ID

VAR-202109-1218


CVE

CVE-2021-37181


TITLE

Untrusted data deserialization vulnerability in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-011929

DESCRIPTION

A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < V5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validation, which could result in arbitrary deserialization. This could allow an unauthenticated attacker to execute code on the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity is affected by the vulnerability. The affected system may be put into a denial-of-service (DoS) state. Pillow is a Python-based image processing library. No further information about this vulnerability is currently available; please follow CNNVD or vendor announcements.

Trust: 2.25

sources: NVD: CVE-2021-37181 // JVNDB: JVNDB-2021-011929 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-37181

AFFECTED PRODUCTS

vendor: siemens, model: desigo cc compact, scope: eq, version: 4.2

Trust: 1.0

vendor: siemens, model: desigo cc, scope: eq, version: 5.0

Trust: 1.0

vendor: siemens, model: desigo cc compact, scope: eq, version: 4.1

Trust: 1.0

vendor: siemens, model: cerberus dms, scope: eq, version: 4.2

Trust: 1.0

vendor: siemens, model: desigo cc compact, scope: eq, version: 4.0

Trust: 1.0

vendor: siemens, model: desigo cc, scope: eq, version: 4.2

Trust: 1.0

vendor: siemens, model: cerberus dms, scope: eq, version: 4.1

Trust: 1.0

vendor: siemens, model: cerberus dms, scope: eq, version: 4.0

Trust: 1.0

vendor: siemens, model: desigo cc compact, scope: eq, version: 5.0

Trust: 1.0

vendor: siemens, model: desigo cc, scope: eq, version: 4.1

Trust: 1.0

vendor: siemens, model: desigo cc, scope: eq, version: 4.0

Trust: 1.0

vendor: siemens, model: cerberus dms, scope: eq, version: 5.0

Trust: 1.0

vendor: Siemens, model: desigo cc compact, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: cerberus dms, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: desigo cc, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-011929 // NVD: CVE-2021-37181

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-37181
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-37181
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-959
value: CRITICAL

Trust: 0.6

VULMON: CVE-2021-37181
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-37181
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CVSSV3

nvd@nist.gov: CVE-2021-37181
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-37181
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-37181 // JVNDB: JVNDB-2021-011929 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-959 // NVD: CVE-2021-37181

PROBLEMTYPE DATA

problemtype: CWE-502

Trust: 1.0

problemtype: Deserialization of untrusted data (CWE-502) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-011929 // NVD: CVE-2021-37181

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-959

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: SSA-453715, url: https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf

Trust: 0.8

title: Cerberus DMS Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=163044

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory, url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=6523ee8ce108aa3ed5f77ec6f6c582a7

Trust: 0.1

sources: VULMON: CVE-2021-37181 // JVNDB: JVNDB-2021-011929 // CNNVD: CNNVD-202109-959

EXTERNAL IDS

db: NVD, id: CVE-2021-37181

Trust: 3.3

db: SIEMENS, id: SSA-453715

Trust: 1.7

db: ICS CERT, id: ICSA-21-257-17

Trust: 1.4

db: JVN, id: JVNVU96712416

Trust: 0.8

db: JVNDB, id: JVNDB-2021-011929

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021091522

Trust: 0.6

db: CNNVD, id: CNNVD-202109-959

Trust: 0.6

db: VULMON, id: CVE-2021-37181

Trust: 0.1

sources: VULMON: CVE-2021-37181 // JVNDB: JVNDB-2021-011929 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-959 // NVD: CVE-2021-37181

REFERENCES

url: https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-37181

Trust: 1.4

url: https://jvn.jp/vu/jvnvu96712416/index.html

Trust: 0.8

url: https://www.cisa.gov/uscert/ics/advisories/icsa-21-257-17

Trust: 0.8

url: https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021091522

Trust: 0.6

url: https://us-cert.cisa.gov/ics/advisories/icsa-21-257-17

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/502.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://cert-portal.siemens.com/productcert/txt/ssa-453715.txt

Trust: 0.1

sources: VULMON: CVE-2021-37181 // JVNDB: JVNDB-2021-011929 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-959 // NVD: CVE-2021-37181

CREDITS

Markus Wulftange from Code White GmbH reported this vulnerability to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202109-959

SOURCES

db: VULMON, id: CVE-2021-37181
db: JVNDB, id: JVNDB-2021-011929
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202109-959
db: NVD, id: CVE-2021-37181

LAST UPDATE DATE

2024-08-14T12:34:37.533000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2021-37181, date: 2021-09-24T00:00:00
db: JVNDB, id: JVNDB-2021-011929, date: 2022-08-17T07:15:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202109-959, date: 2022-03-11T00:00:00
db: NVD, id: CVE-2021-37181, date: 2021-09-24T15:20:36.767

SOURCES RELEASE DATE

db: VULMON, id: CVE-2021-37181, date: 2021-09-14T00:00:00
db: JVNDB, id: JVNDB-2021-011929, date: 2022-08-17T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202109-959, date: 2021-09-14T00:00:00
db: NVD, id: CVE-2021-37181, date: 2021-09-14T11:15:25.613