CVE-2017-6041

An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. This vulnerability allows an attacker to modify the operation and upload firmware changes without detection.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02	Mitigation Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/97388	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:marel:a320_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a320:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:marel:a325_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a325:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:marel:a371_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a371:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:marel:a520_master_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a520_master:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:marel:a520_slave_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a520_slave:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:marel:a530_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a530:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:marel:a542_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a542:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:marel:a571_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:a571:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:marel:check_bin_grader_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:check_bin_grader:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:marel:flowlineqc_t376_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:flowlineqc_t376:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:marel:ipm3_dual_cam_firmware:132:*:*:*:*:*:*:*

cpe:2.3:h:marel:ipm3_dual_cam:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:marel:ipm3_dual_cam_firmware:139:*:*:*:*:*:*:*

cpe:2.3:h:marel:ipm3_dual_cam:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:marel:ipm3_dual_cam_firmware:132:*:*:*:*:*:*:*

cpe:2.3:h:marel:ipm3_dual_cam:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:marel:p520_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:p520:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:marel:p574_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:p574:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:marel:sensorx13_qc_flow_line_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:sensorx13_qc_flow_line:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:marel:sensorx23_qc_master_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:sensorx23_qc_master:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:marel:sensorx23_qc_slave_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:sensorx23_qc_slave:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:marel:speed_batcher_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:speed_batcher:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:marel:t374_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:t374:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:marel:t377_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:t377:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:marel:v36_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:v36:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:marel:v36b_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:v36b:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND

cpe:2.3:o:marel:v36c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:marel:v36c:-:*:*:*:*:*:*:*

Information

Published : 2017-06-29 20:29

Updated : 2019-10-09 16:28

NVD link : CVE-2017-6041

Mitre link : CVE-2017-6041

JSON object : View

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

Products Affected

marel

a320
p520_firmware
sensorx13_qc_flow_line
sensorx23_qc_slave
a571
speed_batcher_firmware
t374
v36
v36c
v36c_firmware
sensorx23_qc_master_firmware
ipm3_dual_cam_firmware
a371
a571_firmware
sensorx13_qc_flow_line_firmware
a520_slave_firmware
t377
flowlineqc_t376_firmware
v36b_firmware
a320_firmware
a542
flowlineqc_t376
a325_firmware
a542_firmware
t377_firmware
sensorx23_qc_slave_firmware
a371_firmware
a520_master
p574_firmware
speed_batcher
a530_firmware
check_bin_grader_firmware
v36b
ipm3_dual_cam
sensorx23_qc_master
t374_firmware
a520_master_firmware
p520
a520_slave
check_bin_grader
v36_firmware
a325
a530
p574

9.8 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2017-6041

9.8^/10

7.5^/10

Attach tags to `CVE-2017-6041`