ID

VAR-202109-1914


CVE

CVE-2021-37173


TITLE

Privilege management vulnerability in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-011719

DESCRIPTION

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The command line interface of affected devices insufficiently restrict file read and write operations for low privileged users. This could allow an authenticated remote attacker to escalate privileges and gain root access to the device. Multiple Siemens products contain a privilege management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. RUGGEDCOM products provide a certain degree of reliability and set the standard for communication networks deployed in harsh environments. RUGGEDCOM RX1400 is a multi-protocol smart node that combines Ethernet switching, routing and application hosting functions with various wide-area connectivity options. Siemens RUGGEDCOM ROX has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. The affected devices have an exposure of sensitive information vulnerability, if exploited, it could allow an authenticated malicious user to extract data via Secure Shell (SSH)

Trust: 2.79

sources: NVD: CVE-2021-37173 // JVNDB: JVNDB-2021-011719 // CNVD: CNVD-2021-71420 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-37173

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-71420

AFFECTED PRODUCTS

vendor:siemensmodel:ruggedcom rox rx1510scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx5000scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1501scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1524scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1511scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox mx5000scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1500scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1536scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1400scope:ltversion:2.14.1

Trust: 1.0

vendor:siemensmodel:ruggedcom rox rx1512scope:ltversion:2.14.1

Trust: 1.0

vendor:シーメンスmodel:ruggedcom rox rx1536scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1524scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1400scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox mx5000scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx5000scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1512scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1501scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1500scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1510scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:ruggedcom rox rx1511scope: - version: -

Trust: 0.8

vendor:siemensmodel:ruggedcom rox rx1512scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1511scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1510scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1501scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1500scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1400scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox mx5000scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1536scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx1524scope:ltversion:v2.14.1

Trust: 0.6

vendor:siemensmodel:ruggedcom rox rx5000scope:ltversion:v2.14.1

Trust: 0.6

sources: CNVD: CNVD-2021-71420 // JVNDB: JVNDB-2021-011719 // NVD: CVE-2021-37173

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-37173
value: HIGH

Trust: 1.0

NVD: CVE-2021-37173
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-71420
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-810
value: HIGH

Trust: 0.6

VULMON: CVE-2021-37173
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-37173
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-71420
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULMON: CVE-2021-37173
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-37173
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-37173
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-71420 // VULMON: CVE-2021-37173 // JVNDB: JVNDB-2021-011719 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-810 // NVD: CVE-2021-37173

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:Improper authority management (CWE-269) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-011719 // NVD: CVE-2021-37173

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-810

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:SSA-150692url:https://cert-portal.siemens.com/productcert/pdf/ssa-150692.pdf

Trust: 0.8

title:Patch for Siemens RUGGEDCOM ROX Information Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/290831

Trust: 0.6

title:Siemens RUGGEDCOM Repair measures for information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174336

Trust: 0.6

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=93a87ed46de57a6f27b2f3f9a3698e0c

Trust: 0.1

sources: CNVD: CNVD-2021-71420 // VULMON: CVE-2021-37173 // JVNDB: JVNDB-2021-011719 // CNNVD: CNNVD-202109-810

EXTERNAL IDS

db:NVDid:CVE-2021-37173

Trust: 3.9

db:SIEMENSid:SSA-150692

Trust: 2.3

db:JVNDBid:JVNDB-2021-011719

Trust: 0.8

db:CNVDid:CNVD-2021-71420

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.3140

Trust: 0.6

db:ICS CERTid:ICSA-21-259-01

Trust: 0.6

db:CS-HELPid:SB2021091703

Trust: 0.6

db:CNNVDid:CNNVD-202109-810

Trust: 0.6

db:VULMONid:CVE-2021-37173

Trust: 0.1

sources: CNVD: CNVD-2021-71420 // VULMON: CVE-2021-37173 // JVNDB: JVNDB-2021-011719 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-810 // NVD: CVE-2021-37173

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-150692.pdf

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-37173

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01

Trust: 0.6

url:https://vigilance.fr/vulnerability/ruggedcom-rox-three-vulnerabilities-36396

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021091703

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3140

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://cert-portal.siemens.com/productcert/txt/ssa-150692.txt

Trust: 0.1

sources: CNVD: CNVD-2021-71420 // VULMON: CVE-2021-37173 // JVNDB: JVNDB-2021-011719 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-810 // NVD: CVE-2021-37173

CREDITS

Michael Messner from Siemens Energy reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202109-810

SOURCES

db:CNVDid:CNVD-2021-71420
db:VULMONid:CVE-2021-37173
db:JVNDBid:JVNDB-2021-011719
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202109-810
db:NVDid:CVE-2021-37173

LAST UPDATE DATE

2024-08-14T12:44:31.634000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-71420date:2021-09-16T00:00:00
db:VULMONid:CVE-2021-37173date:2021-09-23T00:00:00
db:JVNDBid:JVNDB-2021-011719date:2022-08-09T06:52:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202109-810date:2021-12-15T00:00:00
db:NVDid:CVE-2021-37173date:2021-12-14T20:42:49.173

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-71420date:2021-09-15T00:00:00
db:VULMONid:CVE-2021-37173date:2021-09-14T00:00:00
db:JVNDBid:JVNDB-2021-011719date:2022-08-09T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202109-810date:2021-09-14T00:00:00
db:NVDid:CVE-2021-37173date:2021-09-14T11:15:25.180