Details of VAR-202203-0208

ID

VAR-202203-0208

CVE

CVE-2022-25311

TITLE

Siemens' SINEC NMS Vulnerability in privilege management in

Trust: 0.8

sources: JVNDB: JVNDB-2022-006466

DESCRIPTION

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation. Siemens' SINEC NMS Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2022-25311 // JVNDB: JVNDB-2022-006466

AFFECTED PRODUCTS

vendor:	siemens	model:	sinema server	scope:	eq	version:	14.0	Trust: 1.0
vendor:	siemens	model:	sinec network management system	scope:	lt	version:	1.0.3	Trust: 1.0
vendor:	シーメンス	model:	sinec nms	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinec nms	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinec nms	scope:	eq	version:	1.0.3	Trust: 0.8

sources: JVNDB: JVNDB-2022-006466 // NVD: CVE-2022-25311

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-25311
value:	HIGH
Trust: 1.0
productcert@siemens.com:	CVE-2022-25311
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-25311
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202203-747
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-25311
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2022-25311
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2022-25311
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.3
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2022-006466
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-006466 // CNNVD: CNNVD-202203-747 // NVD: CVE-2022-25311 // NVD: CVE-2022-25311

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-269	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-006466 // NVD: CVE-2022-25311

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

PATCH

title:

Siemens SINEC NMS Security vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=185241

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

EXTERNAL IDS

db:	NVD	id:	CVE-2022-25311	Trust: 3.2
db:	SIEMENS	id:	SSA-250085	Trust: 2.4
db:	ICS CERT	id:	ICSA-22-069-03	Trust: 1.4
db:	JVN	id:	JVNVU91709091	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-006466	Trust: 0.8
db:	CS-HELP	id:	SB2022031006	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1043	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-747	Trust: 0.6

sources: JVNDB: JVNDB-2022-006466 // CNNVD: CNNVD-202203-747 // NVD: CVE-2022-25311

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-250085.pdf	Trust: 2.4
url:	https://jvn.jp/vu/jvnvu91709091/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-25311	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-03	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-069-03	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1043	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022031006	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-25311/	Trust: 0.6

sources: JVNDB: JVNDB-2022-006466 // CNNVD: CNNVD-202203-747 // NVD: CVE-2022-25311

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

SOURCES

db:	JVNDB	id:	JVNDB-2022-006466
db:	CNNVD	id:	CNNVD-202203-747
db:	NVD	id:	CVE-2022-25311

LAST UPDATE DATE

2024-08-14T13:06:41.316000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2022-006466	date:	2023-07-05T08:09:00
db:	CNNVD	id:	CNNVD-202203-747	date:	2023-07-11T00:00:00
db:	NVD	id:	CVE-2022-25311	date:	2023-10-10T11:15:10.477

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2022-006466	date:	2023-07-05T00:00:00
db:	CNNVD	id:	CNNVD-202203-747	date:	2022-03-08T00:00:00
db:	NVD	id:	CVE-2022-25311	date:	2022-03-08T12:15:11.727