9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
Low
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.377 Low
EPSS
Percentile
97.1%
Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.
Siemens reports this vulnerability affects the following SINEC INS (Infrastructure Network Services) web-based application:
There are 71 third-party components affected by this vulnerability as Node.js, cURL, SQLite, CivetWeb and DNS(ISC BIND) could allow an attacker to interfere with the affected product.
CVE-2019-19242, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-19645, CVE-2019-19646, CVE-2019-19880, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19926, CVE-2020-1971, CVE-2020-7774, CVE-2020-8169, CVE-2020-8177, CVE-2020-8231, CVE-2020-8265, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2020-8287, CVE-2020-8625, CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358, CVE-2020-27304, CVE-2021-3449, CVE-2021-3450, CVE-2021-3672, CVE-2021-3711, CVE-2021-3712, CVE-2021-22876, CVE-2021-22883, CVE-2021-22884, CVE-2021-22890, CVE-2021-22897, CVE-2021-22898, CVE-2021-22901, CVE-2021-22918, CVE-2021-22921, CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926, CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-22945, CVE-2021-22946, CVE-2021-22947, CVE-2021-23362, CVE-2021-23840, CVE-2021-25214, CVE-2021-25215, CVE-2021-25216, CVE-2021-25219, CVE-2021-27290, CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 have been assigned to these third-party component vulnerabilities. A CVSS v3 base score of 9.8 has been calculated for the worst case; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Siemens reported this vulnerability to CISA.
Siemens has released an update for SINEC INS and recommends updating to v1.0.1.1 or later version.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and to follow the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity
For more information about this issue, please see Siemens’ security advisory SSA-389290
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
cert-portal.siemens.com/operational-guidelines-industrial-security.pdf
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cwe.mitre.org/data/definitions/1035.html
nvd.nist.gov/vuln/detail/CVE-2019-19242
nvd.nist.gov/vuln/detail/CVE-2019-19244
nvd.nist.gov/vuln/detail/CVE-2019-19317
nvd.nist.gov/vuln/detail/CVE-2019-19603
nvd.nist.gov/vuln/detail/CVE-2019-19645
nvd.nist.gov/vuln/detail/CVE-2019-19646
nvd.nist.gov/vuln/detail/CVE-2019-19880
nvd.nist.gov/vuln/detail/CVE-2019-19923
nvd.nist.gov/vuln/detail/CVE-2019-19924
nvd.nist.gov/vuln/detail/CVE-2019-19925
nvd.nist.gov/vuln/detail/CVE-2019-19926
nvd.nist.gov/vuln/detail/CVE-2020-11655
nvd.nist.gov/vuln/detail/CVE-2020-11656
nvd.nist.gov/vuln/detail/CVE-2020-13630
nvd.nist.gov/vuln/detail/CVE-2020-13631
nvd.nist.gov/vuln/detail/CVE-2020-13632
nvd.nist.gov/vuln/detail/CVE-2020-13871
nvd.nist.gov/vuln/detail/CVE-2020-15358
nvd.nist.gov/vuln/detail/CVE-2020-1971
nvd.nist.gov/vuln/detail/CVE-2020-27304
nvd.nist.gov/vuln/detail/CVE-2020-7774
nvd.nist.gov/vuln/detail/CVE-2020-8169
nvd.nist.gov/vuln/detail/CVE-2020-8177
nvd.nist.gov/vuln/detail/CVE-2020-8231
nvd.nist.gov/vuln/detail/CVE-2020-8265
nvd.nist.gov/vuln/detail/CVE-2020-8284
nvd.nist.gov/vuln/detail/CVE-2020-8285
nvd.nist.gov/vuln/detail/CVE-2020-8286
nvd.nist.gov/vuln/detail/CVE-2020-8287
nvd.nist.gov/vuln/detail/CVE-2020-8625
nvd.nist.gov/vuln/detail/CVE-2020-9327
nvd.nist.gov/vuln/detail/CVE-2021-22876
nvd.nist.gov/vuln/detail/CVE-2021-22883
nvd.nist.gov/vuln/detail/CVE-2021-22884
nvd.nist.gov/vuln/detail/CVE-2021-22890
nvd.nist.gov/vuln/detail/CVE-2021-22897
nvd.nist.gov/vuln/detail/CVE-2021-22898
nvd.nist.gov/vuln/detail/CVE-2021-22901
nvd.nist.gov/vuln/detail/CVE-2021-22918
nvd.nist.gov/vuln/detail/CVE-2021-22921
nvd.nist.gov/vuln/detail/CVE-2021-22922
nvd.nist.gov/vuln/detail/CVE-2021-22923
nvd.nist.gov/vuln/detail/CVE-2021-22924
nvd.nist.gov/vuln/detail/CVE-2021-22925
nvd.nist.gov/vuln/detail/CVE-2021-22926
nvd.nist.gov/vuln/detail/CVE-2021-22930
nvd.nist.gov/vuln/detail/CVE-2021-22931
nvd.nist.gov/vuln/detail/CVE-2021-22939
nvd.nist.gov/vuln/detail/CVE-2021-22940
nvd.nist.gov/vuln/detail/CVE-2021-22945
nvd.nist.gov/vuln/detail/CVE-2021-22946
nvd.nist.gov/vuln/detail/CVE-2021-22947
nvd.nist.gov/vuln/detail/CVE-2021-23362
nvd.nist.gov/vuln/detail/CVE-2021-23840
nvd.nist.gov/vuln/detail/CVE-2021-25214
nvd.nist.gov/vuln/detail/CVE-2021-25215
nvd.nist.gov/vuln/detail/CVE-2021-25216
nvd.nist.gov/vuln/detail/CVE-2021-25219
nvd.nist.gov/vuln/detail/CVE-2021-27290
nvd.nist.gov/vuln/detail/CVE-2021-32803
nvd.nist.gov/vuln/detail/CVE-2021-32804
nvd.nist.gov/vuln/detail/CVE-2021-3449
nvd.nist.gov/vuln/detail/CVE-2021-3450
nvd.nist.gov/vuln/detail/CVE-2021-3672
nvd.nist.gov/vuln/detail/CVE-2021-3711
nvd.nist.gov/vuln/detail/CVE-2021-3712
nvd.nist.gov/vuln/detail/CVE-2021-37701
nvd.nist.gov/vuln/detail/CVE-2021-37712
nvd.nist.gov/vuln/detail/CVE-2021-37713
nvd.nist.gov/vuln/detail/CVE-2021-39134
nvd.nist.gov/vuln/detail/CVE-2021-39135
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
support.industry.siemens.com/cs/ww/en/view/109806100/
twitter.com/CISAgov
twitter.com/intent/tweet?text=Siemens%20SINEC%20INS+https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/recommended-practices
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09&title=Siemens%20SINEC%20INS
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
www.oig.dhs.gov/
www.siemens.com/cert/operational-guidelines-industrial-security
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Siemens%20SINEC%20INS&body=www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
Low
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.377 Low
EPSS
Percentile
97.1%