ID

VAR-202405-0157


CVE

CVE-2024-33499


TITLE

Siemens SIMATIC RTLS Locating Manager Critical Resource Permission Assignment Improper Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-24520

DESCRIPTION

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected application assigns incorrect permissions to a user management component. This could allow a privileged attacker to escalate their privileges from the Administrators group to the Systemadministrator group. SIMATIC RTLS Locating Manager is used to configure, operate, and maintain SIMATIC RTLS devices, which are real-time wireless location systems that provide location solutions

Trust: 1.44

sources: NVD: CVE-2024-33499 // CNVD: CNVD-2024-24520

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-24520

AFFECTED PRODUCTS

vendor: siemens
model: simatic rtls locating manager
scope: lt
version: v3.0.1.1

Trust: 4.2

sources: CNVD: CNVD-2024-24520

CVSS

SEVERITY

productcert@siemens.com: CVE-2024-33499
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2024-24520
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-24520
severity: HIGH
baseScore: 8.3
vectorString: AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

productcert@siemens.com: CVE-2024-33499
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-24520 // NVD: CVE-2024-33499

PROBLEMTYPE DATA

problemtype: CWE-732

Trust: 1.0

sources: NVD: CVE-2024-33499

PATCH

title: Patch for Siemens SIMATIC RTLS Locating Manager Critical Resource Permission Assignment Improper Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/547646

Trust: 0.6

sources: CNVD: CNVD-2024-24520

EXTERNAL IDS

db: NVD, id: CVE-2024-33499

Trust: 1.6

db: SIEMENS, id: SSA-093430

Trust: 1.6

db: CNVD, id: CNVD-2024-24520

Trust: 0.6

sources: CNVD: CNVD-2024-24520 // NVD: CVE-2024-33499

REFERENCES

url: https://cert-portal.siemens.com/productcert/html/ssa-093430.html

Trust: 1.6

sources: CNVD: CNVD-2024-24520 // NVD: CVE-2024-33499

SOURCES

db: CNVD, id: CNVD-2024-24520
db: NVD, id: CVE-2024-33499

LAST UPDATE DATE

2024-08-14T13:41:07.153000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-24520, date: 2024-05-28T00:00:00
db: NVD, id: CVE-2024-33499, date: 2024-06-11T12:15:15.850

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-24520, date: 2024-05-30T00:00:00
db: NVD, id: CVE-2024-33499, date: 2024-05-14T16:17:20.240