Info

Disclosure

Jul 30, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Jul 25, 2012

Description

By default, Siemens Synco OZW installs with a default password for an unspecified administrator level account. This allows attackers to trivially access the program or system and gain privileged access.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Integrity
Solution: Upgrade, Change Default Setting
Exploit: Exploit Private
Disclosure: Vendor Verified
OSVDB: SCADA

Solution

The program enforces an immediate password change in version 4. Prior to that users should, immediately after installation, change all default installed accounts to use a unique and secure password. When possible, change default account names to custom names as well.

Products

Siemens AG	Synco OZW	672.01
		672.04
		672.16
		772.01
		772.04
		772.16
		772.250
		775

References

CVE ID: 2012-3020 (see also: NVD)
Vendor Specific Solution URL: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=41929231&subtype=130000&caller=view
Vendor Specific Advisory URL: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-283911.pdf
Other Advisory URL: http://www.us-cert.gov/control_systems/pdf/ICSA-12-214-01.pdf

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/84443

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Siemens AG

Synco OZW

References

Credit