CVE-2022-36360

2022-10-1111:15:09

CWE-345

CWE-354

[email protected]

web.nvd.nist.gov

vulnerability

logo! 8 bm

firmware update

authenticity check

integrity verification

manipulation

flashing.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.8%

JSON

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Affected devices load firmware updates without checking the authenticity. Furthermore the integrity of the unencrypted firmware is only verified by a non-cryptographic method. This could allow an attacker to manipulate a firmware update and flash it to the device.

Affected configurations

Nvd

Node

siemenslogo\!_8_bm_firmwareRange<8.3

AND

siemenslogo\!8_bmMatch-

Node

siemenslogo\!8_bm_fs-05_firmwareRange<8.3

AND

siemenslogo\!8_bm_fs-05Match-

VendorProductVersionCPE
siemenslogo\!_8_bm_firmware*cpe:2.3:o:siemens:logo\!_8_bm_firmware:*:*:*:*:*:*:*:*
siemenslogo\!8_bm-cpe:2.3:h:siemens:logo\!8_bm:-:*:*:*:*:*:*:*
siemenslogo\!8_bm_fs-05_firmware*cpe:2.3:o:siemens:logo\!8_bm_fs-05_firmware:*:*:*:*:*:*:*:*
siemenslogo\!8_bm_fs-05-cpe:2.3:h:siemens:logo\!8_bm_fs-05:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
siemens	logo\!_8_bm_firmware	*	cpe:2.3:o:siemens:logo\!_8_bm_firmware::::::::
siemens	logo\!8_bm	-	cpe:2.3:h:siemens:logo\!8_bm:-:::::::*
siemens	logo\!8_bm_fs-05_firmware	*	cpe:2.3:o:siemens:logo\!8_bm_fs-05_firmware::::::::
siemens	logo\!8_bm_fs-05	-	cpe:2.3:h:siemens:logo\!8_bm_fs-05:-:::::::*