Details of VAR-202408-0001

ID

VAR-202408-0001

CVE

CVE-2024-41977

TITLE

Vulnerabilities in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2024-006497

DESCRIPTION

A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.1), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.1), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8.1), SCALANCE M812-1 ADSL-Router family (All versions < V8.1), SCALANCE M816-1 ADSL-Router family (All versions < V8.1), SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2) (All versions < V8.1), SCALANCE M874-2 (6GK5874-2AA00-2AA2) (All versions < V8.1), SCALANCE M874-3 (6GK5874-3AA00-2AA2) (All versions < V8.1), SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2) (All versions < V8.1), SCALANCE M876-3 (6GK5876-3AA02-2BA2) (All versions < V8.1), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2) (All versions < V8.1), SCALANCE M876-4 (6GK5876-4AA10-2BA2) (All versions < V8.1), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2) (All versions < V8.1), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2) (All versions < V8.1), SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1) (All versions < V8.1), SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1) (All versions < V8.1), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1) (All versions < V8.1), SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1) (All versions < V8.1), SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1) (All versions < V8.1), SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1) (All versions < V8.1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1) (All versions < V8.1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1) (All versions < V8.1), SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2) (All versions < V8.1), SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2) (All versions < V8.1). Affected devices do not properly enforce isolation between user sessions in their web server component. This could allow an authenticated remote attacker to escalate their privileges on the devices. ruggedcom rm1224 lte(4g) eu firmware, ruggedcom rm1224 lte(4g) nam firmware, scalance m804pb Multiple Siemens products such as firmware have unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. SCALANCE M-800, MUM-800, S615, RUGGEDCOM RM1224 are all industrial routers

Trust: 2.16

sources: NVD: CVE-2024-41977 // JVNDB: JVNDB-2024-006497 // CNVD: CNVD-2024-35437

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-35437

AFFECTED PRODUCTS

vendor:	siemens	model:	scalance mum856-1 \	scope:	lt	version:	8.1	Trust: 5.0
vendor:	シーメンス	model:	scalance mum856-1	scope:	-	version:	-	Trust: 4.0
vendor:	siemens	model:	scalance mum853-1 \	scope:	lt	version:	8.1	Trust: 3.0
vendor:	シーメンス	model:	scalance m876-4	scope:	-	version:	-	Trust: 2.4
vendor:	シーメンス	model:	scalance mum853-1	scope:	-	version:	-	Trust: 2.4
vendor:	siemens	model:	scalance m816-1 \	scope:	lt	version:	8.1	Trust: 2.0
vendor:	siemens	model:	scalance m876-4 \	scope:	lt	version:	8.1	Trust: 2.0
vendor:	siemens	model:	scalance m812-1 \	scope:	lt	version:	8.1	Trust: 2.0
vendor:	シーメンス	model:	scalance m876-3	scope:	-	version:	-	Trust: 1.6
vendor:	siemens	model:	scalance s615 eec lan-router	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m874-3	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m876-3	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance s615 lan-router	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m874-2	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m826-2 shdsl-router	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m874-3 3g-router \	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m876-3 \	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m804pb	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	ruggedcom rm1224 lte\ eu	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	scalance m876-4	scope:	lt	version:	8.1	Trust: 1.0
vendor:	siemens	model:	ruggedcom rm1224 lte\ nam	scope:	lt	version:	8.1	Trust: 1.0
vendor:	シーメンス	model:	scalance m804pb	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	scalance m874-3	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	scalance m874-3 3g-router	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	scalance m874-2	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rm1224 lte eu	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	scalance m826-2 shdsl-router	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	ruggedcom rm1224 lte nam	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	scalance m-800 family	scope:	lt	version:	8.1	Trust: 0.6

sources: CNVD: CNVD-2024-35437 // JVNDB: JVNDB-2024-006497 // NVD: CVE-2024-41977

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2024-41977
value:	HIGH
Trust: 1.0
productcert@siemens.com:	CVE-2024-41977
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-41977
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2024-35437
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-35437
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:H/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2024-41977
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2024-41977
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2024-41977
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-35437 // JVNDB: JVNDB-2024-006497 // NVD: CVE-2024-41977 // NVD: CVE-2024-41977

PROBLEMTYPE DATA

problemtype:	CWE-488	Trust: 1.0
problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	others (CWE-Other) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-006497 // NVD: CVE-2024-41977

PATCH

title:

Patch for Siemens SCALANCE M-800 Series Configuration Error Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/576906

Trust: 0.6

sources: CNVD: CNVD-2024-35437

EXTERNAL IDS

db:	NVD	id:	CVE-2024-41977	Trust: 3.2
db:	SIEMENS	id:	SSA-087301	Trust: 2.4
db:	JVN	id:	JVNVU99084687	Trust: 0.8
db:	ICS CERT	id:	ICSA-24-228-01	Trust: 0.8
db:	JVNDB	id:	JVNDB-2024-006497	Trust: 0.8
db:	CNVD	id:	CNVD-2024-35437	Trust: 0.6

sources: CNVD: CNVD-2024-35437 // JVNDB: JVNDB-2024-006497 // NVD: CVE-2024-41977

REFERENCES

url:	https://cert-portal.siemens.com/productcert/html/ssa-087301.html	Trust: 2.4
url:	https://jvn.jp/vu/jvnvu99084687/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-41977	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-24-228-01	Trust: 0.8

sources: CNVD: CNVD-2024-35437 // JVNDB: JVNDB-2024-006497 // NVD: CVE-2024-41977

SOURCES

db:	CNVD	id:	CNVD-2024-35437
db:	JVNDB	id:	JVNDB-2024-006497
db:	NVD	id:	CVE-2024-41977

LAST UPDATE DATE

2024-08-27T19:43:14.983000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-35437	date:	2024-08-14T00:00:00
db:	JVNDB	id:	JVNDB-2024-006497	date:	2024-08-26T05:28:00
db:	NVD	id:	CVE-2024-41977	date:	2024-08-23T18:39:13.990

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-35437	date:	2024-08-14T00:00:00
db:	JVNDB	id:	JVNDB-2024-006497	date:	2024-08-26T00:00:00
db:	NVD	id:	CVE-2024-41977	date:	2024-08-13T08:15:15.640