ID

VAR-202102-0161


CVE

CVE-2020-15798


TITLE

Lack of authentication vulnerability for critical functions in Siemens HMI products

Trust: 0.8

sources: JVNDB: JVNDB-2021-001015

DESCRIPTION

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Comfort Panel. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 22 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Siemens SIMATIC HMI is a device from Germany's Siemens that provides human-computer interaction functions for industrial automation equipment.

Trust: 2.88

sources: NVD: CVE-2020-15798 // JVNDB: JVNDB-2021-001015 // ZDI: ZDI-21-129 // CNVD: CNVD-2021-07537 // VULMON: CVE-2020-15798

IOT TAXONOMY

category: ['ICS'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-07537

AFFECTED PRODUCTS

vendor: siemens model: simatic hmi comfort panels scope: eq version: 16.0

Trust: 1.0

vendor: siemens model: sinamics sm150i scope: eq version: -

Trust: 1.0

vendor: siemens model: sinamics sh150 scope: eq version: -

Trust: 1.0

vendor: siemens model: simatic hmi comfort panels scope: lt version: 16.0

Trust: 1.0

vendor: siemens model: sinamics gm150 scope: eq version: -

Trust: 1.0

vendor: siemens model: simatic hmi ktp mobile panels scope: eq version: 16.0

Trust: 1.0

vendor: siemens model: simatic hmi ktp mobile panels scope: lt version: 16.0

Trust: 1.0

vendor: siemens model: sinamics sm120 scope: eq version: -

Trust: 1.0

vendor: siemens model: sinamics gh150 scope: eq version: -

Trust: 1.0

vendor: siemens model: sinamics sl150 scope: eq version: -

Trust: 1.0

vendor: siemens model: sinamics sm150 scope: eq version: -

Trust: 1.0

vendor: siemens model: sinamics gl150 scope: eq version: -

Trust: 1.0

vendor: シーメンス model: simatic hmi comfort panels scope: - version: -

Trust: 0.8

vendor: シーメンス model: simatic hmi ktp mobile panels scope: lt version: v16 update 3a earlier versions

Trust: 0.8

vendor: siemens model: comfort panel scope: - version: -

Trust: 0.7

vendor: siemens model: simatic hmi scope: - version: -

Trust: 0.6

sources: ZDI: ZDI-21-129 // CNVD: CNVD-2021-07537 // JVNDB: JVNDB-2021-001015 // NVD: CVE-2020-15798

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-15798
value: CRITICAL

Trust: 1.0

IPA: JVNDB-2021-001015
value: HIGH

Trust: 0.8

ZDI: CVE-2020-15798
value: CRITICAL

Trust: 0.7

CNVD: CNVD-2021-07537
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202101-2499
value: CRITICAL

Trust: 0.6

VULMON: CVE-2020-15798
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-15798
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-07537
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-15798
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

IPA: JVNDB-2021-001015
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-15798
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-129 // CNVD: CNVD-2021-07537 // VULMON: CVE-2020-15798 // JVNDB: JVNDB-2021-001015 // CNNVD: CNNVD-202101-2499 // NVD: CVE-2020-15798

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.0

problemtype: Lack of authentication for important features (CWE-306) [IPA Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-001015 // NVD: CVE-2020-15798

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-2499

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202101-2499

PATCH

title: SSA-520004 url: https://support.industry.siemens.com/cs/document/109746530/image-downloads-for-hmi-operator-panels?dti=0&lc=en-WW

Trust: 0.8

title: Siemens has issued an update to correct this vulnerability. url: https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02

Trust: 0.7

title: Patch for Siemens Simatic Hmi authorization issue vulnerability url: https://www.cnvd.org.cn/patchInfo/show/246031

Trust: 0.6

title: Siemens Simatic Hmi Remediation measures for authorization problem vulnerabilities url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140096

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=727a7bb82c467c1176e726c944e1c560

Trust: 0.1

title: Siemens Security Advisories: Siemens Security Advisory url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=a4e80f78fa87968e8881f762b328bbfa

