Details of VAR-202104-1828

ID

VAR-202104-1828

CVE

CVE-2021-27393

TITLE

Siemens Nucleus product DNS module can predict UDP port number vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-28698

DESCRIPTION

A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2013.08), Nucleus Source Code (Versions including affected DNS modules). The DNS client does not properly randomize UDP port numbers of DNS requests. That could allow an attacker to poison the DNS cache or spoof DNS resolving. The Nucleus NET module contains a series of standard-compliant network and communication protocols, drivers and utilities to provide full-featured network support in any embedded device. Nucleus RTOS provides a highly scalable microkernel-based real-time operating system designed for the scalability and reliability of systems in aerospace, industrial and medical applications. VSTAR is a complete AUTOSAR 4 based ECU solution that provides tools and embedded software for timely product deployment. Nucleus ReadyStart is a platform with integrated software IP, tools and services. The DNS module of Siemens Nucleus products has security vulnerabilities. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.07

sources: NVD: CVE-2021-27393 // CNVD: CNVD-2021-28698 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-27393

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-28698

AFFECTED PRODUCTS

vendor:	siemens	model:	nucleus net	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	nucleus source code	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	nucleus readystart v3	scope:	lt	version:	2013.08	Trust: 1.0
vendor:	siemens	model:	vstar	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	nucleus source code	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	nucleus rtos	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	nucleus net	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	nucleus readystart	scope:	lt	version:	v2013.08	Trust: 0.6

sources: CNVD: CNVD-2021-28698 // NVD: CVE-2021-27393

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-27393
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2021-28698
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-921
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-27393
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-27393
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-28698
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-27393
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-28698 // VULMON: CVE-2021-27393 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-921 // NVD: CVE-2021-27393

PROBLEMTYPE DATA

problemtype:

CWE-330

Trust: 1.0

sources: NVD: CVE-2021-27393

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-921

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Patch for Siemens Nucleus product DNS module can predict UDP port number vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/258426	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=05c4bed0fc8868101fc6066abbc9f1a5	Trust: 0.1

sources: CNVD: CNVD-2021-28698 // VULMON: CVE-2021-27393

EXTERNAL IDS

db:	SIEMENS	id:	SSA-201384	Trust: 2.3
db:	NVD	id:	CVE-2021-27393	Trust: 2.3
db:	CNVD	id:	CNVD-2021-28698	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-103-14	Trust: 0.6
db:	CS-HELP	id:	SB2021041408	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-921	Trust: 0.6
db:	VULMON	id:	CVE-2021-27393	Trust: 0.1

sources: CNVD: CNVD-2021-28698 // VULMON: CVE-2021-27393 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-921 // NVD: CVE-2021-27393

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-201384.pdf	Trust: 2.3
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-103-14	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041408	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27393	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/330.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://cert-portal.siemens.com/productcert/txt/ssa-201384.txt	Trust: 0.1

sources: CNVD: CNVD-2021-28698 // VULMON: CVE-2021-27393 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-921 // NVD: CVE-2021-27393

CREDITS

Siemens reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202104-921

SOURCES

db:	CNVD	id:	CNVD-2021-28698
db:	VULMON	id:	CVE-2021-27393
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-921
db:	NVD	id:	CVE-2021-27393

LAST UPDATE DATE

2024-08-14T12:40:19.503000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-28698	date:	2021-04-15T00:00:00
db:	VULMON	id:	CVE-2021-27393	date:	2021-04-30T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-921	date:	2022-01-14T00:00:00
db:	NVD	id:	CVE-2021-27393	date:	2022-04-22T19:38:54.327

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-28698	date:	2021-04-15T00:00:00
db:	VULMON	id:	CVE-2021-27393	date:	2021-04-22T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-921	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-27393	date:	2021-04-22T21:15:10.393