CVE-2017-12069

Summary

CVE	CVE-2017-12069
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-08-30 19:29:00 UTC
Updated	2017-10-06 01:29:00 UTC
Description	An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.

Risk And Classification

Problem Types: CWE-611

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Ocpfoundation	Local Discovery Server	All	All	All	All
Application	Ocpfoundation	Ua .net	All	All	All	All
Application	Siemens	Simatic Pcs7	All	All	All	All
Application	Siemens	Wincc	All	All	All	All

References

Reference	Source	Link	Tags
Page not found - OPC Foundation	CONFIRM	opcfoundation-onlineapplications.org	Patch, Vendor Advisory
Siemens SIMATIC WinCC OPC Discovery Service Bug Lets Remote Users Cause Denial of Service Attacks - SecurityTracker	SECTRACK	www.securitytracker.com
Siemens	CONFIRM	www.siemens.com	Vendor Advisory
Multiple Siemens Products CVE-2017-12069 XML External Entity Injection Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.