Details of VAR-202111-1616

ID

VAR-202111-1616

CVE

CVE-2021-31888

TITLE

Out-of-bounds write vulnerabilities in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-014901

DESCRIPTION

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018). Multiple Siemens products are vulnerable to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2021-31888 // JVNDB: JVNDB-2021-014901

AFFECTED PRODUCTS

vendor:	siemens	model:	desigo pxc12-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	talon tc modular	scope:	lt	version:	3.5.4	Trust: 1.0
vendor:	siemens	model:	nucleus source code	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	desigo pxc36.1-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc128-u	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc50-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc64-u	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc001-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	apogee pxc compact	scope:	lt	version:	2.8.19	Trust: 1.0
vendor:	siemens	model:	desigo pxc100-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc36.1-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	apogee pxc compact	scope:	lt	version:	3.5.4	Trust: 1.0
vendor:	siemens	model:	nucleus net	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	desigo pxc00-u	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxc12-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxc22-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	apogee modular building controller	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	desigo pxc22.1-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc128-u	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxm20-e	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc200-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxm20-e	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxc00-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxc22.1-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	apogee pxc modular	scope:	lt	version:	3.5.4	Trust: 1.0
vendor:	siemens	model:	apogee pxc modular	scope:	lt	version:	2.8.19	Trust: 1.0
vendor:	siemens	model:	talon tc compact	scope:	lt	version:	3.5.4	Trust: 1.0
vendor:	siemens	model:	desigo pxc100-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxc22-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	nucleus readystart v3	scope:	lt	version:	2017.02.4	Trust: 1.0
vendor:	siemens	model:	desigo pxc00-u	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc64-u	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	desigo pxc00-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc001-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	siemens	model:	apogee modular equiment controller	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	desigo pxc200-e.d	scope:	gte	version:	2.3	Trust: 1.0
vendor:	siemens	model:	desigo pxc50-e.d	scope:	lt	version:	6.30.016	Trust: 1.0
vendor:	シーメンス	model:	capital vstar	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	nucleus source code	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	talon tc compact	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	apogee pxc modular	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	nucleus readystart v3	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	talon tc modular	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	apogee modular equiment controller	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	apogee pxc compact	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	apogee modular building controller	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	nucleus net	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-014901 // NVD: CVE-2021-31888

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-31888
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-31888
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202111-841
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-31888
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2021-31888
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-31888
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841 // NVD: CVE-2021-31888

PROBLEMTYPE DATA

problemtype:	CWE-787	Trust: 1.0
problemtype:	CWE-170	Trust: 1.0
problemtype:	Out-of-bounds writing (CWE-787) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-014901 // NVD: CVE-2021-31888

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-841

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202111-841

PATCH

title:	SSA-044112 Siemens Security Advisory	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf	Trust: 0.8
title:	Siemens Nucleus ReadyStart Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174346	Trust: 0.6

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841

EXTERNAL IDS

db:	NVD	id:	CVE-2021-31888	Trust: 3.2
db:	SIEMENS	id:	SSA-044112	Trust: 1.6
db:	SIEMENS	id:	SSA-114589	Trust: 1.6
db:	ICS CERT	id:	ICSA-21-315-07	Trust: 1.4
db:	ICS CERT	id:	ICSA-21-313-03	Trust: 1.4
db:	JVN	id:	JVNVU95671889	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-014901	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.3874	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3833	Trust: 0.6
db:	CS-HELP	id:	SB2021111003	Trust: 0.6
db:	CNNVD	id:	CNNVD-202111-841	Trust: 0.6

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841 // NVD: CVE-2021-31888

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf	Trust: 1.6
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf	Trust: 1.6
url:	http://jvn.jp/vu/jvnvu95671889/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31888	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-313-03	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-07	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021111003	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3874	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3833	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-315-07	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-313-03	Trust: 0.6

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841 // NVD: CVE-2021-31888

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202111-841

SOURCES

db:	JVNDB	id:	JVNDB-2021-014901
db:	CNNVD	id:	CNNVD-202111-841
db:	NVD	id:	CVE-2021-31888

LAST UPDATE DATE

2024-08-14T12:35:59.299000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2021-014901	date:	2022-10-31T07:53:00
db:	CNNVD	id:	CNNVD-202111-841	date:	2022-05-23T00:00:00
db:	NVD	id:	CVE-2021-31888	date:	2023-05-16T10:50:54.340

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2021-014901	date:	2022-10-31T00:00:00
db:	CNNVD	id:	CNNVD-202111-841	date:	2021-11-09T00:00:00
db:	NVD	id:	CVE-2021-31888	date:	2021-11-09T12:15:09.640