Vulnerability identifier: #VU7492
Vulnerability risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software: SiPass (Client/Desktop applications / Other client software)
Vendor: Siemens
Description
The vulnerability allows a remote low-privileged attacker to bypass security restrictions on the target system.
The weakness exists due to improper permissions and access controls. A remote attacker can bypass security restrictions and read or write files on the file system of the SiPass integrated server over the network.
Successful exploitation of the vulnerability results in disclosure and modification of information.
Mitigation
Update to version 2.70.
Vulnerable software versions
SiPass: 2.60 - 2.65
External links
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-339433.pdf
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.