Trust: 0.1

title: - url: https://github.com/Live-Hack-CVE/CVE-2020-15798

Trust: 0.1

sources: ZDI: ZDI-21-129 // CNVD: CNVD-2021-07537 // VULMON: CVE-2020-15798 // JVNDB: JVNDB-2021-001015 // CNNVD: CNNVD-202101-2499

EXTERNAL IDS

db: NVD id: CVE-2020-15798

Trust: 3.8

db: ICS CERT id: ICSA-21-033-02

Trust: 2.5

db: SIEMENS id: SSA-520004

Trust: 1.7

db: SIEMENS id: SSA-752103

Trust: 1.7

db: ZDI id: ZDI-21-129

Trust: 0.8

db: JVN id: JVNVU92618342

Trust: 0.8

db: JVN id: JVNVU91051134

Trust: 0.8

db: JVNDB id: JVNDB-2021-001015

Trust: 0.8

db: ZDI_CAN id: ZDI-CAN-12046

Trust: 0.7

db: CNVD id: CNVD-2021-07537

Trust: 0.6

db: ICS CERT id: ICSA-21-131-13

Trust: 0.6

db: AUSCERT id: ESB-2021.0384

Trust: 0.6

db: CNNVD id: CNNVD-202101-2499

Trust: 0.6

db: VULMON id: CVE-2020-15798

Trust: 0.1

sources: ZDI: ZDI-21-129 // CNVD: CNVD-2021-07537 // VULMON: CVE-2020-15798 // JVNDB: JVNDB-2021-001015 // CNNVD: CNNVD-202101-2499 // NVD: CVE-2020-15798

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02

Trust: 3.8

url:https://cert-portal.siemens.com/productcert/pdf/ssa-520004.pdf

Trust: 1.7

url:https://cert-portal.siemens.com/productcert/pdf/ssa-752103.pdf

Trust: 1.7

url:https://vigilance.fr/vulnerability/simatic-hmi-code-execution-via-unauthenticated-telnet-34430

Trust: 1.2

url:http://jvn.jp/cert/jvnvu92618342

Trust: 0.8

url:https://jvn.jp/vu/jvnvu91051134/index.html

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.0384/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-131-13

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2020-15798

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.zerodayinitiative.com/advisories/zdi-21-129/

Trust: 0.1

sources: ZDI: ZDI-21-129 // CNVD: CNVD-2021-07537 // VULMON: CVE-2020-15798 // JVNDB: JVNDB-2021-001015 // CNNVD: CNNVD-202101-2499 // NVD: CVE-2020-15798

CREDITS

Ta-Lun Yen of TXOne IoT/ICS Security Research Labs (Trend Micro)

Trust: 0.7

sources: ZDI: ZDI-21-129

SOURCES

db: ZDI id: ZDI-21-129
db: CNVD id: CNVD-2021-07537
db: VULMON id: CVE-2020-15798
db: JVNDB id: JVNDB-2021-001015
db: CNNVD id: CNNVD-202101-2499
db: NVD id: CVE-2020-15798

LAST UPDATE DATE

2024-08-14T12:51:16.830000+00:00


SOURCES UPDATE DATE

db: ZDI id: ZDI-21-129 date: 2021-02-04T00:00:00
db: CNVD id: CNVD-2021-07537 date: 2021-02-03T00:00:00
db: VULMON id: CVE-2020-15798 date: 2022-10-19T00:00:00
db: JVNDB id: JVNDB-2021-001015 date: 2021-05-19T07:05:00
db: CNNVD id: CNNVD-202101-2499 date: 2021-08-11T00:00:00
db: NVD id: CVE-2020-15798 date: 2022-10-19T19:39:10.340

SOURCES RELEASE DATE

db: ZDI id: ZDI-21-129 date: 2021-02-04T00:00:00
db: CNVD id: CNVD-2021-07537 date: 2021-01-31T00:00:00
db: VULMON id: CVE-2020-15798 date: 2021-02-09T00:00:00
db: JVNDB id: JVNDB-2021-001015 date: 2021-02-01T00:00:00
db: CNNVD id: CNNVD-202101-2499 date: 2021-01-28T00:00:00
db: NVD id: CVE-2020-15798 date: 2021-02-09T17:15:13.437