===========================================================================
AUSCERT Security Bulletin

ASB-2013.0076
SSA-194865: Security Vulnerability in Siemens COMOS
19 June 2013
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Siemens COMOS
Operating System:     Windows
Impact/Access:        Increased Privileges -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Friday, July 19 2013

OVERVIEW

A vulnerability has been identified in Siemens COMOS versions prior to
9.2.0.6.10 and 10.0.3.0.4. [1]

IMPACT

The vendor has provided the following description regarding the
vulnerability:

"Vulnerability Description (CVE-2013-3927)
Authenticated users with read privileges can use the client library to
elevate their privileges for the COMOS database system. This enables the
users to access and modify all COMOS objects available in the database.

CVSS Base Score      4.6
CVSS Temporal Score  3.6
CVSS Overall Score   3.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)" [1]

MITIGATION

The vendor recommends updating to Siemens COMOS version 9.2.0.6.10 or
10.0.3.0.4. [1]

REFERENCES

[1] SSA-194865: Security Vulnerability in Siemens COMOS
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-194865.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================