CVE-2017-7928

An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The device does not properly enforce access control while configured for NAT port forwarding, which may allow for unauthorized communications to downstream devices.

CVSS v3 10.0 CRITICAL
CVSS v2.0 7.5 HIGH

10.0^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/99536	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06	Mitigation Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:selinc:sel-3620_firmware:r202:::::::*
	cpe:2.3:o:selinc:sel-3620_firmware:r203:::::::*
	cpe:2.3:o:selinc:sel-3620_firmware:r203-v:::::::*
	cpe:2.3:o:selinc:sel-3620_firmware:r203-v1:::::::*
	cpe:2.3:o:selinc:sel-3620_firmware:r204:::::::*
	cpe:2.3:o:selinc:sel-3620_firmware:r204-v1:::::::*

cpe:2.3:h:selinc:sel-3620:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:selinc:sel-3622_firmware:r202:::::::*
	cpe:2.3:o:selinc:sel-3622_firmware:r203:::::::*
	cpe:2.3:o:selinc:sel-3622_firmware:r203-v:::::::*
	cpe:2.3:o:selinc:sel-3622_firmware:r203-v1:::::::*
	cpe:2.3:o:selinc:sel-3622_firmware:r204:::::::*
	cpe:2.3:o:selinc:sel-3622_firmware:r204-v1:::::::*

cpe:2.3:h:selinc:sel-3622:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-08-07 08:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-7928

Mitre link : CVE-2017-7928

CVE.ORG link : CVE-2017-7928

JSON object : View

Products Affected

selinc

sel-3622_firmware
sel-3620_firmware
sel-3622
sel-3620

CWE

NVD-CWE-noinfo CWE-284

Improper Access Control

{"id": "CVE-2017-7928", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2017-08-07T08:29:00.290", "references": [{"url": "http://www.securityfocus.com/bid/99536", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The device does not properly enforce access control while configured for NAT port forwarding, which may allow for unauthorized communications to downstream devices."}, {"lang": "es", "value": "Se ha descubierto un problema de control de acceso incorrecto en Schweitzer Engineering Laboratories (SEL) SEL-3620 y SEL-3622 Security Gateway Versiones R202 y, R203, R203-V1, R203-V2 y, R204, R204-V1. El dispositivo no aplica correctamente controles de acceso al estar configurado para el reenv\u00edo de puertos NAT, lo que podr\u00eda permitir que se realizasen comunicaciones no autorizadas a dispositivos de bajada."}], "lastModified": "2019-10-09T23:29:59.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:selinc:sel-3620_firmware:r202:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6583BFAD-2575-4E44-8627-93F398CC5FBC"}, {"criteria": "cpe:2.3:o:selinc:sel-3620_firmware:r203:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "402F8A8A-1F2C-4604-B18C-AB2A25003A63"}, {"criteria": "cpe:2.3:o:selinc:sel-3620_firmware:r203-v:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45E61C60-30D0-45C9-BFC5-6FA526AAD466"}, {"criteria": "cpe:2.3:o:selinc:sel-3620_firmware:r203-v1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90060D74-8688-477B-842A-47A02F8B28D3"}, {"criteria": "cpe:2.3:o:selinc:sel-3620_firmware:r204:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38283FF1-5422-4D73-84CC-7EC57286A8FF"}, {"criteria": "cpe:2.3:o:selinc:sel-3620_firmware:r204-v1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD1BD563-98E4-4A2D-9489-5EA7959546EB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:selinc:sel-3620:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5DDB548A-15DE-4512-9C02-6197E08051DE"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:selinc:sel-3622_firmware:r202:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F65F7FC5-C8EF-4884-B5F5-66DBE6751121"}, {"criteria": "cpe:2.3:o:selinc:sel-3622_firmware:r203:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46A6C684-A415-4A00-AB85-13A127A13D65"}, {"criteria": "cpe:2.3:o:selinc:sel-3622_firmware:r203-v:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C7DCDDC-AE50-4322-BCEE-BF636ECA84B8"}, {"criteria": "cpe:2.3:o:selinc:sel-3622_firmware:r203-v1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B20DCC56-E2F2-4414-89D3-821F7E230B2E"}, {"criteria": "cpe:2.3:o:selinc:sel-3622_firmware:r204:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88CA202B-F6D0-4727-BFC0-DBA9A871B582"}, {"criteria": "cpe:2.3:o:selinc:sel-3622_firmware:r204-v1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F2DFB60-2951-4AAA-9094-CA7F90EC82DE"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:selinc:sel-3622:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F2A5E4D1-3584-4B2A-9598-601AAD7FF977"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}