Lucene search

[email protected]CVE-2021-40363

HistoryFeb 09, 2022 - 4:15 p.m.

CVE-2021-40363

2022-02-0916:15:13

CWE-538

CWE-312

[email protected]

web.nvd.nist.gov

cve-2021-40363

simatic pcs 7

simatic wincc

vulnerability

local system account

credentials

project files

outdated cipher algorithm

brute force

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.5%

JSON

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The affected component stores the credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. An attacker may use this to brute force the credentials and take over the system.

Affected configurations

NVD

Node

siemenssimatic_pcs_7Range≤8.2

siemenssimatic_pcs_7Match9.0-

siemenssimatic_pcs_7Match9.1-

siemenssimatic_winccRange<7.4

siemenssimatic_winccMatch7.4-

siemenssimatic_winccMatch7.4sp1

siemenssimatic_winccMatch7.4sp1_update1

siemenssimatic_winccMatch7.4sp1_update10

siemenssimatic_winccMatch7.4sp1_update11

siemenssimatic_winccMatch7.4sp1_update12

siemenssimatic_winccMatch7.4sp1_update13

siemenssimatic_winccMatch7.4sp1_update14

siemenssimatic_winccMatch7.4sp1_update15

siemenssimatic_winccMatch7.4sp1_update16

siemenssimatic_winccMatch7.4sp1_update17

siemenssimatic_winccMatch7.4sp1_update18

siemenssimatic_winccMatch7.4sp1_update2

siemenssimatic_winccMatch7.4sp1_update3

siemenssimatic_winccMatch7.4sp1_update4

siemenssimatic_winccMatch7.4sp1_update5

siemenssimatic_winccMatch7.4sp1_update6

siemenssimatic_winccMatch7.4sp1_update7

siemenssimatic_winccMatch7.4sp1_update8

siemenssimatic_winccMatch7.4sp1_update9

siemenssimatic_winccMatch7.4update_1

siemenssimatic_winccMatch7.5-

siemenssimatic_winccMatch7.5sp1

siemenssimatic_winccMatch7.5sp1_update1

siemenssimatic_winccMatch7.5sp1_update2

siemenssimatic_winccMatch7.5sp2

siemenssimatic_winccMatch7.5sp2_update1

siemenssimatic_winccMatch7.5sp2_update2

siemenssimatic_winccMatch7.5sp2_update3

siemenssimatic_winccMatch7.5sp2_update4

siemenssimatic_winccMatch7.5sp2_update5

siemenssimatic_winccMatch13-

siemenssimatic_winccMatch13sp1

siemenssimatic_winccMatch13sp2

siemenssimatic_winccMatch14.0.1

siemenssimatic_winccMatch15

siemenssimatic_winccMatch15.1-

siemenssimatic_winccMatch15.1update_1

siemenssimatic_winccMatch15.1update_2

siemenssimatic_winccMatch15.1update_3

siemenssimatic_winccMatch15.1update_4

siemenssimatic_winccMatch15.1update_5

siemenssimatic_winccMatch15.1update_6

siemenssimatic_winccMatch16-

siemenssimatic_winccMatch16update1

siemenssimatic_winccMatch16update2

siemenssimatic_winccMatch16update3

siemenssimatic_winccMatch16update4

siemenssimatic_winccMatch17-

siemenssimatic_winccMatch17update1

CPENameOperatorVersion
siemens:simatic_pcs_7siemens simatic pcs 7le8.2
siemens:simatic_pcs_7siemens simatic pcs 7eq9.0
siemens:simatic_pcs_7siemens simatic pcs 7eq9.1
siemens:simatic_winccsiemens simatic wincclt7.4
siemens:simatic_winccsiemens simatic wincceq7.5
siemens:simatic_winccsiemens simatic wincceq13
siemens:simatic_winccsiemens simatic wincceq14.0.1
siemens:simatic_winccsiemens simatic wincceq15
siemens:simatic_winccsiemens simatic wincceq15.1
siemens:simatic_winccsiemens simatic wincceq16

CPE	Name	Operator	Version
siemens:simatic_pcs_7	siemens simatic pcs 7	le	8.2
siemens:simatic_pcs_7	siemens simatic pcs 7	eq	9.0
siemens:simatic_pcs_7	siemens simatic pcs 7	eq	9.1
siemens:simatic_wincc	siemens simatic wincc	lt	7.4
siemens:simatic_wincc	siemens simatic wincc	eq	7.5
siemens:simatic_wincc	siemens simatic wincc	eq	13
siemens:simatic_wincc	siemens simatic wincc	eq	14.0.1
siemens:simatic_wincc	siemens simatic wincc	eq	15
siemens:simatic_wincc	siemens simatic wincc	eq	15.1
siemens:simatic_wincc	siemens simatic wincc	eq	16

Rows per page:

1-10 of 111

CNA Affected

[
  {
    "product": "SIMATIC PCS 7 V8.2",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  },
  {
    "product": "SIMATIC PCS 7 V9.0",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  },
  {
    "product": "SIMATIC PCS 7 V9.1",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V9.1 SP1"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V15 and earlier",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V15 SP1 Update 7"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V16",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V16 Update 5"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V17",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V17 Update 2"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V17",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions <= V17 Update 4"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V7.4",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V7.4 SP1 Update 19"
      }
    ]
  },
  {
    "product": "SIMATIC WinCC V7.5",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V7.5 SP2 Update 6"
      }
    ]
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.5%

JSON

Related for CVE-2021-40363

cvelist1 cnvd1 prion1 nvd1 ics1