===========================================================================
AUSCERT Security Bulletin

ASB-2012.0115.2
A vulnerability has been identified in Siemens COMOS
17 August 2012

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Siemens COMOS
Operating System:     Windows
Impact/Access:        Increased Privileges -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3009
Member content until: Thursday, September 13 2012

Revision History:     August 17 2012: Added CVE reference
                      August 14 2012: Initial Release

OVERVIEW

A vulnerability has been identified in Siemens COMOS prior to versions
9.1 Patch 413, 9.2 Update 03 Patch 023, 10.0 Patch 005, 10 SP1.

IMPACT

The vendor has provided the following details regarding this
vulnerability:

"The object oriented database design of COMOS enables authenticated
users to access database objects via published methods. Authenticated
users with read privileges may exploit a vulnerability to elevate their
rights. As a result, they may achieve full administrative access to the
database." [1]

MITIGATION

The vendor recommends updating COMOS to correct this issue. [1]

REFERENCES

[1] SSA-312568: Security Vulnerability in COMOS
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-312568.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================