Details of VAR-202201-0777

ID

VAR-202201-0777

CVE

CVE-2021-45033

TITLE

Vulnerability related to use of hardcoded credentials in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2022-003191

DESCRIPTION

A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). An undocumented debug port uses hard-coded default credentials. If this port is enabled by a privileged user, an attacker aware of the credentials could access an administrative debug shell on the affected device. Multiple Siemens products are vulnerable to the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. SICAM A8000 is an automation application for all areas of remote control and energy supply

Trust: 2.16

sources: NVD: CVE-2021-45033 // JVNDB: JVNDB-2022-003191 // CNVD: CNVD-2022-02750

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-02750

AFFECTED PRODUCTS

vendor:	siemens	model:	cp-8000 master module with i\/o -40\/\+70	scope:	lt	version:	16.20	Trust: 1.0
vendor:	siemens	model:	cp-8021 master module	scope:	lt	version:	16.20	Trust: 1.0
vendor:	siemens	model:	cp-8000 master module with i\/o -25\/\+70	scope:	lt	version:	16.20	Trust: 1.0
vendor:	siemens	model:	cp-8022 master module with gprs	scope:	lt	version:	16.20	Trust: 1.0
vendor:	シーメンス	model:	cp-8021 master module	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	cp-8000 master module with i/o - 25/+70	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	cp-8022 master module with gprs	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	cp-8000 master module with i/o - 40/+70	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	sicam a8000 cp-8000	scope:	lt	version:	16.20	Trust: 0.6
vendor:	siemens	model:	sicam a8000 cp-8021	scope:	lt	version:	16.20	Trust: 0.6
vendor:	siemens	model:	sicam a8000 cp-8022	scope:	lt	version:	16.20	Trust: 0.6

sources: CNVD: CNVD-2022-02750 // JVNDB: JVNDB-2022-003191 // NVD: CVE-2021-45033

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-45033
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-45033
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-02750
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202201-867
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-45033
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-02750
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-45033
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-45033
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-02750 // JVNDB: JVNDB-2022-003191 // CNNVD: CNNVD-202201-867 // NVD: CVE-2021-45033

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	Use hard-coded credentials (CWE-798) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-003191 // NVD: CVE-2021-45033

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-867

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202201-867

PATCH

title:	SSA-324998	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-324998.pdf	Trust: 0.8
title:	Patch for Siemens SICAM A8000 Hardcoded Credentials Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/313116	Trust: 0.6
title:	Siemens SICAM A8000 CP-8000 Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178153	Trust: 0.6

sources: CNVD: CNVD-2022-02750 // JVNDB: JVNDB-2022-003191 // CNNVD: CNNVD-202201-867

EXTERNAL IDS

db:	NVD	id:	CVE-2021-45033	Trust: 3.8
db:	SIEMENS	id:	SSA-324998	Trust: 2.2
db:	ICS CERT	id:	ICSA-22-013-02	Trust: 1.4
db:	JVN	id:	JVNVU98508242	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-003191	Trust: 0.8
db:	CNVD	id:	CNVD-2022-02750	Trust: 0.6
db:	CS-HELP	id:	SB2022011213	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-867	Trust: 0.6

sources: CNVD: CNVD-2022-02750 // JVNDB: JVNDB-2022-003191 // CNNVD: CNNVD-202201-867 // NVD: CVE-2021-45033

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-324998.pdf	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-45033	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu98508242/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-02	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022011213	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-013-02	Trust: 0.6

sources: CNVD: CNVD-2022-02750 // JVNDB: JVNDB-2022-003191 // CNNVD: CNNVD-202201-867 // NVD: CVE-2021-45033

CREDITS

Michael Messner of Siemens Energy reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202201-867

SOURCES

db:	CNVD	id:	CNVD-2022-02750
db:	JVNDB	id:	JVNDB-2022-003191
db:	CNNVD	id:	CNNVD-202201-867
db:	NVD	id:	CVE-2021-45033

LAST UPDATE DATE

2024-11-23T19:43:19.058000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-02750	date:	2022-01-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-003191	date:	2023-02-10T04:47:00
db:	CNNVD	id:	CNNVD-202201-867	date:	2022-02-10T00:00:00
db:	NVD	id:	CVE-2021-45033	date:	2024-11-21T06:31:50.027

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-02750	date:	2022-01-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-003191	date:	2023-02-10T00:00:00
db:	CNNVD	id:	CNNVD-202201-867	date:	2022-01-11T00:00:00
db:	NVD	id:	CVE-2021-45033	date:	2022-01-11T12:15:10.093