CVE-2016-9338

{"id": "CVE-2016-9338", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2017-02-13T21:59:01.627", "references": [{"url": "http://www.securityfocus.com/bid/95302", "tags": ["VDB Entry", "Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller."}, {"lang": "es", "value": "Ha sido descubierto un problema en controlador Rockwell Automation Allen-Bradley MicroLogix 1100, 1763-L16AWA, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores; 1763-L16BBB, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores; 1763-L16BWA, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores; y 1763-L16DWD, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores. Debido a una asignaci\u00f3n de permisos incorrecta para recursos cr\u00edticos, los usuarios con privilegios de administrador pueden eliminar todos los usuarios administrativos requiri\u00e9ndose un restablecimiento de f\u00e1brica para restaurar la funci\u00f3n del servidor web auxiliar. La explotaci\u00f3n de esta vulnerabilidad seguir\u00e1 permitiendo que el dispositivo afectado funcione en su capacidad como controlador."}], "lastModified": "2017-03-16T18:05:31.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:1763-l16awa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7434A56-A11C-4362-A806-ECC05EF81EDC", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16awa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E55698D3-601A-48E4-AD5A-C42AA32A02DC", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bbb_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FBC09CC-AD8C-4412-90B0-1E798B56C4F7", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bbb_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58265FCD-55B4-4E9C-8A02-9702B8ED5E4C", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bwa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A719DAFD-8BA2-4E56-AC78-60C2D9FCBAA0", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bwa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "530BB796-C178-49C1-ADF7-7B34E9FD6ED8", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16dwd_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6D6A13D-69AC-431B-9E12-BDB6523BB49D", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16dwd_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D38291EC-779A-461C-971B-09A52C2FB668", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44A021E4-B93B-4AA0-B7E7-A69F86666D24", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCE93E4A-C845-4B29-B09E-DA5EC4F22EC2", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awaa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE5F717B-487B-473F-BD50-0DE76CAFD6B7", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awaa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEB0FCA4-C3D7-46CC-9D4A-C7FE8B7D25C4", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55708721-9FAF-4778-95AE-C51FAF42E234", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E6A9C27-E079-43CD-A348-C257AD1B2C9B", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwaa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2830F25-7489-4B96-8750-8E187BA155A8", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwaa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "391B81A5-A3BB-44FD-9849-2D9FC0A004EE", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxb_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AACFCF1B-5FD4-451E-94F9-FFE6CA3427DB", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxb_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31BCB97C-9F7C-47C7-832E-2EAA7B841CA2", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxba_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93282079-80A2-4CDF-9EF8-D9EEBAC1D238", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxba_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4F5D81D-62BA-4655-8FB1-43BC0FF3288B", "versionEndIncluding": "15.004"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/732.html\">CWE-732: Incorrect Permission Assignment for Critical Resource</a>", "sourceIdentifier": "ics-cert@hq.dhs.gov"}