Lucene search

[email protected]CVE-2021-40359

HistoryNov 09, 2021 - 12:15 p.m.

CVE-2021-40359

2021-11-0912:15:09

CWE-22

[email protected]

web.nvd.nist.gov

cve-2021-40359

siemens

openpcs

simatic batch

simatic net

simatic pcs 7

simatic route control

simatic wincc

cybersecurity

file download vulnerability

data security

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.9%

JSON

A vulnerability has been identified in OpenPCS 7 V8.2 (All versions), OpenPCS 7 V9.0 (All versions < V9.0 Upd4), OpenPCS 7 V9.1 (All versions), SIMATIC BATCH V8.2 (All versions), SIMATIC BATCH V9.0 (All versions), SIMATIC BATCH V9.1 (All versions), SIMATIC NET PC Software V14 (All versions), SIMATIC NET PC Software V15 (All versions), SIMATIC NET PC Software V16 (All versions < V16 Update 6), SIMATIC NET PC Software V17 (All versions < V17 SP1), SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3 UC04), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC Route Control V8.2 (All versions), SIMATIC Route Control V9.0 (All versions), SIMATIC Route Control V9.1 (All versions), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 5). When downloading files, the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files.

Affected configurations

NVD

Node

siemenssimatic_batchMatch8.2-

siemenssimatic_batchMatch8.2upd_9

siemenssimatic_batchMatch9.0-

siemenssimatic_batchMatch9.0sp1

siemenssimatic_batchMatch9.0sp1_update_1

siemenssimatic_batchMatch9.0sp1_update_2

siemenssimatic_batchMatch9.0sp1_update_3

siemenssimatic_batchMatch9.0sp1_update_4

siemenssimatic_batchMatch9.1-

siemenssimatic_net_pcMatch14-

siemenssimatic_net_pcMatch15-

siemenssimatic_net_pcMatch16-

siemenssimatic_net_pcMatch16update1

siemenssimatic_net_pcMatch17-

siemenssimatic_route_controlMatch8.2

siemenssimatic_route_controlMatch9.0-

siemenssimatic_route_controlMatch9.1-

siemenssimatic_winccRange≤7.4

siemenssimatic_winccMatch7.5

siemenssimatic_winccMatch7.5-

siemenssimatic_winccMatch7.5sp1

siemenssimatic_winccMatch7.5sp1_update1

siemenssimatic_winccMatch7.5sp1_update2

siemenssimatic_winccMatch7.5sp2

siemenssimatic_winccMatch7.5sp2_update1

siemenssimatic_winccMatch7.5sp2_update2

siemenssimatic_winccMatch7.5sp2_update3

siemenssimatic_winccMatch7.5sp2_update4

siemenssimatic_winccMatch15-

siemenssimatic_winccMatch16-

siemenssimatic_winccMatch16update1

siemenssimatic_winccMatch16update2

siemenssimatic_winccMatch16update3

siemenssimatic_winccMatch16update4

siemenssimatic_winccMatch17-

siemenssimatic_winccMatch17update1

siemenssimaticpcs_7Range≤8.2

siemenssimaticpcs_7Range9.0–9.1

siemenssimaticpcs_7Match9.1-

CPENameOperatorVersion
siemens:simatic_batchsiemens simatic batcheq8.2
siemens:simatic_batchsiemens simatic batcheq9.0
siemens:simatic_batchsiemens simatic batcheq9.1
siemens:simatic_net_pcsiemens simatic net pceq14
siemens:simatic_net_pcsiemens simatic net pceq15
siemens:simatic_net_pcsiemens simatic net pceq16
siemens:simatic_net_pcsiemens simatic net pceq17
siemens:simatic_route_controlsiemens simatic route controleq8.2
siemens:simatic_route_controlsiemens simatic route controleq9.0
siemens:simatic_route_controlsiemens simatic route controleq9.1

CPE	Name	Operator	Version
siemens:simatic_batch	siemens simatic batch	eq	8.2
siemens:simatic_batch	siemens simatic batch	eq	9.0
siemens:simatic_batch	siemens simatic batch	eq	9.1
siemens:simatic_net_pc	siemens simatic net pc	eq	14
siemens:simatic_net_pc	siemens simatic net pc	eq	15
siemens:simatic_net_pc	siemens simatic net pc	eq	16
siemens:simatic_net_pc	siemens simatic net pc	eq	17
siemens:simatic_route_control	siemens simatic route control	eq	8.2
siemens:simatic_route_control	siemens simatic route control	eq	9.0
siemens:simatic_route_control	siemens simatic route control	eq	9.1

Rows per page:

1-10 of 171

CNA Affected

[
  {
    "vendor": "Siemens",
    "product": "OpenPCS 7 V8.2",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "OpenPCS 7 V9.0",
    "versions": [
      {
        "version": "All versions < V9.0 Upd4",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "OpenPCS 7 V9.1",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC BATCH V8.2",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC BATCH V9.0",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC BATCH V9.1",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC NET PC Software V14",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC NET PC Software V15",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC NET PC Software V16",
    "versions": [
      {
        "version": "All versions < V16 Update 6",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC NET PC Software V17",
    "versions": [
      {
        "version": "All versions < V17 SP1",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC PCS 7 V8.2",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC PCS 7 V9.0",
    "versions": [
      {
        "version": "All versions < V9.0 SP3 UC04",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC PCS 7 V9.1",
    "versions": [
      {
        "version": "All versions < V9.1 SP1",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC Route Control V8.2",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC Route Control V9.0",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC Route Control V9.1",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC WinCC V15 and earlier",
    "versions": [
      {
        "version": "All versions < V15 SP1 Update 7",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC WinCC V16",
    "versions": [
      {
        "version": "All versions < V16 Update 5",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC WinCC V17",
    "versions": [
      {
        "version": "All versions < V17 Update 2",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC WinCC V7.4",
    "versions": [
      {
        "version": "All versions < V7.4 SP1 Update 19",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SIMATIC WinCC V7.5",
    "versions": [
      {
        "version": "All versions < V7.5 SP2 Update 5",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.9%

JSON

Related for CVE-2021-40359

prion1 cnvd1 nvd1 cvelist1 ics1