ID

VAR-202111-1616


CVE

CVE-2021-31888


TITLE

Out-of-bounds write vulnerabilities in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-014901

DESCRIPTION

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018). Multiple Siemens products are vulnerable to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2021-31888 // JVNDB: JVNDB-2021-014901

AFFECTED PRODUCTS

vendor:siemensmodel:desigo pxc12-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:talon tc modularscope:ltversion:3.5.4

Trust: 1.0

vendor:siemensmodel:nucleus source codescope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc36.1-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc128-uscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc50-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc64-uscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc001-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:apogee pxc compactscope:ltversion:2.8.19

Trust: 1.0

vendor:siemensmodel:desigo pxc100-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc36.1-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:apogee pxc compactscope:ltversion:3.5.4

Trust: 1.0

vendor:siemensmodel:nucleus netscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc00-uscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxc12-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxc22-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:apogee modular building controllerscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc22.1-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc128-uscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxm20-escope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc200-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxm20-escope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxc00-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxc22.1-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:apogee pxc modularscope:ltversion:3.5.4

Trust: 1.0

vendor:siemensmodel:apogee pxc modularscope:ltversion:2.8.19

Trust: 1.0

vendor:siemensmodel:talon tc compactscope:ltversion:3.5.4

Trust: 1.0

vendor:siemensmodel:desigo pxc100-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxc22-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:nucleus readystart v3scope:ltversion:2017.02.4

Trust: 1.0

vendor:siemensmodel:desigo pxc00-uscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc64-uscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:desigo pxc00-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc001-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:siemensmodel:apogee modular equiment controllerscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc200-e.dscope:gteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc50-e.dscope:ltversion:6.30.016

Trust: 1.0

vendor:シーメンスmodel:capital vstarscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:nucleus source codescope: - version: -

Trust: 0.8

vendor:シーメンスmodel:talon tc compactscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee pxc modularscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:nucleus readystart v3scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:talon tc modularscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee modular equiment controllerscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee pxc compactscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee modular building controllerscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:nucleus netscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-014901 // NVD: CVE-2021-31888

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-31888
value: HIGH

Trust: 1.0

NVD: CVE-2021-31888
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202111-841
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-31888
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2021-31888
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-31888
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841 // NVD: CVE-2021-31888

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-170

Trust: 1.0

problemtype:Out-of-bounds writing (CWE-787) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014901 // NVD: CVE-2021-31888

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-841

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202111-841

PATCH

title:SSA-044112 Siemens Security Advisoryurl:https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

Trust: 0.8

title:Siemens Nucleus ReadyStart Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174346

Trust: 0.6

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841

EXTERNAL IDS

db:NVDid:CVE-2021-31888

Trust: 3.2

db:SIEMENSid:SSA-044112

Trust: 1.6

db:SIEMENSid:SSA-114589

Trust: 1.6

db:ICS CERTid:ICSA-21-315-07

Trust: 1.4

db:ICS CERTid:ICSA-21-313-03

Trust: 1.4

db:JVNid:JVNVU95671889

Trust: 0.8

db:JVNDBid:JVNDB-2021-014901

Trust: 0.8

db:AUSCERTid:ESB-2021.3874

Trust: 0.6

db:AUSCERTid:ESB-2021.3833

Trust: 0.6

db:CS-HELPid:SB2021111003

Trust: 0.6

db:CNNVDid:CNNVD-202111-841

Trust: 0.6

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841 // NVD: CVE-2021-31888

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

Trust: 1.6

url:https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf

Trust: 1.6

url:http://jvn.jp/vu/jvnvu95671889/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-31888

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-313-03

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-07

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021111003

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3874

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3833

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-315-07

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-313-03

Trust: 0.6

sources: JVNDB: JVNDB-2021-014901 // CNNVD: CNNVD-202111-841 // NVD: CVE-2021-31888

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202111-841

SOURCES

db:JVNDBid:JVNDB-2021-014901
db:CNNVDid:CNNVD-202111-841
db:NVDid:CVE-2021-31888

LAST UPDATE DATE

2024-08-14T12:35:59.299000+00:00


SOURCES UPDATE DATE

db:JVNDBid:JVNDB-2021-014901date:2022-10-31T07:53:00
db:CNNVDid:CNNVD-202111-841date:2022-05-23T00:00:00
db:NVDid:CVE-2021-31888date:2023-05-16T10:50:54.340

SOURCES RELEASE DATE

db:JVNDBid:JVNDB-2021-014901date:2022-10-31T00:00:00
db:CNNVDid:CNNVD-202111-841date:2021-11-09T00:00:00
db:NVDid:CVE-2021-31888date:2021-11-09T12:15:09.640