ID
VAR-202109-1218
CVE
CVE-2021-37181
TITLE
Untrusted data deserialization vulnerability in multiple Siemens products
Trust: 0.8
DESCRIPTION
A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability. (DoS) It may be in a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
Trust: 2.25
AFFECTED PRODUCTS
| vendor: | siemens | model: | desigo cc compact | scope: | eq | version: | 4.2 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc | scope: | eq | version: | 5.0 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc compact | scope: | eq | version: | 4.1 | Trust: 1.0 |
| vendor: | siemens | model: | cerberus dms | scope: | eq | version: | 4.2 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc compact | scope: | eq | version: | 4.0 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc | scope: | eq | version: | 4.2 | Trust: 1.0 |
| vendor: | siemens | model: | cerberus dms | scope: | eq | version: | 4.1 | Trust: 1.0 |
| vendor: | siemens | model: | cerberus dms | scope: | eq | version: | 4.0 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc compact | scope: | eq | version: | 5.0 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc | scope: | eq | version: | 4.1 | Trust: 1.0 |
| vendor: | siemens | model: | desigo cc | scope: | eq | version: | 4.0 | Trust: 1.0 |
| vendor: | siemens | model: | cerberus dms | scope: | eq | version: | 5.0 | Trust: 1.0 |
| vendor: | シーメンス | model: | desigo cc compact | scope: | - | version: | - | Trust: 0.8 |
| vendor: | シーメンス | model: | cerberus dms | scope: | - | version: | - | Trust: 0.8 |
| vendor: | シーメンス | model: | desigo cc | scope: | - | version: | - | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-502 | Trust: 1.0 |
| problemtype: | Deserialization of untrusted data (CWE-502) [ others ] | Trust: 0.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
other
Trust: 0.6
PATCH
| title: | SSA-453715 | url: | https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf | Trust: 0.8 |
| title: | Cerberus DMS Fixes for code issue vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=163044 | Trust: 0.6 |
| title: | Siemens Security Advisories: Siemens Security Advisory | url: | https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=6523ee8ce108aa3ed5f77ec6f6c582a7 | Trust: 0.1 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2021-37181 | Trust: 3.3 |
| db: | SIEMENS | id: | SSA-453715 | Trust: 1.7 |
| db: | ICS CERT | id: | ICSA-21-257-17 | Trust: 1.4 |
| db: | JVN | id: | JVNVU96712416 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2021-011929 | Trust: 0.8 |
| db: | CS-HELP | id: | SB2021041363 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202104-975 | Trust: 0.6 |
| db: | CS-HELP | id: | SB2021091522 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202109-959 | Trust: 0.6 |
| db: | VULMON | id: | CVE-2021-37181 | Trust: 0.1 |
REFERENCES
| url: | https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf | Trust: 1.7 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-37181 | Trust: 1.4 |
| url: | https://jvn.jp/vu/jvnvu96712416/index.html | Trust: 0.8 |
| url: | https://www.cisa.gov/uscert/ics/advisories/icsa-21-257-17 | Trust: 0.8 |
| url: | https://www.cybersecurity-help.cz/vdb/sb2021041363 | Trust: 0.6 |
| url: | https://www.cybersecurity-help.cz/vdb/sb2021091522 | Trust: 0.6 |
| url: | https://us-cert.cisa.gov/ics/advisories/icsa-21-257-17 | Trust: 0.6 |
| url: | https://cwe.mitre.org/data/definitions/502.html | Trust: 0.1 |
| url: | https://nvd.nist.gov | Trust: 0.1 |
| url: | https://cert-portal.siemens.com/productcert/txt/ssa-453715.txt | Trust: 0.1 |
CREDITS
Markus Wulftange from Code White GmbH reported this vulnerability to Siemens.
Trust: 0.6
SOURCES
| db: | VULMON | id: | CVE-2021-37181 |
| db: | JVNDB | id: | JVNDB-2021-011929 |
| db: | CNNVD | id: | CNNVD-202104-975 |
| db: | CNNVD | id: | CNNVD-202109-959 |
| db: | NVD | id: | CVE-2021-37181 |
LAST UPDATE DATE
2024-08-14T12:34:37.533000+00:00
SOURCES UPDATE DATE
| db: | VULMON | id: | CVE-2021-37181 | date: | 2021-09-24T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-011929 | date: | 2022-08-17T07:15:00 |
| db: | CNNVD | id: | CNNVD-202104-975 | date: | 2021-04-14T00:00:00 |
| db: | CNNVD | id: | CNNVD-202109-959 | date: | 2022-03-11T00:00:00 |
| db: | NVD | id: | CVE-2021-37181 | date: | 2021-09-24T15:20:36.767 |
SOURCES RELEASE DATE
| db: | VULMON | id: | CVE-2021-37181 | date: | 2021-09-14T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-011929 | date: | 2022-08-17T00:00:00 |
| db: | CNNVD | id: | CNNVD-202104-975 | date: | 2021-04-13T00:00:00 |
| db: | CNNVD | id: | CNNVD-202109-959 | date: | 2021-09-14T00:00:00 |
| db: | NVD | id: | CVE-2021-37181 | date: | 2021-09-14T11:15:25.613 |