CVE-2016-9360

An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session.

CVSS v3 6.7 MEDIUM
CVSS v2.0 4.4 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.3

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/95630	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037809	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-05A	Mitigation Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ge:cimplicity::::::::
	cpe:2.3:a:ge:historian::::::::
	cpe:2.3:a:ge:ifix::::::::

History

03 Feb 2022, 19:40

Type	Values Removed	Values Added
References	~~(SECTRACK) http://www.securitytracker.com/id/1037809 -~~	(SECTRACK) http://www.securitytracker.com/id/1037809 - Third Party Advisory, VDB Entry
First Time		Ge Ge cimplicity Ge ifix Ge historian
CWE	~~CWE-200~~	CWE-522
CPE	cpe:2.3:a:general_electric:cimplicity:::::::: cpe:2.3:a:general_electric:historian:::::::: cpe:2.3:a:general_electric:ifix::sim_13::::::*	cpe:2.3:a:ge:cimplicity:::::::: cpe:2.3:a:ge:historian:::::::: cpe:2.3:a:ge:ifix::::::::

Information

Published : 2017-02-13 21:59

Updated : 2023-12-10 12:01

NVD link : CVE-2016-9360

Mitre link : CVE-2016-9360

CVE.ORG link : CVE-2016-9360

JSON object : View

Products Affected

ge

cimplicity
historian
ifix

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2016-9360", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 0.8}]}, "published": "2017-02-13T21:59:02.050", "references": [{"url": "http://www.securityfocus.com/bid/95630", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.securitytracker.com/id/1037809", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-05A", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session."}, {"lang": "es", "value": "Se encontr\u00f3 un problema en General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 y versiones anteriores, Proficy HMI/SCADA CIMPLICITY Versi\u00f3n 9.0 y versiones anteriores y Proficy Historian Versi\u00f3n 6.0 y versiones anteriores. Un atacante puede recuperar contrase\u00f1as de usuario si tiene acceso a una sesi\u00f3n autenticada."}], "lastModified": "2022-02-03T19:40:11.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ge:cimplicity:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1F646B5-A9D5-4D7A-A39E-B7393B2926B8", "versionEndIncluding": "9.0"}, {"criteria": "cpe:2.3:a:ge:historian:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58D8576D-3745-47AC-AFB5-AD7BEC33E906", "versionEndIncluding": "6.0"}, {"criteria": "cpe:2.3:a:ge:ifix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D226196E-5F36-4919-B975-AFDAE6340855", "versionEndIncluding": "5.8"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}