Sign-up

ID

VAR-202108-1890


CVE

CVE-2021-37160


TITLE

Nexus Control Panel code issue vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-62176

DESCRIPTION

A firmware validation issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. There is no firmware validation (e.g., cryptographic signature validation) during a File Upload for a firmware update. No detailed vulnerability details are currently provided. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.07

sources: NVD: CVE-2021-37160 // CNVD: CNVD-2021-62176 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-37160

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-62176

AFFECTED PRODUCTS

vendor:swisslog healthcaremodel:hmi-3 control panelscope:ltversion:7.2.5.7

Trust: 1.0

vendor:swisslogmodel:healthcare nexus control panelscope:ltversion:7.2.5.7

Trust: 0.6

sources: CNVD: CNVD-2021-62176 // NVD: CVE-2021-37160

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-37160
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2021-62176
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-081
value: CRITICAL

Trust: 0.6

VULMON: CVE-2021-37160
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-37160
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-62176
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-37160
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2021-62176 // VULMON: CVE-2021-37160 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-081 // NVD: CVE-2021-37160

PROBLEMTYPE DATA

problemtype:CWE-347

Trust: 1.0

sources: NVD: CVE-2021-37160

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-081

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Threatposturl:https://threatpost.com/pwnedpiper-bugs-hospital-pneumatics/168277/

Trust: 0.1

title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/pwnedpiper-critical-bug-set-impacts-major-hospitals-in-north-america/

Trust: 0.1

sources: VULMON: CVE-2021-37160

EXTERNAL IDS

db:NVDid:CVE-2021-37160

Trust: 2.3

db:ICS CERTid:ICSMA-21-215-01

Trust: 1.2

db:CNVDid:CNVD-2021-62176

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.2625

Trust: 0.6

db:CS-HELPid:SB2021080306

Trust: 0.6

db:CNNVDid:CNNVD-202108-081

Trust: 0.6

db:VULMONid:CVE-2021-37160

Trust: 0.1

sources: CNVD: CNVD-2021-62176 // VULMON: CVE-2021-37160 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-081 // NVD: CVE-2021-37160

REFERENCES

url:https://www.armis.com/pwnedpiper

Trust: 1.7

url:https://www.swisslog-healthcare.com

Trust: 1.7

url:https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37160-bulletin---no-firmware-update-validation.pdf?rev=c7f94647037c4007992e2e626d445561&hash=e89531490070a809fb74994018ba1248

Trust: 1.7

url:https://us-cert.cisa.gov/ics/advisories/icsma-21-215-01

Trust: 1.2

url:https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=cve%20disclosures%20%20%20%20vulnerability%20name%20%2c%20%20cve-2021-37164%20%204%20more%20rows%20

Trust: 1.0

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=cve%20disclosures%20%20%20%20vulnerability%20name%20

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021080306

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2625

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/347.html

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/434.html

Trust: 0.1

url:https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=cve%20disclosures%20%20%20%20vulnerability%20name%20,%20%20cve-2021-37164%20%204%20more%20rows%20

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/pwnedpiper-bugs-hospital-pneumatics/168277/

Trust: 0.1

sources: CNVD: CNVD-2021-62176 // VULMON: CVE-2021-37160 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-081 // NVD: CVE-2021-37160

CREDITS

Barak Hadad and Ben Seri from Armis reported these vulnerabilities to Swisslog.

Trust: 0.6

sources: CNNVD: CNNVD-202108-081

SOURCES

db:CNVDid:CNVD-2021-62176
db:VULMONid:CVE-2021-37160
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202108-081
db:NVDid:CVE-2021-37160

LAST UPDATE DATE

2024-08-14T13:01:11.580000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-62176date:2021-09-01T00:00:00
db:VULMONid:CVE-2021-37160date:2021-08-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202108-081date:2022-07-14T00:00:00
db:NVDid:CVE-2021-37160date:2023-11-07T03:36:55.140

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-62176date:2021-08-16T00:00:00
db:VULMONid:CVE-2021-37160date:2021-08-02T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202108-081date:2021-08-02T00:00:00
db:NVDid:CVE-2021-37160date:2021-08-02T13:15:07.707