CVE-2011-4876

Published: Feb 3, 2012Modified: Apr 29, 2026

9.3

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability: 8.6 / Impact: 10.0

Source: NVD

Description

Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string.

Affected (12)

Products: Siemens: Wincc Flexible, Wincc, Simatic Hmi Panels, Wincc Runtime Advanced, Wincc Flexible Runtime

5 products

Simatic Hmi Panels

Wincc Runtime Advanced

Wincc Flexible Runtime

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Siemens Wincc Flexible	Version 2004
Siemens Wincc Flexible	Version 2005
Siemens Wincc Flexible	Version 2007
Siemens Wincc Flexible	Version 2008

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Siemens Wincc	Version v11

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Siemens Simatic Hmi Panels	Version comfort_panels
Siemens Simatic Hmi Panels	Version mobile_panels
Siemens Simatic Hmi Panels	Version mp
Siemens Simatic Hmi Panels	Version op
Siemens Simatic Hmi Panels	Version tp

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Siemens Wincc Runtime Advanced	Version v11

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Siemens Wincc Flexible Runtime	All versions

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (18)

http://aluigi.org/adv/winccflex_1-adv.txt

Source: cret@cert.org

http://secunia.com/advisories/46997

Source: cret@cert.org

http://www.exploit-db.com/exploits/18166

Source: cret@cert.org

http://www.osvdb.org/77381

Source: cret@cert.org

http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf

Source: cret@cert.org

Vendor Advisory

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02.pdf

Source: cret@cert.org

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02A.pdf

Source: cret@cert.org

http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf

Source: cret@cert.org

US Government Resource

https://exchange.xforce.ibmcloud.com/vulnerabilities/71450

Source: cret@cert.org

http://aluigi.org/adv/winccflex_1-adv.txt

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/46997

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.exploit-db.com/exploits/18166

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.osvdb.org/77381

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02A.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

US Government Resource

https://exchange.xforce.ibmcloud.com/vulnerabilities/71450

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.