Details of VAR-202107-0958

ID

VAR-202107-0958

CVE

CVE-2021-31892

TITLE

Certificate validation vulnerability in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-012066

DESCRIPTION

A vulnerability has been identified in SINUMERIK Analyse MyCondition (All versions), SINUMERIK Analyze MyPerformance (All versions), SINUMERIK Analyze MyPerformance /OEE-Monitor (All versions), SINUMERIK Analyze MyPerformance /OEE-Tuning (All versions), SINUMERIK Integrate Client 02 (All versions >= V02.00.12 < 02.00.18), SINUMERIK Integrate Client 03 (All versions >= V03.00.12 < 03.00.18), SINUMERIK Integrate Client 04 (V04.00.02 and all versions >= V04.00.15 < 04.00.18), SINUMERIK Integrate for Production 4.1 (All versions < V4.1 SP10 HF3), SINUMERIK Integrate for Production 5.1 (V5.1), SINUMERIK Manage MyMachines (All versions), SINUMERIK Manage MyMachines /Remote (All versions), SINUMERIK Manage MyMachines /Spindel Monitor (All versions), SINUMERIK Manage MyPrograms (All versions), SINUMERIK Manage MyResources /Programs (All versions), SINUMERIK Manage MyResources /Tools (All versions), SINUMERIK Manage MyTools (All versions), SINUMERIK Operate V4.8 (All versions < V4.8 SP8), SINUMERIK Operate V4.93 (All versions < V4.93 HF7), SINUMERIK Operate V4.94 (All versions < V4.94 HF5), SINUMERIK Optimize MyProgramming /NX-Cam Editor (All versions). Due to an error in a third-party dependency the ssl flags used for setting up a TLS connection to a server are overwitten with wrong settings. This results in a missing validation of the server certificate and thus in a possible TLS MITM szenario. Multiple Siemens products contain certificate validation vulnerabilities.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-31892 // JVNDB: JVNDB-2021-012066 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-31892

AFFECTED PRODUCTS

vendor:	siemens	model:	sinumerik integrate for production	scope:	eq	version:	5.1	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate client	scope:	gte	version:	4.00.15	Trust: 1.0
vendor:	siemens	model:	sinumerik manage mymachines	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik operate	scope:	eq	version:	4.93	Trust: 1.0
vendor:	siemens	model:	sinumerik operate	scope:	eq	version:	4.8	Trust: 1.0
vendor:	siemens	model:	sinumerik manage myresources	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik analyze myperformance	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik analyse mycondition	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate client	scope:	gte	version:	3.00.12	Trust: 1.0
vendor:	siemens	model:	sinumerik operate	scope:	eq	version:	4.94	Trust: 1.0
vendor:	siemens	model:	sinumerik optimize myprogramming	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate client	scope:	gte	version:	2.00.12	Trust: 1.0
vendor:	siemens	model:	sinumerik operate	scope:	lt	version:	4.8	Trust: 1.0
vendor:	siemens	model:	sinumerik manage myprograms	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate client	scope:	lt	version:	3.00.18	Trust: 1.0
vendor:	siemens	model:	sinumerik manage mytools	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate client	scope:	lt	version:	2.00.18	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate for production	scope:	lte	version:	4.1	Trust: 1.0
vendor:	siemens	model:	sinumerik integrate client	scope:	lt	version:	4.00.18	Trust: 1.0
vendor:	シーメンス	model:	sinumerik analyze myperformance	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik integrate client	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik operate	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik manage myprograms	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik integrate for production	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik manage myresources	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik manage mytools	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik analyse mycondition	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinumerik manage mymachines	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-012066 // NVD: CVE-2021-31892

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-31892
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-31892
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-936
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-31892
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2021-31892
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-31892
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-012066 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-936 // NVD: CVE-2021-31892

PROBLEMTYPE DATA

problemtype:	CWE-295	Trust: 1.0
problemtype:	Illegal certificate verification (CWE-295) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-012066 // NVD: CVE-2021-31892

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-936

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	SSA-729965	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-729965.pdf	Trust: 0.8
title:	Siemens SINUMERIK Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156629	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=5c67d9cd3bf80eef1b0e658801ea5c7b	Trust: 0.1

sources: VULMON: CVE-2021-31892 // JVNDB: JVNDB-2021-012066 // CNNVD: CNNVD-202107-936

EXTERNAL IDS

db:	NVD	id:	CVE-2021-31892	Trust: 3.3
db:	ICS CERT	id:	ICSA-21-194-04	Trust: 2.4
db:	SIEMENS	id:	SSA-729965	Trust: 1.7
db:	JVNDB	id:	JVNDB-2021-012066	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2400	Trust: 0.6
db:	CS-HELP	id:	SB2021071419	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-936	Trust: 0.6
db:	VULMON	id:	CVE-2021-31892	Trust: 0.1

sources: VULMON: CVE-2021-31892 // JVNDB: JVNDB-2021-012066 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-936 // NVD: CVE-2021-31892

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-729965.pdf	Trust: 1.7
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-194-04	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31892	Trust: 1.4
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-194-04	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071419	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2400	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/295.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://cert-portal.siemens.com/productcert/txt/ssa-729965.txt	Trust: 0.1

sources: VULMON: CVE-2021-31892 // JVNDB: JVNDB-2021-012066 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-936 // NVD: CVE-2021-31892

SOURCES

db:	VULMON	id:	CVE-2021-31892
db:	JVNDB	id:	JVNDB-2021-012066
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-936
db:	NVD	id:	CVE-2021-31892

LAST UPDATE DATE

2024-08-14T12:06:50.772000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-31892	date:	2021-07-13T00:00:00
db:	JVNDB	id:	JVNDB-2021-012066	date:	2022-08-23T05:18:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-936	date:	2021-08-10T00:00:00
db:	NVD	id:	CVE-2021-31892	date:	2021-08-09T16:26:16.037

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-31892	date:	2021-07-13T00:00:00
db:	JVNDB	id:	JVNDB-2021-012066	date:	2022-08-23T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-936	date:	2021-07-13T00:00:00
db:	NVD	id:	CVE-2021-31892	date:	2021-07-13T11:15:09.453