ID

VAR-202111-0671


CVE

CVE-2021-40366


TITLE

Climatix POL909  Vulnerability in plaintext transmission of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014894

DESCRIPTION

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.42), Climatix POL909 (AWM module) (All versions < V11.34). The web server of affected devices transmits data without TLS encryption. This could allow an unauthenticated remote attacker in a man-in-the-middle position to read sensitive data, such as administrator credentials, or modify data in transit. Climatix POL909 Contains a vulnerability in the transmission of important information in clear text.Information may be obtained and information may be tampered with. Siemens Climatix Pol909 is an intelligent network module of Siemens (Siemens) in Germany

Trust: 2.16

sources: NVD: CVE-2021-40366 // JVNDB: JVNDB-2021-014894 // CNVD: CNVD-2021-89433

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-89433

AFFECTED PRODUCTS

vendor:siemensmodel:climatix pol909scope:ltversion:11.34

Trust: 1.0

vendor:siemensmodel:climatix pol909scope:ltversion:11.42

Trust: 1.0

vendor:シーメンスmodel:climatix pol909scope:eqversion:climatix pol909 firmware (awm module ) 11.34

Trust: 0.8

vendor:シーメンスmodel:climatix pol909scope:eqversion: -

Trust: 0.8

vendor:シーメンスmodel:climatix pol909scope:eqversion:climatix pol909 firmware (awb module ) 11.42

Trust: 0.8

vendor:siemensmodel:climatix pol909scope:ltversion:v11.34

Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-40366
value: HIGH

Trust: 1.0

NVD: CVE-2021-40366
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-89433
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202111-868
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-40366
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-89433
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-40366
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2021-40366
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // CNNVD: CNNVD-202111-868 // NVD: CVE-2021-40366

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.0

problemtype:CWE-319

Trust: 1.0

problemtype:Sending important information in clear text (CWE-319) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-868

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202111-868

PATCH

title:SSA-703715url:https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf

Trust: 0.8

title:Patch for Siemens Climatix POL909 (AWM) Information Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/300041

Trust: 0.6

title:Siemens Climatix POL909 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=169828

Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // CNNVD: CNNVD-202111-868

EXTERNAL IDS

db:NVDid:CVE-2021-40366

Trust: 3.8

db:SIEMENSid:SSA-703715

Trust: 2.2

db:ICS CERTid:ICSA-21-315-09

Trust: 1.4

db:JVNid:JVNVU95671889

Trust: 0.8

db:JVNDBid:JVNDB-2021-014894

Trust: 0.8

db:CNVDid:CNVD-2021-89433

Trust: 0.6

db:CS-HELPid:SB2021111510

Trust: 0.6

db:AUSCERTid:ESB-2021.3874

Trust: 0.6

db:CNNVDid:CNNVD-202111-868

Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // CNNVD: CNNVD-202111-868 // NVD: CVE-2021-40366

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf

Trust: 2.2

url:http://jvn.jp/vu/jvnvu95671889/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-40366

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-09

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021111510

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-315-09

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3874

Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // CNNVD: CNNVD-202111-868 // NVD: CVE-2021-40366

CREDITS

Siemens reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202111-868

SOURCES

db:CNVDid:CNVD-2021-89433
db:JVNDBid:JVNDB-2021-014894
db:CNNVDid:CNNVD-202111-868
db:NVDid:CVE-2021-40366

LAST UPDATE DATE

2024-11-23T20:27:40.619000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-89433date:2021-11-20T00:00:00
db:JVNDBid:JVNDB-2021-014894date:2022-10-31T07:16:00
db:CNNVDid:CNNVD-202111-868date:2022-08-10T00:00:00
db:NVDid:CVE-2021-40366date:2024-11-21T06:23:57.903

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-89433date:2021-11-20T00:00:00
db:JVNDBid:JVNDB-2021-014894date:2022-10-31T00:00:00
db:CNNVDid:CNNVD-202111-868date:2021-11-09T00:00:00
db:NVDid:CVE-2021-40366date:2021-11-09T12:15:10.123