Vulnerability Details : CVE-2017-9637
Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.
Products affected by CVE-2017-9637
- cpe:2.3:a:schneider-electric:ampla_manufacturing_execution_system:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-9637
- 0.05%: Probability of exploitation activity in the next 30 days
- ~ 20%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-9637
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST | |
4.1 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.5 | 3.6 | NIST | |
CWE ids for CVE-2017-9637
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: ics-cert@hq.dhs.gov (Secondary)
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-9637
- http://www.securityfocus.com/bid/99469
  Schneider Electric Ampla MES ICSA-17-187-05 Multiple Local Security Vulnerabilities (Third Party Advisory; VDB Entry)
- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05
  Schneider Electric Ampla MES | CISA (Third Party Advisory; US Government Resource)
- http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000118/
  Vendor Advisory