ID

VAR-202201-0778


CVE

CVE-2021-45034


TITLE

Vulnerability related to information leakage from log files in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2022-003194

DESCRIPTION

A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). The web server of the affected system allows access to logfiles and diagnostic data generated by a privileged user. An unauthenticated attacker could access the files by knowing the corresponding download links. Multiple Siemens products contain vulnerabilities related to information disclosure from log files.Information may be obtained. SICAM A8000 is an automation application for all areas of remote control and energy supply. Siemens SICAM A8000 has an access control error vulnerability that could allow attackers to access some previously created log files

Trust: 2.25

sources: NVD: CVE-2021-45034 // JVNDB: JVNDB-2022-003194 // CNVD: CNVD-2022-02749 // VULMON: CVE-2021-45034

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-02749

AFFECTED PRODUCTS

vendor:siemensmodel:cp-8000 master module with i\/o -40\/\+70scope:ltversion:16.20

Trust: 1.0

vendor:siemensmodel:cp-8021 master modulescope:ltversion:16.20

Trust: 1.0

vendor:siemensmodel:cp-8000 master module with i\/o -25\/\+70scope:ltversion:16.20

Trust: 1.0

vendor:siemensmodel:cp-8022 master module with gprsscope:ltversion:16.20

Trust: 1.0

vendor:シーメンスmodel:cp-8021 master modulescope: - version: -

Trust: 0.8

vendor:シーメンスmodel:cp-8000 master module with i/o - 25/+70scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:cp-8022 master module with gprsscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:cp-8000 master module with i/o - 40/+70scope: - version: -

Trust: 0.8

vendor:siemensmodel:sicam a8000 cp-8000scope:ltversion:16.20

Trust: 0.6

vendor:siemensmodel:sicam a8000 cp-8021scope:ltversion:16.20

Trust: 0.6

vendor:siemensmodel:sicam a8000 cp-8022scope:ltversion:16.20

Trust: 0.6

sources: CNVD: CNVD-2022-02749 // JVNDB: JVNDB-2022-003194 // NVD: CVE-2021-45034

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-45034
value: HIGH

Trust: 1.0

NVD: CVE-2021-45034
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-02749
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202201-868
value: HIGH

Trust: 0.6

VULMON: CVE-2021-45034
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-45034
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-02749
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-45034
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-45034
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-02749 // VULMON: CVE-2021-45034 // JVNDB: JVNDB-2022-003194 // CNNVD: CNNVD-202201-868 // NVD: CVE-2021-45034

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-532

Trust: 1.0

problemtype:Information leakage from log files (CWE-532) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-003194 // NVD: CVE-2021-45034

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-868

TYPE

log information leak

Trust: 0.6

sources: CNNVD: CNNVD-202201-868

PATCH

title:SSA-324998url:https://cert-portal.siemens.com/productcert/pdf/ssa-324998.pdf

Trust: 0.8

title:Patch for Siemens SICAM A8000 Access Control Error Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/313111

Trust: 0.6

title:Siemens SICAM A8000 CP-8000 Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178154

Trust: 0.6

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=d8675b4b15b4f30ad01f1390b99f640f

Trust: 0.1

sources: CNVD: CNVD-2022-02749 // VULMON: CVE-2021-45034 // JVNDB: JVNDB-2022-003194 // CNNVD: CNNVD-202201-868

EXTERNAL IDS

db:NVDid:CVE-2021-45034

Trust: 3.9

db:SIEMENSid:SSA-324998

Trust: 2.3

db:PACKETSTORMid:166743

Trust: 1.7

db:ICS CERTid:ICSA-22-013-02

Trust: 1.5

db:JVNid:JVNVU98508242

Trust: 0.8

db:JVNDBid:JVNDB-2022-003194

Trust: 0.8

db:CNVDid:CNVD-2022-02749

Trust: 0.6

db:CS-HELPid:SB2022011213

Trust: 0.6

db:CXSECURITYid:WLB-2022040064

Trust: 0.6

db:CNNVDid:CNNVD-202201-868

Trust: 0.6

db:VULMONid:CVE-2021-45034

Trust: 0.1

sources: CNVD: CNVD-2022-02749 // VULMON: CVE-2021-45034 // JVNDB: JVNDB-2022-003194 // CNNVD: CNNVD-202201-868 // NVD: CVE-2021-45034

REFERENCES

url:http://packetstormsecurity.com/files/166743/siemens-a8000-cp-8050-cp-8031-sicam-web-missing-file-download-missing-authentication.html

Trust: 2.4

url:https://cert-portal.siemens.com/productcert/pdf/ssa-324998.pdf

Trust: 2.3

url:http://seclists.org/fulldisclosure/2022/apr/20

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-45034

Trust: 1.4

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-02

Trust: 0.9

url:https://jvn.jp/vu/jvnvu98508242/index.html

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022011213

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2022040064

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-013-02

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/532.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-02749 // VULMON: CVE-2021-45034 // JVNDB: JVNDB-2022-003194 // CNNVD: CNNVD-202201-868 // NVD: CVE-2021-45034

CREDITS

Michael Messner of Siemens Energy reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202201-868

SOURCES

db:CNVDid:CNVD-2022-02749
db:VULMONid:CVE-2021-45034
db:JVNDBid:JVNDB-2022-003194
db:CNNVDid:CNNVD-202201-868
db:NVDid:CVE-2021-45034

LAST UPDATE DATE

2024-11-23T21:04:28.448000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-02749date:2022-01-18T00:00:00
db:VULMONid:CVE-2021-45034date:2022-04-15T00:00:00
db:JVNDBid:JVNDB-2022-003194date:2023-02-10T05:14:00
db:CNNVDid:CNNVD-202201-868date:2022-04-18T00:00:00
db:NVDid:CVE-2021-45034date:2024-11-21T06:31:50.140

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-02749date:2022-01-12T00:00:00
db:VULMONid:CVE-2021-45034date:2022-01-11T00:00:00
db:JVNDBid:JVNDB-2022-003194date:2023-02-10T00:00:00
db:CNNVDid:CNNVD-202201-868date:2022-01-11T00:00:00
db:NVDid:CVE-2021-45034date:2022-01-11T12:15:10.143