Details of VAR-202407-0140

ID

VAR-202407-0140

CVE

CVE-2024-39875

TITLE

Siemens' SINEMA Remote Connect Server Vulnerability in improper permission assignment for critical resources in

Trust: 0.8

sources: JVNDB: JVNDB-2024-005767

DESCRIPTION

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows authenticated, low privilege users with the 'Manage own remote connections' permission to retrieve details about other users and group memberships. The platform is mainly used for remote access, maintenance, control and diagnosis of underlying networks

Trust: 2.16

sources: NVD: CVE-2024-39875 // JVNDB: JVNDB-2024-005767 // CNVD: CNVD-2024-31246

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-31246

AFFECTED PRODUCTS

vendor:	siemens	model:	sinema remote connect server	scope:	lt	version:	3.2	Trust: 1.0
vendor:	siemens	model:	sinema remote connect server	scope:	eq	version:	3.2	Trust: 1.0
vendor:	シーメンス	model:	sinema remote connect server	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinema remote connect server	scope:	eq	version:	3.2	Trust: 0.8
vendor:	シーメンス	model:	sinema remote connect server	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	sinema remote connect server sp1	scope:	lt	version:	v3.2	Trust: 0.6

sources: CNVD: CNVD-2024-31246 // JVNDB: JVNDB-2024-005767 // NVD: CVE-2024-39875

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2024-39875
value:	MEDIUM
Trust: 1.0
productcert@siemens.com:	CVE-2024-39875
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2024-39875
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2024-31246
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-31246
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2024-39875
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0
NVD:	CVE-2024-39875
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-31246 // JVNDB: JVNDB-2024-005767 // NVD: CVE-2024-39875 // NVD: CVE-2024-39875

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.0
problemtype:	Improper permission assignment for critical resources (CWE-732) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-005767 // NVD: CVE-2024-39875

PATCH

title:

Patch for Siemens SINEMA Remote Connect Server critical resource permissions incorrectly assigned vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/567811

Trust: 0.6

sources: CNVD: CNVD-2024-31246

EXTERNAL IDS

db:	NVD	id:	CVE-2024-39875	Trust: 3.2
db:	SIEMENS	id:	SSA-381581	Trust: 2.4
db:	JVN	id:	JVNVU99298639	Trust: 0.8
db:	ICS CERT	id:	ICSA-24-193-01	Trust: 0.8
db:	JVNDB	id:	JVNDB-2024-005767	Trust: 0.8
db:	CNVD	id:	CNVD-2024-31246	Trust: 0.6

sources: CNVD: CNVD-2024-31246 // JVNDB: JVNDB-2024-005767 // NVD: CVE-2024-39875

REFERENCES

url:	https://cert-portal.siemens.com/productcert/html/ssa-381581.html	Trust: 2.4
url:	https://jvn.jp/vu/jvnvu99298639/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-39875	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-24-193-01	Trust: 0.8

sources: CNVD: CNVD-2024-31246 // JVNDB: JVNDB-2024-005767 // NVD: CVE-2024-39875

SOURCES

db:	CNVD	id:	CNVD-2024-31246
db:	JVNDB	id:	JVNDB-2024-005767
db:	NVD	id:	CVE-2024-39875

LAST UPDATE DATE

2024-08-21T20:01:42.159000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-31246	date:	2024-07-10T00:00:00
db:	JVNDB	id:	JVNDB-2024-005767	date:	2024-08-20T01:19:00
db:	NVD	id:	CVE-2024-39875	date:	2024-08-07T19:23:39.247

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-31246	date:	2024-07-11T00:00:00
db:	JVNDB	id:	JVNDB-2024-005767	date:	2024-08-20T00:00:00
db:	NVD	id:	CVE-2024-39875	date:	2024-07-09T12:15:19.803