CVE-2016-9160

A vulnerability in SIEMENS SIMATIC WinCC (All versions < SIMATIC WinCC V7.2) and SIEMENS SIMATIC PCS 7 (All versions < SIMATIC PCS 7 V8.0 SP1) could allow a remote attacker to crash an ActiveX component or leak parts of the application memory if a user is tricked into clicking on a malicious link under certain conditions.

Weakness

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.

Affected Software

Name	Vendor	Start Version	End Version
Simatic_pcs_7	Siemens	*	8.0 (including)
Simatic_wincc	Siemens	*	7.1 (including)

Potential Mitigations

References

http://www.securityfocus.com/bid/94825
http://www.securitytracker.com/id/1037435
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-693129.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04
http://www.securityfocus.com/bid/94825
http://www.securitytracker.com/id/1037435
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-693129.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-9160
CWE	https://cwe.mitre.org/data/definitions/111.html

Direct Use of Unsafe JNI

Weakness

Affected Software

Potential Mitigations

References