ID

VAR-202202-0369


CVE

CVE-2021-40363


TITLE

SIMATIC PCS 7  and  SIMATIC WinCC  Vulnerability in plaintext storage of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2022-005071

DESCRIPTION

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The affected component stores the credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. An attacker may use this to brute force the credentials and take over the system. SIMATIC PCS 7 and SIMATIC WinCC There is a vulnerability in plaintext storage of important information.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Siemens SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system. An information disclosure vulnerability exists in Siemens SIMATIC WinCC, which could allow an attacker to use this command to forcibly obtain credentials and take over the system

Trust: 2.25

sources: NVD: CVE-2021-40363 // JVNDB: JVNDB-2022-005071 // CNVD: CNVD-2022-10000 // VULHUB: VHN-401720

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-10000

AFFECTED PRODUCTS

vendor:siemensmodel:simatic winccscope:eqversion:7.5

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:15.1

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:13

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:14.0.1

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:16

Trust: 1.0

vendor:siemensmodel:simatic pcs 7scope:lteversion:8.2

Trust: 1.0

vendor:siemensmodel:simatic pcs 7scope:eqversion:9.0

Trust: 1.0

vendor:siemensmodel:simatic pcs 7scope:eqversion:9.1

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:7.4

Trust: 1.0

vendor:siemensmodel:simatic winccscope:ltversion:7.4

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:15

Trust: 1.0

vendor:siemensmodel:simatic winccscope:eqversion:17

Trust: 1.0

vendor:シーメンスmodel:simatic pcs 7scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:simatic winccscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic wincc updatescope:gteversion:v172

Trust: 0.6

sources: CNVD: CNVD-2022-10000 // JVNDB: JVNDB-2022-005071 // NVD: CVE-2021-40363

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-40363
value: HIGH

Trust: 1.0

NVD: CVE-2021-40363
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-10000
value: LOW

Trust: 0.6

CNNVD: CNNVD-202202-592
value: HIGH

Trust: 0.6

VULHUB: VHN-401720
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-40363
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-10000
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-401720
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-40363
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-40363
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-10000 // VULHUB: VHN-401720 // JVNDB: JVNDB-2022-005071 // CNNVD: CNNVD-202202-592 // NVD: CVE-2021-40363

PROBLEMTYPE DATA

problemtype:CWE-538

Trust: 1.1

problemtype:CWE-312

Trust: 1.0

problemtype:Plaintext storage of important information (CWE-312) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-401720 // JVNDB: JVNDB-2022-005071 // NVD: CVE-2021-40363

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202202-592

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202202-592

PATCH

title:SSA-914168url:https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf

Trust: 0.8

title:Patch for Siemens SIMATIC WinCC Information Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/318461

Trust: 0.6

title:Siemens SIMATIC PCS 7 and SIMATIC WinCC Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=181960

Trust: 0.6

sources: CNVD: CNVD-2022-10000 // JVNDB: JVNDB-2022-005071 // CNNVD: CNNVD-202202-592

EXTERNAL IDS

db:NVDid:CVE-2021-40363

Trust: 3.9

db:SIEMENSid:SSA-914168

Trust: 2.3

db:ICS CERTid:ICSA-22-041-02

Trust: 1.4

db:JVNid:JVNVU98748974

Trust: 0.8

db:JVNDBid:JVNDB-2022-005071

Trust: 0.8

db:CNVDid:CNVD-2022-10000

Trust: 0.7

db:CS-HELPid:SB2022021106

Trust: 0.6

db:AUSCERTid:ESB-2022.0606

Trust: 0.6

db:CNNVDid:CNNVD-202202-592

Trust: 0.6

db:VULHUBid:VHN-401720

Trust: 0.1

sources: CNVD: CNVD-2022-10000 // VULHUB: VHN-401720 // JVNDB: JVNDB-2022-005071 // CNNVD: CNNVD-202202-592 // NVD: CVE-2021-40363

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-40363

Trust: 1.4

url:https://jvn.jp/vu/jvnvu98748974/index.html

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-041-02

Trust: 0.8

url:https://vigilance.fr/vulnerability/simatic-user-access-via-credentials-brute-force-37483

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0606

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022021106

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-041-02

Trust: 0.6

sources: CNVD: CNVD-2022-10000 // VULHUB: VHN-401720 // JVNDB: JVNDB-2022-005071 // CNNVD: CNNVD-202202-592 // NVD: CVE-2021-40363

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202202-592

SOURCES

db:CNVDid:CNVD-2022-10000
db:VULHUBid:VHN-401720
db:JVNDBid:JVNDB-2022-005071
db:CNNVDid:CNNVD-202202-592
db:NVDid:CVE-2021-40363

LAST UPDATE DATE

2024-08-14T13:05:48.129000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-10000date:2022-02-14T00:00:00
db:VULHUBid:VHN-401720date:2022-10-06T00:00:00
db:JVNDBid:JVNDB-2022-005071date:2023-05-16T08:53:00
db:CNNVDid:CNNVD-202202-592date:2022-08-11T00:00:00
db:NVDid:CVE-2021-40363date:2022-10-06T16:46:47.823

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-10000date:2022-02-14T00:00:00
db:VULHUBid:VHN-401720date:2022-02-09T00:00:00
db:JVNDBid:JVNDB-2022-005071date:2023-05-16T00:00:00
db:CNNVDid:CNNVD-202202-592date:2022-02-08T00:00:00
db:NVDid:CVE-2021-40363date:2022-02-09T16:15:13.877