ID

VAR-202109-1214


CVE

CVE-2021-37174


TITLE

Unnecessary privileged execution vulnerability in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-011720

DESCRIPTION

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The affected devices have a privilege escalation vulnerability, if exploited, an attacker could gain root user access. Multiple Siemens products contain unnecessary privileged execution vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. RUGGEDCOM products provide a certain degree of reliability and set the standard for communication networks deployed in harsh environments. RUGGEDCOM RX1400 is a multi-protocol smart node that combines Ethernet switching, routing and application hosting functions with various wide-area connectivity options. Siemens RUGGEDCOM ROX has a privilege escalation vulnerability. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.79

sources: NVD: CVE-2021-37174 // JVNDB: JVNDB-2021-011720 // CNVD: CNVD-2021-71419 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-37174

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-71419

AFFECTED PRODUCTS

vendor:siemensmodel:ruggedcom rox rx1510scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx5000scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1501scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1524scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1511scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox mx5000scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1500scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1536scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1400scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1512scope:ltversion:2.14.1

Trust: 1.0

vendor:シーメンスmodel:ruggedcom rox rx1536scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1524scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1400scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox mx5000scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx5000scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1512scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1501scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1500scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1510scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1511scope: - version: -

Trust: 0.8

vendor:siemensmodel:ruggedcom rox rx1512scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1511scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1510scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1501scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1500scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1400scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox mx5000scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1536scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1524scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx5000scope:ltversion:v2.14.1

Trust: 0.6

sources: CNVD: CNVD-2021-71419 // JVNDB: JVNDB-2021-011720 // NVD: CVE-2021-37174

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-37174
value: HIGH

Trust: 1.0

NVD: CVE-2021-37174
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-71419
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-811
value: HIGH

Trust: 0.6

VULMON: CVE-2021-37174
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-37174
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-71419
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-37174
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-37174
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-71419 // VULMON: CVE-2021-37174 // JVNDB: JVNDB-2021-011720 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-811 // NVD: CVE-2021-37174

PROBLEMTYPE DATA

problemtype:CWE-250

Trust: 1.0

problemtype:Execution with unnecessary privileges (CWE-250) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-011720 // NVD: CVE-2021-37174

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-811

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:SSA-150692url:https://cert-portal.siemens.com/productcert/pdf/ssa-150692.pdf

Trust: 0.8

title:Patch for Siemens RUGGEDCOM ROX Privilege Escalation Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/290836

Trust: 0.6

title:Siemens RUGGEDCOM Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=163037

Trust: 0.6

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=93a87ed46de57a6f27b2f3f9a3698e0c

Trust: 0.1

sources: CNVD: CNVD-2021-71419 // VULMON: CVE-2021-37174 // JVNDB: JVNDB-2021-011720 // CNNVD: CNNVD-202109-811

EXTERNAL IDS

db:NVDid:CVE-2021-37174

Trust: 3.9

db:SIEMENSid:SSA-150692

Trust: 2.3

db:JVNDBid:JVNDB-2021-011720

Trust: 0.8

db:CNVDid:CNVD-2021-71419

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.3140

Trust: 0.6

db:ICS CERTid:ICSA-21-259-01

Trust: 0.6

db:CS-HELPid:SB2021091703

Trust: 0.6

db:CNNVDid:CNNVD-202109-811

Trust: 0.6

db:VULMONid:CVE-2021-37174

Trust: 0.1

sources: CNVD: CNVD-2021-71419 // VULMON: CVE-2021-37174 // JVNDB: JVNDB-2021-011720 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-811 // NVD: CVE-2021-37174

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-150692.pdf

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-37174

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01

Trust: 0.6

url:https://vigilance.fr/vulnerability/ruggedcom-rox-three-vulnerabilities-36396

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021091703

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3140

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/250.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://cert-portal.siemens.com/productcert/txt/ssa-150692.txt

Trust: 0.1

sources: CNVD: CNVD-2021-71419 // VULMON: CVE-2021-37174 // JVNDB: JVNDB-2021-011720 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-811 // NVD: CVE-2021-37174

CREDITS

Michael Messner from Siemens Energy reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202109-811

SOURCES

db:CNVDid:CNVD-2021-71419
db:VULMONid:CVE-2021-37174
db:JVNDBid:JVNDB-2021-011720
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202109-811
db:NVDid:CVE-2021-37174

LAST UPDATE DATE

2024-08-14T13:07:17.525000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-71419date:2021-09-16T00:00:00
db:VULMONid:CVE-2021-37174date:2021-09-23T00:00:00
db:JVNDBid:JVNDB-2021-011720date:2022-08-09T06:52:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202109-811date:2021-09-24T00:00:00
db:NVDid:CVE-2021-37174date:2021-09-23T18:15:20.810

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-71419date:2021-09-15T00:00:00
db:VULMONid:CVE-2021-37174date:2021-09-14T00:00:00
db:JVNDBid:JVNDB-2021-011720date:2022-08-09T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202109-811date:2021-09-14T00:00:00
db:NVDid:CVE-2021-37174date:2021-09-14T11:15:25.273