Man-in-the-middle in Siemens LOGO! Soft Comfort
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-12740 |
| CWE-ID | CWE-300 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
LOGO! Soft Comfort Client/Desktop applications / Other client software |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Man-in-the-middle attack
EUVDB-ID: #VU9701
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-12740
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct man-in-the-middle attack.
The weakness exists due to lack of integrity verification on software packages downloaded via an unprotected communication channel. A remote attacker can use man-in-the-middle technique and manipulate the software package.
Update to version 8.2.
LOGO! Soft Comfort: All versions
External linkshttp://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-888929.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
