#VU11259 Improper access control in SIMATIC WinCC OA UI for Android and SIMATIC WinCC OA UI for iOS - CVE-2018-4844
Published: March 26, 2018 / Updated: March 26, 2018
Vulnerability identifier: #VU11259
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-4844
CWE-ID: CWE-284
Exploitation vector: Adjacent network
Exploit availability:
No public exploit available
Vulnerable software:
SIMATIC WinCC OA UI for Android
SIMATIC WinCC OA UI for iOS
Software vendor:
Siemens
Description
The vulnerability allows an adjacent attacker to bypass security restrictions on the target device.
The weakness exists due to insufficient limitation of CONTROL script capabilities in the mobile app. An adjacent attacker who tricks the victim into connecting the app to a malicious WinCC OA server can, through CONTROL scripts delivered by that server, read and write data in the app's project cache folder. User interaction (connecting to the attacker-controlled server) is required.
Remediation
Update to version 3.15.10.