cnvd - cnvd-2017-07166

cnvd-2017-07166

Vulnerability from cnvd

Title

Advantech B + B SmartWorx MESR901身份验证绕过漏洞

Description

研华B + B SmartWorx MESR901是Modbus网关。研华B + B SmartWorx MESR901存在身份验证绕过漏洞。攻击者可以利用漏洞进行身份验证机制并执行未经授权的操作，导致进一步的攻击。

Severity

高

Formal description

目前没有详细的解决方案提供： https://www.Advantech?.com/

Reference

http://www.securityfocus.com/bid/98257 https://nvd.nist.gov/vuln/detail/CVE-2017-7909

Impacted products

Name
Advantech B+B SmartWorx MESR901 <=1.5.2

Show details on source website

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "98257"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-7909"
    }
  },
  "description": "\u7814\u534eB + B SmartWorx MESR901\u662fModbus\u7f51\u5173\u3002\r\n\r\n\u7814\u534eB + B SmartWorx MESR901\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u5e76\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\uff0c\u5bfc\u81f4\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002",
  "discovererName": "Maxim Rupp",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttps://www.Advantech?.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-07166",
  "openTime": "2017-05-22",
  "products": {
    "product": "Advantech B+B SmartWorx MESR901 \u003c=1.5.2"
  },
  "referenceLink": "http://www.securityfocus.com/bid/98257\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7909",
  "serverity": "\u9ad8",
  "submitTime": "2017-05-03",
  "title": "Advantech B + B SmartWorx MESR901\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2017-7909 (GCVE-0-2017-7909)

Vulnerability from cvelistv5

Published

2017-05-06 00:00

Modified

2024-08-05 16:19

Severity ?

CWE

CWE-603

Summary

A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages.

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03	x_refsource_MISC
	http://www.securityfocus.com/bid/98257	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	Advantech B+B SmartWorx MESR901	Version: Advantech B+B SmartWorx MESR901

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03"
          },
          {
            "name": "98257",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/98257"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Advantech B+B SmartWorx MESR901",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Advantech B+B SmartWorx MESR901"
            }
          ]
        }
      ],
      "datePublic": "2017-05-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-603",
              "description": "CWE-603",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-05-08T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03"
        },
        {
          "name": "98257",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/98257"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-7909",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Advantech B+B SmartWorx MESR901",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Advantech B+B SmartWorx MESR901"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-603"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03"
            },
            {
              "name": "98257",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/98257"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-7909",
    "datePublished": "2017-05-06T00:00:00",
    "dateReserved": "2017-04-18T00:00:00",
    "dateUpdated": "2024-08-05T16:19:29.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.