Details of VAR-202112-0784

ID

VAR-202112-0784

CVE

CVE-2021-44524

TITLE

SiPass integrated and Siveillance Identity Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-016369

DESCRIPTION

A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts. SiPass integrated and Siveillance Identity There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. SiPass integrated is an access control system

Trust: 2.25

sources: NVD: CVE-2021-44524 // JVNDB: JVNDB-2021-016369 // CNVD: CNVD-2021-100377 // VULHUB: VHN-407755

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-100377

AFFECTED PRODUCTS

vendor:	siemens	model:	siveillance identity	scope:	gte	version:	1.6	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	eq	version:	1.5	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.85	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.80	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.76	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	lte	version:	1.6.284.0	Trust: 1.0
vendor:	シーメンス	model:	sipass integrated	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	siveillance identity	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	v2.76	Trust: 0.6
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	v2.80	Trust: 0.6
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	v2.85	Trust: 0.6

sources: CNVD: CNVD-2021-100377 // JVNDB: JVNDB-2021-016369 // NVD: CVE-2021-44524

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-44524
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-44524
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2021-100377
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202112-1236
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-407755
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-44524
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-100377
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-407755
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-44524
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-44524
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-100377 // VULHUB: VHN-407755 // JVNDB: JVNDB-2021-016369 // CNNVD: CNNVD-202112-1236 // NVD: CVE-2021-44524

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.1
problemtype:	CWE-668	Trust: 1.0
problemtype:	Inappropriate authentication (CWE-287) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-407755 // JVNDB: JVNDB-2021-016369 // NVD: CVE-2021-44524

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-1236

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202112-1236

PATCH

title:	SSA-160202 Siemens Security Advisory	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf	Trust: 0.8
title:	Patch for SiPass integrated Access Control Vulnerability (CNVD-2021-100377)	url:	https://www.cnvd.org.cn/patchInfo/show/306241	Trust: 0.6
title:	Siemens SiPass Integrated and Siveillance Identity Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=175716	Trust: 0.6

sources: CNVD: CNVD-2021-100377 // JVNDB: JVNDB-2021-016369 // CNNVD: CNNVD-202112-1236

EXTERNAL IDS

db:	NVD	id:	CVE-2021-44524	Trust: 3.9
db:	SIEMENS	id:	SSA-160202	Trust: 2.3
db:	SIEMENS	id:	SSA-463116	Trust: 1.7
db:	ICS CERT	id:	ICSA-21-350-14	Trust: 1.4
db:	JVN	id:	JVNVU96592426	Trust: 0.8
db:	ICS CERT	id:	ICSA-21-350-19	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-016369	Trust: 0.8
db:	CNVD	id:	CNVD-2021-100377	Trust: 0.6
db:	CS-HELP	id:	SB2022010612	Trust: 0.6
db:	CNNVD	id:	CNNVD-202112-1236	Trust: 0.6
db:	VULHUB	id:	VHN-407755	Trust: 0.1

sources: CNVD: CNVD-2021-100377 // VULHUB: VHN-407755 // JVNDB: JVNDB-2021-016369 // CNNVD: CNNVD-202112-1236 // NVD: CVE-2021-44524

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf	Trust: 2.3
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44524	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96592426/	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-14	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-19	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-350-14	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022010612	Trust: 0.6

sources: CNVD: CNVD-2021-100377 // VULHUB: VHN-407755 // JVNDB: JVNDB-2021-016369 // CNNVD: CNNVD-202112-1236 // NVD: CVE-2021-44524

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202112-1236

SOURCES

db:	CNVD	id:	CNVD-2021-100377
db:	VULHUB	id:	VHN-407755
db:	JVNDB	id:	JVNDB-2021-016369
db:	CNNVD	id:	CNNVD-202112-1236
db:	NVD	id:	CVE-2021-44524

LAST UPDATE DATE

2024-08-14T12:19:26.506000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-100377	date:	2022-01-26T00:00:00
db:	VULHUB	id:	VHN-407755	date:	2021-12-17T00:00:00
db:	JVNDB	id:	JVNDB-2021-016369	date:	2022-12-13T08:08:00
db:	CNNVD	id:	CNNVD-202112-1236	date:	2022-01-07T00:00:00
db:	NVD	id:	CVE-2021-44524	date:	2021-12-17T16:56:44.223

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-100377	date:	2021-12-15T00:00:00
db:	VULHUB	id:	VHN-407755	date:	2021-12-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-016369	date:	2022-12-13T00:00:00
db:	CNNVD	id:	CNNVD-202112-1236	date:	2021-12-14T00:00:00
db:	NVD	id:	CVE-2021-44524	date:	2021-12-14T12:15:12.147