SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-764204056] Siemens XHQ

Date: 2017-06-22
Type: Other
Platform: Siemens
Author: Siemens self-reported this vulnerability.
EDB-ID: N/A
CVE-ID: CVE-2017-6866
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# Siemens XHQ
#


### VULNERABLE VENDOR
Siemens


### VULNERABLE PRODUCT
XHQ



### RESEARCHER
Siemens self-reported this vulnerability.



### AFFECTED PRODUCTS

Siemens reports that the vulnerability affects the following versions of the XHQ operations intelligence product line:

XHQ 4: All versions prior to V4.7.1.3
XHQ 5: All versions prior to V5.0.0.2
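The two affected ranges above differ per major branch, so an asset-inventory check has to compare the installed version against the threshold of its own branch. The following is an added example (not Siemens code) that encodes the advisory's thresholds and classifies version strings such as those found in an inventory export; the sample inventory at the bottom is constructed for illustration.

```python
import re

# Fix thresholds taken from the advisory text: each XHQ major branch is
# fixed from the listed version onward, every earlier version is affected.
FIXED_VERSIONS = {
    4: (4, 7, 1, 3),   # XHQ 4: all versions prior to V4.7.1.3
    5: (5, 0, 0, 2),   # XHQ 5: all versions prior to V5.0.0.2
}


def parse_version(text):
    """Turn 'V4.7.1.3', 'v4.7.1' or '4.7.1.3' into a tuple of ints."""
    match = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text):
    """True if the version is in the affected range, False if it is at or
    past the fixed version, None if the major branch is not covered by the
    advisory (e.g. an XHQ 3 install) and needs manual follow-up.

    Tuple comparison treats a short version like '4.7.1' as earlier than
    '4.7.1.3', which is the conservative (affected) reading."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory):
    """Map host -> 'affected' / 'fixed' / 'unknown-branch' for a
    {host: version} inventory."""
    labels = {True: "affected", False: "fixed", None: "unknown-branch"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "xhq-plant-a": "V4.7.1.2",
        "xhq-plant-b": "V4.7.1.3",
        "xhq-corp":    "5.0.0.1",
        "xhq-test":    "V5.0.0.2",
        "xhq-legacy":  "V3.9",
    }
    for host, status in triage(sample).items():
        print("%-12s %s" % (host, status))
```

Anything reported as `unknown-branch` should be checked against the Siemens advisory directly rather than assumed safe.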



### IMPACT

This vulnerability could allow a low-privileged remote user to gain read access to data in the XHQ solution exceeding their configured permission level.



### VULNERABILITY OVERVIEW

IMPROPER ACCESS CONTROL CWE-284
A vulnerability in the XHQ server could allow an authenticated, low-privileged remote user to gain read access to data in the XHQ solution exceeding their configured permission level.
CVE-2017-6866 has been assigned to this vulnerability.
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The vector describes a network-reachable flaw that needs valid low-privilege credentials but no user interaction, with a high confidentiality impact and no integrity or availability impact, which is consistent with the 6.5 score.





### BACKGROUND

Critical Infrastructure Sector: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany




### MITIGATION

Siemens has released new versions of XHQ to address this vulnerability. Users should contact their local Siemens service organization for information on how to obtain the newest version of XHQ. If the local service organization is not known, contact a local Siemens hotline center:

https://w3.siemens.com/aspa_app/


Siemens strongly recommends users protect network access to XHQ with appropriate mechanisms. Siemens also advises that users configure the operational environment according to Siemens' Operational Guidelines for Industrial Security:

https://www.siemens.com/cert/operational-guidelines-industrial-security


For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-945660 at the following location:

http://www.siemens.com/cert/advisories