Vulnerabilities > CVE-2017-12069 - XXE vulnerability in multiple products

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

siemens

ocpfoundation

CWE-611

NVD

Published: 2017-08-30

Updated: 2017-10-06

Summary

An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.

Vulnerable Configurations

Part	Description	Count
Application	Siemens Siemens Simatic Pcs7 7.1 Siemens Simatic Pcs7 8.0 Siemens Simatic Pcs7 8.1 Siemens Wincc 5.0 Siemens Wincc 6.0 Siemens Wincc 7.0 Siemens Wincc 7.1 Siemens Wincc 7.2 Siemens Wincc 7.3	18
Application	Ocpfoundation Ocpfoundation Local Discovery Server * Ocpfoundation UA .Net *	2

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References