997 Authentication Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01
Schneider Electric InduSoft Web Studio, InTouch Machine Edition | CISAMitigation;Third Party Advisory;US Government Resource
Jump to