SecurityTracker.com
Category:   Application (Generic)  >   Siemens SIMATIC WinCC
Vendors:   Siemens
Siemens SIMATIC WinCC iOS App Lets Local Users Obtain Passwords and Gain Elevated Privileges
SecurityTracker Alert ID:  1031546
SecurityTracker URL:  http://securitytracker.com/id/1031546
CVE Reference:   CVE-2014-5231, CVE-2014-5232, CVE-2014-5233
Date:  Jan 15 2015
Impact:   Disclosure of authentication information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): iOS app prior to 1.0.2
Description:   A vulnerability was reported in the Siemens SIMATIC WinCC iOS app. A local user can obtain passwords. A local user can obtain elevated privileges on the target system.

A local user can obtain the application password [CVE-2014-5231].

When an application-specific password is set, the application does not require the password when the application is resumed from the background [CVE-2014-5232].

A local user can obtain Sm@rtServer credentials [CVE-2014-5233].

Kim Schlyter, Seyton Bradford, and Richard Warren from FortConsult (NCC Group) reported these vulnerabilities.

Impact:   A local user can obtain passwords.

A local user can bypass the password prompt to gain access to the application.

Solution:   The vendor has issued a fix (1.0.2).

The vendor's advisory is available at:

http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-311299.pdf

Vendor URL:  www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-311299.pdf
Cause:   Access control error, Authentication error
Underlying OS:  Apple (iOS)

Message History:   None.

