CVE-2017-20238
7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Summary
Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contains an improper authorization vulnerability that allows read-only users to gain write access to managed devices by bypassing access control mechanisms. Attackers can exploit alternative interfaces such as the web interface or SNMP browser to modify device configurations despite having restricted permissions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Belden | Hirschmann Industrial HiVision | 06.0.06 | unaffected |
| Belden | Hirschmann Industrial HiVision | 07.0.01 | unaffected |
| Belden | Hirschmann Industrial HiVision | 06.0.00 <= 06.0.05 | affected |
| Belden | Hirschmann Industrial HiVision | 0 <= 07.00 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://assets.belden.com/m/7cc5d59343125b25/original/Security-Bulletin-Restricted-User-Roles-Write-Access-HiVision-2017-01.pdf
- https://www.vulncheck.com/advisories/hirschmann-industrial-hivision-improper-authorization-privilege-escalation
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.