CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
AI Score: 8.4 High (Confidence: High)
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
EPSS: 0.076 Low (Percentile: 94.1%)
Successful exploitation of these vulnerabilities could cause crashes and unrestricted file access, impacting the product’s confidentiality, integrity, and availability.
The following versions of SCALANCE LPE9403 (Local Processing Engine), a processing power extension for the SCALANCE family of products, are affected:
The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications using the file upload form handler, as well as those that use parts of the user-controlled filename in the output path, are susceptible to directory traversal.
CVE-2020-27304 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
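The directory traversal above comes from trusting the client-supplied filename when building the output path. As an added example (not code from CivetWeb, Siemens or this advisory), the following C function shows the kind of check an application could run on that filename, for instance in the form handler's field_found callback, before choosing a storage path; the function name safe_upload_path, the upload directory and the MAX_NAME limit are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 128   /* assumed upper bound on an uploaded file name */

/* Returns 0 and writes "<upload_dir>/<filename>" to out when filename is a
 * plain single path component; returns -1 (out left empty) otherwise. */
int safe_upload_path(const char *upload_dir, const char *filename,
                     char *out, size_t outlen)
{
    size_t len, i;
    int n;

    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (upload_dir == NULL || filename == NULL) return -1;

    len = strlen(filename);
    if (len == 0 || len > MAX_NAME) return -1;
    /* Hidden files, "." and ".." all start with a dot. */
    if (filename[0] == '.') return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        /* Allow-list: letters, digits, '.', '_', '-'. Path separators
         * ('/' and '\\') and control bytes never pass. */
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return -1;
    }
    /* Separators are already rejected; refusing ".." as well is defence in depth. */
    if (strstr(filename, "..") != NULL) return -1;

    /* snprintf reports truncation through its return value. */
    n = snprintf(out, outlen, "%s/%s", upload_dir, filename);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    /* Constructed sample filenames, as a client might submit them. */
    const char *names[] = { "report.pdf", "../../outside.txt",
                            "/abs/path.txt", "..", "a\\b.txt", "" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = safe_upload_path("/var/tmp/uploads", names[i], path, sizeof path);
        printf("%-20s -> %s\n", names[i], rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```

An allow-list on a single path component is stricter than stripping "../" sequences and avoids having to reason about encodings of the separator.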
A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial-of-service condition, slowing and eventually stopping the system while running OSP.
CVE-2021-20317 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
The use of alloca function with an uncontrolled size in function unit_name_path_escape allows a local attacker, able to mount a filesystem on a very long path, to crash systemd and the whole system by allocating a large space in the stack.
CVE-2021-33910 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A race condition vulnerability exists in Go. The incoming requests’ bodies are not closed after the handler panic, which could lead to a Reverse Proxy crash.
CVE-2021-36221 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the NewReader and OpenReader functions in archive/zip can still cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.
CVE-2021-39293 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A vulnerability exists in Moby (Docker Engine) where attempting to copy files using docker cp into a specially crafted container can result in UNIX file permission changes for existing files in the host’s filesystem, widening access to others. This does not directly allow files to be read, modified, or executed without an additional cooperating process.
CVE-2021-41089 has been assigned to this vulnerability. A CVSS v3 base score of 2.8 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N).
A vulnerability exists in Moby (Docker Engine) where the data directory contains subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs.
CVE-2021-41091 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).
A vulnerability exists in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file would result in any provided credentials being sent to registry-1.docker.io rather than the intended private registry.
CVE-2021-41092 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N).
A vulnerability exists in containerd where container root directories and some plugins have insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs.
CVE-2021-41103 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
In the Linux kernel, the “flags” member of the new pipe buffer structure could contain stale values. An unprivileged local user could use this to write to pages in the page cache backed by read-only files and thereby escalate their privileges on the system.
CVE-2022-0847 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Siemens reported these vulnerabilities to CISA.
Siemens recommends users of the affected product [update to Version 2.0](https://support.industry.siemens.com/cs/ww/en/view/109811123/) or later.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information, see Siemens Security Advisory SSA-222547.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.