===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2012.0115.2
           A vulnerability has been identified in Siemens COMOS
                              17 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Siemens COMOS
Operating System:     Windows
Impact/Access:        Increased Privileges -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3009
Member content until: Thursday, September 13 2012

Revision History:     August 17 2012: Added CVE reference
                      August 14 2012: Initial Release

OVERVIEW

        A vulnerability has been identified in Siemens COMOS prior to versions
        9.1 Patch 413, 9.2 Update 03 Patch 023, 10.0 Patch 005, 10 SP1.


IMPACT

        The vendor has provided the following details regarding this
        vulnerability:

        "The object oriented database design of COMOS enables authenticated
        users to access database objects via published methods. Authenticated
        users with read privileges may exploit a vulnerability to elevate
        their rights. As a result, they may achieve full administrative access
        to the database." [1]


MITIGATION

        The vendor recommends updating COMOS to correct this issue. [1]


REFERENCES

        [1] SSA-312568: Security Vulnerability in COMOS
            http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-312568.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================