ID

VAR-202203-0739


CVE

CVE-2021-37209


TITLE

Cryptographic strength vulnerability in Siemens' RUGGEDCOM ROS

Trust: 0.8

sources: JVNDB: JVNDB-2021-018725

DESCRIPTION

A vulnerability has been identified in RUGGEDCOM i800 (All versions < V4.3.8), RUGGEDCOM i801 (All versions < V4.3.8), RUGGEDCOM i802 (All versions < V4.3.8), RUGGEDCOM i803 (All versions < V4.3.8), RUGGEDCOM M2100 (All versions < V4.3.8), RUGGEDCOM M2200 (All versions < V4.3.8), RUGGEDCOM M969 (All versions < V4.3.8), RUGGEDCOM RMC30 (All versions < V4.3.8), RUGGEDCOM RMC8388 V4.X (All versions < V4.3.8), RUGGEDCOM RMC8388 V5.X (All versions < V5.7.0), RUGGEDCOM RP110 (All versions < V4.3.8), RUGGEDCOM RS1600 (All versions < V4.3.8), RUGGEDCOM RS1600F (All versions < V4.3.8), RUGGEDCOM RS1600T (All versions < V4.3.8), RUGGEDCOM RS400 (All versions < V4.3.8), RUGGEDCOM RS401 (All versions < V4.3.8), RUGGEDCOM RS416 (All versions < V4.3.8), RUGGEDCOM RS416P (All versions < V4.3.8), RUGGEDCOM RS416Pv2 V4.X (All versions < V4.3.8), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.7.0), RUGGEDCOM RS416v2 V4.X (All versions < V4.3.8), RUGGEDCOM RS416v2 V5.X (All versions < V5.7.0), RUGGEDCOM RS8000 (All versions < V4.3.8), RUGGEDCOM RS8000A (All versions < V4.3.8), RUGGEDCOM RS8000H (All versions < V4.3.8), RUGGEDCOM RS8000T (All versions < V4.3.8), RUGGEDCOM RS900 (All versions < V4.3.8), RUGGEDCOM RS900 (32M) V4.X (All versions < V4.3.8), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.7.0), RUGGEDCOM RS900G (All versions < V4.3.8), RUGGEDCOM RS900G (32M) V4.X (All versions < V4.3.8), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.7.0), RUGGEDCOM RS900GP (All versions < V4.3.8), RUGGEDCOM RS900L (All versions < V4.3.8), RUGGEDCOM RS900M-GETS-C01 (All versions < V4.3.8), RUGGEDCOM RS900M-GETS-XX (All versions < V4.3.8), RUGGEDCOM RS900M-STND-C01 (All versions < V4.3.8), RUGGEDCOM RS900M-STND-XX (All versions < V4.3.8), RUGGEDCOM RS900W (All versions < V4.3.8), RUGGEDCOM RS910 (All versions < V4.3.8), RUGGEDCOM RS910L (All versions < V4.3.8), RUGGEDCOM RS910W (All versions < V4.3.8), RUGGEDCOM RS920L (All versions < V4.3.8), RUGGEDCOM RS920W (All versions < V4.3.8), RUGGEDCOM 
RS930L (All versions < V4.3.8), RUGGEDCOM RS930W (All versions < V4.3.8), RUGGEDCOM RS940G (All versions < V4.3.8), RUGGEDCOM RS969 (All versions < V4.3.8), RUGGEDCOM RSG2100 (All versions < V4.3.8), RUGGEDCOM RSG2100 (32M) V4.X (All versions < V4.3.8), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.7.0), RUGGEDCOM RSG2100P (All versions < V4.3.8), RUGGEDCOM RSG2200 (All versions < V4.3.8), RUGGEDCOM RSG2288 V4.X (All versions < V4.3.8), RUGGEDCOM RSG2288 V5.X (All versions < V5.7.0), RUGGEDCOM RSG2300 V4.X (All versions < V4.3.8), RUGGEDCOM RSG2300 V5.X (All versions < V5.7.0), RUGGEDCOM RSG2300P V4.X (All versions < V4.3.8), RUGGEDCOM RSG2300P V5.X (All versions < V5.7.0), RUGGEDCOM RSG2488 V4.X (All versions < V4.3.8), RUGGEDCOM RSG2488 V5.X (All versions < V5.7.0), RUGGEDCOM RSG907R (All versions < V5.7.0), RUGGEDCOM RSG908C (All versions < V5.7.0), RUGGEDCOM RSG909R (All versions < V5.7.0), RUGGEDCOM RSG910C (All versions < V5.7.0), RUGGEDCOM RSG920P V4.X (All versions < V4.3.8), RUGGEDCOM RSG920P V5.X (All versions < V5.7.0), RUGGEDCOM RSL910 (All versions < V5.7.0), RUGGEDCOM RST2228 (All versions < V5.7.0), RUGGEDCOM RST2228P (All versions < V5.7.0), RUGGEDCOM RST916C (All versions < V5.7.0), RUGGEDCOM RST916P (All versions < V5.7.0). The SSH server on affected devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a man-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. Siemens' RUGGEDCOM ROS contains a cryptographic strength vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). RUGGEDCOM ROS-based devices are typically switches and serial-to-Ethernet devices used to connect equipment operating in harsh environments, such as power utility substations and traffic control cabinets.
Siemens RUGGEDCOM devices have an information disclosure vulnerability that attackers can use to obtain access passwords.

Trust: 2.16

sources: NVD: CVE-2021-37209 // JVNDB: JVNDB-2021-018725 // CNVD: CNVD-2022-17777

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-17777

AFFECTED PRODUCTS

vendor: siemens, model: ruggedcom ros rs900g, scope: lt, version: v5.6.0

Trust: 1.2

vendor: siemens, model: ruggedcom ros, scope: eq, version: *

Trust: 1.0

vendor: シーメンス, model: ruggedcom ros, scope: eq, version: -

Trust: 0.8

vendor: シーメンス, model: ruggedcom ros, scope: -, version: -

Trust: 0.8

vendor: siemens, model: ruggedcom ros m2100, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs416v2, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg2100p, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsl910, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rst916c, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rst916p, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rst2228, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros i800, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros i801, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros i802, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros i803, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros m969, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros m2200, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rmc, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rmc20, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rmc30, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rmc40, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rmc41, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rmc8388, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rp110, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs400, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs401, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs416, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs900, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs900gp, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs900l, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs900w, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs910, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs910l, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs920l, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs920w, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs930l, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs930w, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs940g, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs969, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs8000, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs8000a, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs8000h, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rs8000t, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg900, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg900c, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg900g, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg900r, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg907r, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg908c, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg909r, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg910c, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg920p, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg2100, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg2488, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg2300p, scope: lt, version: v5.6.0

Trust: 0.6

vendor: siemens, model: ruggedcom ros rsg2300, scope: lt, version: v5.6.0

Trust: 0.6

sources: CNVD: CNVD-2022-17777 // JVNDB: JVNDB-2021-018725 // NVD: CVE-2021-37209

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-37209
value: MEDIUM

Trust: 1.0

productcert@siemens.com: CVE-2021-37209
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-37209
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2022-17777
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202203-763
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-37209
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-17777
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-37209
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

productcert@siemens.com: CVE-2021-37209
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2021-018725
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-17777 // JVNDB: JVNDB-2021-018725 // CNNVD: CNNVD-202203-763 // NVD: CVE-2021-37209 // NVD: CVE-2021-37209

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.0

problemtype:CWE-326

Trust: 1.0

problemtype:Inappropriate cryptographic strength (CWE-326) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-018725 // NVD: CVE-2021-37209

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202203-763

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202203-763

PATCH

title: Patch for Siemens RUGGEDCOM Devices Information Disclosure Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/324176

Trust: 0.6

title: Siemens RUGGEDCOM Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=185252

Trust: 0.6

sources: CNVD: CNVD-2022-17777 // CNNVD: CNNVD-202203-763

EXTERNAL IDS

db: NVD, id: CVE-2021-37209

Trust: 3.8

db: SIEMENS, id: SSA-764417

Trust: 3.0

db: ICS CERT, id: ICSA-22-069-01

Trust: 1.4

db: JVN, id: JVNVU91709091

Trust: 0.8

db: JVNDB, id: JVNDB-2021-018725

Trust: 0.8

db: CNVD, id: CNVD-2022-17777

Trust: 0.6

db: CS-HELP, id: SB2022031111

Trust: 0.6

db: AUSCERT, id: ESB-2022.1045

Trust: 0.6

db: CNNVD, id: CNNVD-202203-763

Trust: 0.6

sources: CNVD: CNVD-2022-17777 // JVNDB: JVNDB-2021-018725 // CNNVD: CNNVD-202203-763 // NVD: CVE-2021-37209

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-764417.pdf

Trust: 3.0

url:https://jvn.jp/vu/jvnvu91709091/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-37209

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-01

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022031111

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-37209/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-069-01

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1045

Trust: 0.6

url:https://vigilance.fr/vulnerability/ruggedcom-rox-user-access-via-unencrypted-passwords-37746

Trust: 0.6

sources: CNVD: CNVD-2022-17777 // JVNDB: JVNDB-2021-018725 // CNNVD: CNNVD-202203-763 // NVD: CVE-2021-37209

CREDITS

Michael Messner from Siemens Energy reported this vulnerability to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202203-763

SOURCES

db: CNVD, id: CNVD-2022-17777
db: JVNDB, id: JVNDB-2021-018725
db: CNNVD, id: CNNVD-202203-763
db: NVD, id: CVE-2021-37209

LAST UPDATE DATE

2024-08-14T12:51:04.999000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-17777, date: 2022-03-09T00:00:00
db: JVNDB, id: JVNDB-2021-018725, date: 2023-07-05T08:12:00
db: CNNVD, id: CNNVD-202203-763, date: 2023-03-15T00:00:00
db: NVD, id: CVE-2021-37209, date: 2023-11-14T11:15:07.980

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-17777, date: 2022-03-09T00:00:00
db: JVNDB, id: JVNDB-2021-018725, date: 2023-07-05T00:00:00
db: CNNVD, id: CNNVD-202203-763, date: 2022-03-08T00:00:00
db: NVD, id: CVE-2021-37209, date: 2022-03-08T12:15:10.330