Details of VAR-202305-0435

ID

VAR-202305-0435

CVE

CVE-2023-27407

TITLE

Siemens' SCALANCE LPE9403 in the firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-009649

DESCRIPTION

A vulnerability has been identified in SCALANCE LPE9403 (All versions < V2.1). The web based management of affected device does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as the root user. Siemens' SCALANCE LPE9403 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Siemens SCALANCE LPE9403 is a local processing driver

Trust: 2.25

sources: NVD: CVE-2023-27407 // JVNDB: JVNDB-2023-009649 // CNVD: CNVD-2023-35767 // VULMON: CVE-2023-27407

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-35767

AFFECTED PRODUCTS

vendor:	siemens	model:	scalance lpe9403	scope:	lt	version:	2.1	Trust: 1.0
vendor:	シーメンス	model:	scalance lpe9403	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	scalance lpe9403	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	scalance lpe9403	scope:	eq	version:	scalance lpe9403 firmware 2.1	Trust: 0.8
vendor:	siemens	model:	scalance lpe9403	scope:	lt	version:	v2.1	Trust: 0.6

sources: CNVD: CNVD-2023-35767 // JVNDB: JVNDB-2023-009649 // NVD: CVE-2023-27407

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-27407
value:	CRITICAL
Trust: 1.0
productcert@siemens.com:	CVE-2023-27407
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2023-27407
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2023-35767
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202305-654
value:	CRITICAL
Trust: 0.6

CNVD:	CNVD-2023-35767
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-27407
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	6.0
version:	3.1
Trust: 2.0
NVD:	CVE-2023-27407
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-35767 // JVNDB: JVNDB-2023-009649 // CNNVD: CNNVD-202305-654 // NVD: CVE-2023-27407 // NVD: CVE-2023-27407

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-009649 // NVD: CVE-2023-27407

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-654

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202305-654

PATCH

title:	Patch for Siemens SCALANCE LPE9403 Command Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/424721	Trust: 0.6
title:	Siemens SCALANCE Fixes for command injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=236526	Trust: 0.6

sources: CNVD: CNVD-2023-35767 // CNNVD: CNNVD-202305-654

EXTERNAL IDS

db:	NVD	id:	CVE-2023-27407	Trust: 3.9
db:	SIEMENS	id:	SSA-325383	Trust: 3.1
db:	JVN	id:	JVNVU98195668	Trust: 0.8
db:	ICS CERT	id:	ICSA-23-131-06	Trust: 0.8
db:	JVNDB	id:	JVNDB-2023-009649	Trust: 0.8
db:	CNVD	id:	CNVD-2023-35767	Trust: 0.6
db:	CNNVD	id:	CNNVD-202305-654	Trust: 0.6
db:	VULMON	id:	CVE-2023-27407	Trust: 0.1

sources: CNVD: CNVD-2023-35767 // VULMON: CVE-2023-27407 // JVNDB: JVNDB-2023-009649 // CNNVD: CNNVD-202305-654 // NVD: CVE-2023-27407

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-325383.pdf	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2023-27407	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu98195668/	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-06	Trust: 0.8
url:	https://cert-portal.siemens.com/productcert/html/ssa-325383.html	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2023-27407/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-35767 // VULMON: CVE-2023-27407 // JVNDB: JVNDB-2023-009649 // CNNVD: CNNVD-202305-654 // NVD: CVE-2023-27407

SOURCES

db:	CNVD	id:	CNVD-2023-35767
db:	VULMON	id:	CVE-2023-27407
db:	JVNDB	id:	JVNDB-2023-009649
db:	CNNVD	id:	CNNVD-202305-654
db:	NVD	id:	CVE-2023-27407

LAST UPDATE DATE

2024-08-14T12:45:42.949000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-35767	date:	2023-05-10T00:00:00
db:	VULMON	id:	CVE-2023-27407	date:	2023-05-09T00:00:00
db:	JVNDB	id:	JVNDB-2023-009649	date:	2023-12-06T05:17:00
db:	CNNVD	id:	CNNVD-202305-654	date:	2023-05-11T00:00:00
db:	NVD	id:	CVE-2023-27407	date:	2023-05-15T18:47:18.340

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-35767	date:	2023-05-10T00:00:00
db:	VULMON	id:	CVE-2023-27407	date:	2023-05-09T00:00:00
db:	JVNDB	id:	JVNDB-2023-009649	date:	2023-12-06T00:00:00
db:	CNNVD	id:	CNNVD-202305-654	date:	2023-05-09T00:00:00
db:	NVD	id:	CVE-2023-27407	date:	2023-05-09T13:15:16.640