2017-06-29 | Other | Siemens
# Siemens Viewport for Web Office Portal
### VULNERABLE VENDOR
Siemens
### VULNERABLE PRODUCT
Viewport for Web Office Portal
Hannes Trunde from Kapsch BusinessCom AG reported this vulnerability to Siemens.
### AFFECTED PRODUCTS
Siemens reports that the vulnerability affects the following ViewPort for Web Office Portal products:
- ViewPort for Web Office Portal: versions prior to revision number 1453
Successful exploitation of this vulnerability could allow a remote attacker to upload and execute arbitrary code.
### VULNERABILITY OVERVIEW
IMPROPER AUTHENTICATION CWE-287
An unauthenticated remote attacker may be able to use specially crafted network packets to upload arbitrary code to Port 443/TCP or Port 80/TCP and execute it with the permissions of the operating system user.
CVE-2017-6869 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Critical Infrastructure Sector(s): Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Siemens has released software revision number 1453 for ViewPort for Web Office Portal to address the vulnerability. It is recommended that users update to the fixed version. This new version can be obtained by emailing Siemens Energy Customer Support Center at: email@example.com
Siemens recommends the following mitigations until patches can be applied:
- Protect access to Port 443/TCP and Port 80/TCP of the affected product with appropriate measures.
- Disable Port 80/TCP and use TLS client certificates (PKI) to access Port 443/TCP.
For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-545214 at the following location: