Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-41057 (GCVE-0-2021-41057)
Vulnerability from cvelistv5 – Published: 2021-11-14 20:21 – Updated: 2024-08-04 02:59
VLAI?
EPSS
Summary
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.383Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wibu.com/us/support/security-advisories.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-14T20:21:30.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wibu.com/us/support/security-advisories.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41057",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wibu.com/us/support/security-advisories.html",
"refsource": "MISC",
"url": "https://www.wibu.com/us/support/security-advisories.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"name": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf",
"refsource": "CONFIRM",
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41057",
"datePublished": "2021-11-14T20:21:30.000Z",
"dateReserved": "2021-09-13T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:59:31.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.30a\", \"matchCriteriaId\": \"C8B1884B-18F5-4B92-B83F-C756725FDAB9\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:pss_cape:14:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"76414178-E1E6-40A5-9DD2-FBAD698624C6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"34.0.0\", \"versionEndExcluding\": \"34.9.1\", \"matchCriteriaId\": \"E01D2F88-8820-49E6-8865-3E20AB63289E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"35.0.0\", \"versionEndExcluding\": \"35.3.2\", \"matchCriteriaId\": \"F42F3EBF-41A9-4F3B-BEED-2954B350E0FA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:pss_odms:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"12.2.6.1\", \"matchCriteriaId\": \"8707B418-2D99-4303-8102-316081B722D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:sicam_230:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.0\", \"matchCriteriaId\": \"312E7EA5-61A8-4439-A9E0-87522E8DD141\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simatic_information_server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2019\", \"matchCriteriaId\": \"6FD2B7BE-73CA-4974-A61C-3E97FE5A2F7F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simatic_information_server:2019:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"4FA3A37A-6A43-42E1-80BF-7FF346D2F253\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simatic_information_server:2019:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4BB95C8C-188D-430F-9D59-7F5E1832A0A5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D61D4B81-7F51-49BE-83DD-D2C28D23B0EA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simatic_process_historian:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2019\", \"matchCriteriaId\": \"9A9C8C40-ABBD-496C-BF0B-24098B96D029\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simatic_wincc_oa:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.18\", \"matchCriteriaId\": \"52504DDF-990A-419B-BEAF-E02B4403BBBA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:simit:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"10.0\", \"matchCriteriaId\": \"CE96110F-4874-42C5-A891-FD9022FE7803\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.\"}, {\"lang\": \"es\", \"value\": \"En WIBU CodeMeter Runtime versiones anteriores a 7.30a, la creaci\\u00f3n de un enlace simb\\u00f3lico CmDongles dise\\u00f1ado sobrescribir\\u00e1 el archivo enlazado sin comprobar los permisos\"}]",
"id": "CVE-2021-41057",
"lastModified": "2024-11-21T06:25:21.627",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:N/I:P/A:P\", \"baseScore\": 3.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-11-14T21:15:07.797",
"references": "[{\"url\": \"https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.wibu.com/us/support/security-advisories.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.wibu.com/us/support/security-advisories.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-41057\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-11-14T21:15:07.797\",\"lastModified\":\"2024-11-21T06:25:21.627\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.\"},{\"lang\":\"es\",\"value\":\"En WIBU CodeMeter Runtime versiones anteriores a 7.30a, la creaci\u00f3n de un enlace simb\u00f3lico CmDongles dise\u00f1ado sobrescribir\u00e1 el archivo enlazado sin comprobar los permisos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":3.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.30a\",\"matchCriteriaId\":\"C8B1884B-18F5-4B92-B83F-C756725FDAB9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:pss_cape:14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"76414178-E1E6-40A5-9DD2-FBAD698624C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"34.0.0\",\"versionEndExcluding\":\"34.9.1\",\"matchCriteriaId\":\"E01D2F88-8820-49E6-8865-3E20AB63289E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"35.0.0\",\"versionEndExcluding\":\"35.3.2\",\"matchCriteriaId\":\"F42F3EBF-41A9-4F3B-BEED-2954B350E0FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:pss_odms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.2.6.1\",\"matchCriteriaId\":\"8707B418-2D99-4303-8102-316081B722D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sicam_230:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.0\",\"matchCriteriaId\":\"312E7EA5-61A8-4439-A9E0-87522E8DD141\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simatic_information_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2019\",\"matchCriteriaId\":\"6FD2B7BE-73CA-4974-A61C-3E97FE5A2F7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simatic_information_server:2019:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FA3A37A-6A43-42E1-80BF-7FF346D2F253\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simatic_information_server:2019:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4BB95C8C-188D-430F-9D59-7F5E1832A0A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D61D4B81-7F51-49BE-83DD-D2C28D23B0EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simatic_process_historian:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2019\",\"matchCriteriaId\":\"9A9C8C40-ABBD-496C-BF0B-24098B96D029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simatic_wincc_oa:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.18\",\"matchCriteriaId\":\"52504DDF-990A-419B-BEAF-E02B4403BBBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:simit:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"10.0\",\"matchCriteriaId\":\"CE96110F-4874-42C5-A891-FD9022FE7803\"}]}]}],\"references\":[{\"url\":\"https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.wibu.com/us/support/security-advisories.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.wibu.com/us/support/security-advisories.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
CERTFR-2021-AVI-854
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | Capital VSTAR versions incluant les modules DNS | ||
| Siemens | N/A | Nucleus Source Code toutes versions | ||
| Siemens | N/A | Mendix Applications using Mendix 9 toutes versions antérieures à V9.6.2 | ||
| Siemens | N/A | Nucleus NET toutes versions | ||
| Siemens | N/A | SIMATIC WinCC V15 toutes versions | ||
| Siemens | N/A | SIMATIC WinCC V17 toutes versions | ||
| Siemens | N/A | SIMATIC WinCC OA V3.18 toutes versions | ||
| Siemens | N/A | NX 1980 Series toutes versions antérieures à V1984 | ||
| Siemens | N/A | APOGEE MEC (PPC) (BACnet) toutes versions | ||
| Siemens | N/A | APOGEE PXC Compact (P2 Ethernet) toutes versions | ||
| Siemens | N/A | SIMATIC WinCC V7.5 toutes versions antérieures à V7.5 SP2 Update 5 | ||
| Siemens | N/A | SIMATIC WinCC OA V3.17 toutes versions | ||
| Siemens | N/A | Climatix POL909 (AWM module) toutes versions antérieures à V11.34 | ||
| Siemens | N/A | SCALANCE W1750D toutes versions antérieures à V8.7.1.3 | ||
| Siemens | N/A | SIMATIC PCS 7 V9.0 toutes versions | ||
| Siemens | N/A | Siveillance Video DLNA Server 2021 R1 | ||
| Siemens | N/A | SIMATIC PCS 7 V9.1 toutes versions | ||
| Siemens | N/A | Mendix Applications using Mendix 7 toutes versions antérieures à V7.23.26 | ||
| Siemens | N/A | SIMATIC WinCC V7.4 toutes versions | ||
| Siemens | N/A | APOGEE PXC Modular (BACnet) toutes versions | ||
| Siemens | N/A | Nucleus Source Code versions incluant les modules DNS | ||
| Siemens | N/A | SIMATIC WinCC V16 toutes versions | ||
| Siemens | N/A | SIMATIC Information Server toutes versions >= V2019 SP1 | ||
| Siemens | N/A | SICAM 230 toutes versions | ||
| Siemens | N/A | Nucleus ReadyStart V4 toutes versions antérieures à V4.1.1 | ||
| Siemens | N/A | Mendix Applications using Mendix 8 toutes versions antérieures à V8.18.13 | ||
| Siemens | N/A | APOGEE PXC Modular (P2 Ethernet) toutes versions | ||
| Siemens | N/A | Nucleus ReadyStart V3 toutes versions antérieures à V2017.02.4 | ||
| Siemens | N/A | SIMATIC RTLS Locating Manager toutes versions antérieures à V2.12 | ||
| Siemens | N/A | Siveillance Video DLNA Server 2020 R1, 2020 R2, 2020 R3 | ||
| Siemens | N/A | Capital VSTAR toutes versions | ||
| Siemens | N/A | Siveillance Video DLNA Server 2019 R1, 2019 R2, 2019 R3 | ||
| Siemens | N/A | Nucleus ReadyStart V3 toutes versions antérieures à V2013.08 | ||
| Siemens | N/A | APOGEE MEC (PPC) (P2 Ethernet) toutes versions | ||
| Siemens | N/A | PSS(R)ODMS V12 toutes versions antérieures à V12.2.6.1 | ||
| Siemens | N/A | Nucleus ReadyStart V3 toutes versions antérieures à V2012.12 | ||
| Siemens | N/A | SENTRON powermanager V3 toutes versions | ||
| Siemens | N/A | APOGEE PXC Compact (BACnet) toutes versions | ||
| Siemens | N/A | TALON TC Compact (BACnet) toutes versions | ||
| Siemens | N/A | NX 1980 Series toutes versions antérieures à V1988 | ||
| Siemens | N/A | PSS(R)E V34 toutes versions antérieures à V34.9.1 | ||
| Siemens | N/A | APOGEE MBC (PPC) (P2 Ethernet) toutes versions | ||
| Siemens | N/A | NX 1953 Series toutes versions antérieures à V1973.3700 | ||
| Siemens | N/A | APOGEE MBC (PPC) (BACnet) toutes versions | ||
| Siemens | N/A | PSS(R)E V35 toutes versions antérieures à V35.3.2 | ||
| Siemens | N/A | SIMATIC PCS 7 V8.2 toutes versions | ||
| Siemens | N/A | TALON TC Modular (BACnet) toutes versions |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Capital VSTAR versions incluant les modules DNS",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus Source Code toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Applications using Mendix 9 toutes versions ant\u00e9rieures \u00e0 V9.6.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus NET toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V15 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V17 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA V3.18 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "NX 1980 Series toutes versions ant\u00e9rieures \u00e0 V1984",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MEC (PPC) (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Compact (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.5 toutes versions ant\u00e9rieures \u00e0 V7.5 SP2 Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA V3.17 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Climatix POL909 (AWM module) toutes versions ant\u00e9rieures \u00e0 V11.34",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE W1750D toutes versions ant\u00e9rieures \u00e0 V8.7.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V9.0 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Siveillance Video DLNA Server 2021 R1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V9.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Applications using Mendix 7 toutes versions ant\u00e9rieures \u00e0 V7.23.26",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.4 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Modular (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus Source Code versions incluant les modules DNS",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V16 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Information Server toutes versions \u003e= V2019 SP1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM 230 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V4 toutes versions ant\u00e9rieures \u00e0 V4.1.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Applications using Mendix 8 toutes versions ant\u00e9rieures \u00e0 V8.18.13",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Modular (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V3 toutes versions ant\u00e9rieures \u00e0 V2017.02.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RTLS Locating Manager toutes versions ant\u00e9rieures \u00e0 V2.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Siveillance Video DLNA Server 2020 R1, 2020 R2, 2020 R3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Capital VSTAR toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Siveillance Video DLNA Server 2019 R1, 2019 R2, 2019 R3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V3 toutes versions ant\u00e9rieures \u00e0 V2013.08",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MEC (PPC) (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PSS(R)ODMS V12 toutes versions ant\u00e9rieures \u00e0 V12.2.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V3 toutes versions ant\u00e9rieures \u00e0 V2012.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SENTRON powermanager V3 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Compact (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TALON TC Compact (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "NX 1980 Series toutes versions ant\u00e9rieures \u00e0 V1988",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PSS(R)E V34 toutes versions ant\u00e9rieures \u00e0 V34.9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MBC (PPC) (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "NX 1953 Series toutes versions ant\u00e9rieures \u00e0 V1973.3700",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MBC (PPC) (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PSS(R)E V35 toutes versions ant\u00e9rieures \u00e0 V35.3.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V8.2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TALON TC Modular (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-27009",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27009"
},
{
"name": "CVE-2021-31881",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31881"
},
{
"name": "CVE-2020-28388",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28388"
},
{
"name": "CVE-2021-42026",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42026"
},
{
"name": "CVE-2021-37734",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37734"
},
{
"name": "CVE-2021-42025",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42025"
},
{
"name": "CVE-2021-37732",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37732"
},
{
"name": "CVE-2021-31888",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31888"
},
{
"name": "CVE-2020-27736",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27736"
},
{
"name": "CVE-2021-31885",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31885"
},
{
"name": "CVE-2021-31887",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31887"
},
{
"name": "CVE-2020-10053",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10053"
},
{
"name": "CVE-2021-37735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37735"
},
{
"name": "CVE-2021-41533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41533"
},
{
"name": "CVE-2021-25663",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25663"
},
{
"name": "CVE-2021-31884",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31884"
},
{
"name": "CVE-2021-42015",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42015"
},
{
"name": "CVE-2021-40366",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40366"
},
{
"name": "CVE-2020-15795",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15795"
},
{
"name": "CVE-2021-31882",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31882"
},
{
"name": "CVE-2021-25664",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25664"
},
{
"name": "CVE-2021-41057",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41057"
},
{
"name": "CVE-2021-37207",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37207"
},
{
"name": "CVE-2021-40358",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40358"
},
{
"name": "CVE-2020-10052",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10052"
},
{
"name": "CVE-2021-37726",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37726"
},
{
"name": "CVE-2020-10054",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10054"
},
{
"name": "CVE-2021-41535",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41535"
},
{
"name": "CVE-2021-37727",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37727"
},
{
"name": "CVE-2021-27393",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27393"
},
{
"name": "CVE-2021-31346",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31346"
},
{
"name": "CVE-2021-40364",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40364"
},
{
"name": "CVE-2020-27738",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27738"
},
{
"name": "CVE-2021-31889",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31889"
},
{
"name": "CVE-2021-42021",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42021"
},
{
"name": "CVE-2021-31883",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31883"
},
{
"name": "CVE-2021-41538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41538"
},
{
"name": "CVE-2021-40359",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40359"
},
{
"name": "CVE-2021-31886",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31886"
},
{
"name": "CVE-2021-41534",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41534"
},
{
"name": "CVE-2021-31890",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31890"
},
{
"name": "CVE-2021-37730",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37730"
},
{
"name": "CVE-2021-31345",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31345"
},
{
"name": "CVE-2020-27737",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27737"
},
{
"name": "CVE-2021-31344",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31344"
},
{
"name": "CVE-2021-25677",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25677"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-854",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-11-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-248289 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-248289.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-703715 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-840188 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-362164 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-362164.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-044112 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-328042 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-328042.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-917476 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-917476.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-114589 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-201384 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-201384.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-537983 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-537983.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-779699 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-580693 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-185699 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-185699.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-740908 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740908.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-145157 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-338732 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-755517 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-705111 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-705111.pdf"
}
]
}
CERTFR-2021-AVI-854
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | Capital VSTAR versions incluant les modules DNS | ||
| Siemens | N/A | Nucleus Source Code toutes versions | ||
| Siemens | N/A | Mendix Applications using Mendix 9 toutes versions antérieures à V9.6.2 | ||
| Siemens | N/A | Nucleus NET toutes versions | ||
| Siemens | N/A | SIMATIC WinCC V15 toutes versions | ||
| Siemens | N/A | SIMATIC WinCC V17 toutes versions | ||
| Siemens | N/A | SIMATIC WinCC OA V3.18 toutes versions | ||
| Siemens | N/A | NX 1980 Series toutes versions antérieures à V1984 | ||
| Siemens | N/A | APOGEE MEC (PPC) (BACnet) toutes versions | ||
| Siemens | N/A | APOGEE PXC Compact (P2 Ethernet) toutes versions | ||
| Siemens | N/A | SIMATIC WinCC V7.5 toutes versions antérieures à V7.5 SP2 Update 5 | ||
| Siemens | N/A | SIMATIC WinCC OA V3.17 toutes versions | ||
| Siemens | N/A | Climatix POL909 (AWM module) toutes versions antérieures à V11.34 | ||
| Siemens | N/A | SCALANCE W1750D toutes versions antérieures à V8.7.1.3 | ||
| Siemens | N/A | SIMATIC PCS 7 V9.0 toutes versions | ||
| Siemens | N/A | Siveillance Video DLNA Server 2021 R1 | ||
| Siemens | N/A | SIMATIC PCS 7 V9.1 toutes versions | ||
| Siemens | N/A | Mendix Applications using Mendix 7 toutes versions antérieures à V7.23.26 | ||
| Siemens | N/A | SIMATIC WinCC V7.4 toutes versions | ||
| Siemens | N/A | APOGEE PXC Modular (BACnet) toutes versions | ||
| Siemens | N/A | Nucleus Source Code versions incluant les modules DNS | ||
| Siemens | N/A | SIMATIC WinCC V16 toutes versions | ||
| Siemens | N/A | SIMATIC Information Server toutes versions >= V2019 SP1 | ||
| Siemens | N/A | SICAM 230 toutes versions | ||
| Siemens | N/A | Nucleus ReadyStart V4 toutes versions antérieures à V4.1.1 | ||
| Siemens | N/A | Mendix Applications using Mendix 8 toutes versions antérieures à V8.18.13 | ||
| Siemens | N/A | APOGEE PXC Modular (P2 Ethernet) toutes versions | ||
| Siemens | N/A | Nucleus ReadyStart V3 toutes versions antérieures à V2017.02.4 | ||
| Siemens | N/A | SIMATIC RTLS Locating Manager toutes versions antérieures à V2.12 | ||
| Siemens | N/A | Siveillance Video DLNA Server 2020 R1, 2020 R2, 2020 R3 | ||
| Siemens | N/A | Capital VSTAR toutes versions | ||
| Siemens | N/A | Siveillance Video DLNA Server 2019 R1, 2019 R2, 2019 R3 | ||
| Siemens | N/A | Nucleus ReadyStart V3 toutes versions antérieures à V2013.08 | ||
| Siemens | N/A | APOGEE MEC (PPC) (P2 Ethernet) toutes versions | ||
| Siemens | N/A | PSS(R)ODMS V12 toutes versions antérieures à V12.2.6.1 | ||
| Siemens | N/A | Nucleus ReadyStart V3 toutes versions antérieures à V2012.12 | ||
| Siemens | N/A | SENTRON powermanager V3 toutes versions | ||
| Siemens | N/A | APOGEE PXC Compact (BACnet) toutes versions | ||
| Siemens | N/A | TALON TC Compact (BACnet) toutes versions | ||
| Siemens | N/A | NX 1980 Series toutes versions antérieures à V1988 | ||
| Siemens | N/A | PSS(R)E V34 toutes versions antérieures à V34.9.1 | ||
| Siemens | N/A | APOGEE MBC (PPC) (P2 Ethernet) toutes versions | ||
| Siemens | N/A | NX 1953 Series toutes versions antérieures à V1973.3700 | ||
| Siemens | N/A | APOGEE MBC (PPC) (BACnet) toutes versions | ||
| Siemens | N/A | PSS(R)E V35 toutes versions antérieures à V35.3.2 | ||
| Siemens | N/A | SIMATIC PCS 7 V8.2 toutes versions | ||
| Siemens | N/A | TALON TC Modular (BACnet) toutes versions |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Capital VSTAR versions incluant les modules DNS",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus Source Code toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Applications using Mendix 9 toutes versions ant\u00e9rieures \u00e0 V9.6.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus NET toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V15 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V17 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA V3.18 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "NX 1980 Series toutes versions ant\u00e9rieures \u00e0 V1984",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MEC (PPC) (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Compact (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.5 toutes versions ant\u00e9rieures \u00e0 V7.5 SP2 Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA V3.17 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Climatix POL909 (AWM module) toutes versions ant\u00e9rieures \u00e0 V11.34",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE W1750D toutes versions ant\u00e9rieures \u00e0 V8.7.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V9.0 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Siveillance Video DLNA Server 2021 R1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V9.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Applications using Mendix 7 toutes versions ant\u00e9rieures \u00e0 V7.23.26",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.4 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Modular (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus Source Code versions incluant les modules DNS",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V16 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Information Server toutes versions \u003e= V2019 SP1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM 230 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V4 toutes versions ant\u00e9rieures \u00e0 V4.1.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Applications using Mendix 8 toutes versions ant\u00e9rieures \u00e0 V8.18.13",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Modular (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V3 toutes versions ant\u00e9rieures \u00e0 V2017.02.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RTLS Locating Manager toutes versions ant\u00e9rieures \u00e0 V2.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Siveillance Video DLNA Server 2020 R1, 2020 R2, 2020 R3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Capital VSTAR toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Siveillance Video DLNA Server 2019 R1, 2019 R2, 2019 R3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V3 toutes versions ant\u00e9rieures \u00e0 V2013.08",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MEC (PPC) (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PSS(R)ODMS V12 toutes versions ant\u00e9rieures \u00e0 V12.2.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Nucleus ReadyStart V3 toutes versions ant\u00e9rieures \u00e0 V2012.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SENTRON powermanager V3 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Compact (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TALON TC Compact (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "NX 1980 Series toutes versions ant\u00e9rieures \u00e0 V1988",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PSS(R)E V34 toutes versions ant\u00e9rieures \u00e0 V34.9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MBC (PPC) (P2 Ethernet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "NX 1953 Series toutes versions ant\u00e9rieures \u00e0 V1973.3700",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE MBC (PPC) (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PSS(R)E V35 toutes versions ant\u00e9rieures \u00e0 V35.3.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V8.2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TALON TC Modular (BACnet) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-27009",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27009"
},
{
"name": "CVE-2021-31881",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31881"
},
{
"name": "CVE-2020-28388",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28388"
},
{
"name": "CVE-2021-42026",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42026"
},
{
"name": "CVE-2021-37734",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37734"
},
{
"name": "CVE-2021-42025",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42025"
},
{
"name": "CVE-2021-37732",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37732"
},
{
"name": "CVE-2021-31888",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31888"
},
{
"name": "CVE-2020-27736",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27736"
},
{
"name": "CVE-2021-31885",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31885"
},
{
"name": "CVE-2021-31887",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31887"
},
{
"name": "CVE-2020-10053",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10053"
},
{
"name": "CVE-2021-37735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37735"
},
{
"name": "CVE-2021-41533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41533"
},
{
"name": "CVE-2021-25663",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25663"
},
{
"name": "CVE-2021-31884",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31884"
},
{
"name": "CVE-2021-42015",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42015"
},
{
"name": "CVE-2021-40366",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40366"
},
{
"name": "CVE-2020-15795",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15795"
},
{
"name": "CVE-2021-31882",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31882"
},
{
"name": "CVE-2021-25664",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25664"
},
{
"name": "CVE-2021-41057",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41057"
},
{
"name": "CVE-2021-37207",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37207"
},
{
"name": "CVE-2021-40358",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40358"
},
{
"name": "CVE-2020-10052",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10052"
},
{
"name": "CVE-2021-37726",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37726"
},
{
"name": "CVE-2020-10054",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10054"
},
{
"name": "CVE-2021-41535",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41535"
},
{
"name": "CVE-2021-37727",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37727"
},
{
"name": "CVE-2021-27393",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27393"
},
{
"name": "CVE-2021-31346",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31346"
},
{
"name": "CVE-2021-40364",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40364"
},
{
"name": "CVE-2020-27738",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27738"
},
{
"name": "CVE-2021-31889",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31889"
},
{
"name": "CVE-2021-42021",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42021"
},
{
"name": "CVE-2021-31883",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31883"
},
{
"name": "CVE-2021-41538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41538"
},
{
"name": "CVE-2021-40359",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40359"
},
{
"name": "CVE-2021-31886",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31886"
},
{
"name": "CVE-2021-41534",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41534"
},
{
"name": "CVE-2021-31890",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31890"
},
{
"name": "CVE-2021-37730",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37730"
},
{
"name": "CVE-2021-31345",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31345"
},
{
"name": "CVE-2020-27737",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27737"
},
{
"name": "CVE-2021-31344",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31344"
},
{
"name": "CVE-2021-25677",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25677"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-854",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-11-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-248289 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-248289.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-703715 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-840188 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-362164 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-362164.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-044112 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-328042 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-328042.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-917476 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-917476.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-114589 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-201384 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-201384.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-537983 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-537983.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-779699 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-580693 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-185699 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-185699.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-740908 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740908.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-145157 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-338732 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-755517 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-705111 du 9 novembre 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-705111.pdf"
}
]
}
FKIE_CVE-2021-41057
Vulnerability from fkie_nvd - Published: 2021-11-14 21:15 - Updated: 2024-11-21 06:25
Severity ?
Summary
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf | Mitigation, Vendor Advisory | |
| cve@mitre.org | https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf | Third Party Advisory | |
| cve@mitre.org | https://www.wibu.com/us/support/security-advisories.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wibu.com/us/support/security-advisories.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wibu | codemeter_runtime | * | |
| microsoft | windows | - | |
| siemens | pss_cape | 14 | |
| siemens | pss_e | * | |
| siemens | pss_e | * | |
| siemens | pss_odms | * | |
| siemens | sicam_230 | * | |
| siemens | simatic_information_server | * | |
| siemens | simatic_information_server | 2019 | |
| siemens | simatic_information_server | 2019 | |
| siemens | simatic_pcs_neo | * | |
| siemens | simatic_process_historian | * | |
| siemens | simatic_wincc_oa | * | |
| siemens | simit | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C8B1884B-18F5-4B92-B83F-C756725FDAB9",
"versionEndExcluding": "7.30a",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:siemens:pss_cape:14:*:*:*:*:*:*:*",
"matchCriteriaId": "76414178-E1E6-40A5-9DD2-FBAD698624C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E01D2F88-8820-49E6-8865-3E20AB63289E",
"versionEndExcluding": "34.9.1",
"versionStartIncluding": "34.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F42F3EBF-41A9-4F3B-BEED-2954B350E0FA",
"versionEndExcluding": "35.3.2",
"versionStartIncluding": "35.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:pss_odms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8707B418-2D99-4303-8102-316081B722D4",
"versionEndExcluding": "12.2.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:sicam_230:*:*:*:*:*:*:*:*",
"matchCriteriaId": "312E7EA5-61A8-4439-A9E0-87522E8DD141",
"versionEndExcluding": "8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simatic_information_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FD2B7BE-73CA-4974-A61C-3E97FE5A2F7F",
"versionEndExcluding": "2019",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simatic_information_server:2019:-:*:*:*:*:*:*",
"matchCriteriaId": "4FA3A37A-6A43-42E1-80BF-7FF346D2F253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simatic_information_server:2019:sp1:*:*:*:*:*:*",
"matchCriteriaId": "4BB95C8C-188D-430F-9D59-7F5E1832A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D61D4B81-7F51-49BE-83DD-D2C28D23B0EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simatic_process_historian:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A9C8C40-ABBD-496C-BF0B-24098B96D029",
"versionEndIncluding": "2019",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simatic_wincc_oa:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52504DDF-990A-419B-BEAF-E02B4403BBBA",
"versionEndIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:simit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE96110F-4874-42C5-A891-FD9022FE7803",
"versionEndIncluding": "10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions."
},
{
"lang": "es",
"value": "En WIBU CodeMeter Runtime versiones anteriores a 7.30a, la creaci\u00f3n de un enlace simb\u00f3lico CmDongles dise\u00f1ado sobrescribir\u00e1 el archivo enlazado sin comprobar los permisos"
}
],
"id": "CVE-2021-41057",
"lastModified": "2024-11-21T06:25:21.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-14T21:15:07.797",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.wibu.com/us/support/security-advisories.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.wibu.com/us/support/security-advisories.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
ICSA-21-350-03
Vulnerability from csaf_cisa - Published: 2021-12-16 00:00 - Updated: 2021-12-16 00:00Summary
Wibu-Systems CodeMeter Runtime
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of this vulnerability could allow an attacker to crash the CodeMeter Runtime Server, which could cause a denial-of-service condition.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.
{
"document": {
"acknowledgments": [
{
"names": [
"Jok\u016bbas Arsoba"
],
"summary": "reporting this vulnerability to Wibu-Systems"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of this vulnerability could allow an attacker to crash the CodeMeter Runtime Server, which could cause a denial-of-service condition.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Multiple",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-21-350-03 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-350-03.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-21-350-03 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-350-03"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Wibu-Systems CodeMeter Runtime",
"tracking": {
"current_release_date": "2021-12-16T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-21-350-03",
"initial_release_date": "2021-12-16T00:00:00.000000Z",
"revision_history": [
{
"date": "2021-12-16T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-21-350-03 Wibu-Systems CodeMeter Runtime"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 7.30a",
"product": {
"name": "CodeMeter Runtime: All versions prior to Version 7.30a",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "CodeMeter Runtime"
}
],
"category": "vendor",
"name": "Wibu-Systems AG"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41057",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"notes": [
{
"category": "summary",
"text": "A local attacker using the Microsoft Windows OS could cause CodeMeter Runtime to improperly control file access permissions by setting up a link to a special system file used with CmDongles. This could result in overwriting of essential files or a crash of the CodeMeter Runtime Server.CVE-2021-41057 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41057"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Wibu-Systems recommends the following:",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.wibu.com/support/security-advisories.html"
},
{
"category": "vendor_fix",
"details": "The following measures are recommended to reduce the risk until the fixed version can be installed. Please be aware not all mitigations apply to every possible product configuration, so please check which of these could be relevant or applicable.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.wibu.com/support/security-advisories.html"
},
{
"category": "vendor_fix",
"details": "General security best practices can help protect systems from local and network attacks.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.wibu.com/support/security-advisories.html"
},
{
"category": "vendor_fix",
"details": "For more information on products dependent on the affected CodeMeter see the following vendor security advisories:",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.wibu.com/support/security-advisories.html"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
GHSA-VM84-HXMH-36RV
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI?
Details
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.
{
"affected": [],
"aliases": [
"CVE-2021-41057"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-14T21:15:00Z",
"severity": "HIGH"
},
"details": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
"id": "GHSA-vm84-hxmh-36rv",
"modified": "2022-05-24T19:20:39Z",
"published": "2022-05-24T19:20:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41057"
},
{
"type": "WEB",
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"type": "WEB",
"url": "https://www.wibu.com/us/support/security-advisories.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
CVE-2021-41057
Vulnerability from csaf_endresshauserag - Published: 2022-06-02 15:11 - Updated: 2022-06-02 15:11Summary
Endress+Hauser: Multiple products utilizing vulnerable WIBU-SYSTEMS CodeMeter components
Notes
Summary
For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.
Mitigation
All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version >=7.40b.
The version is available at https://www.wibu.com/support.
For the Operating System WIN 7 it's recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version >= 7.40b.
Remediation
Update the software application of the affected products:
| # | Product Name | Fixed Version |
|----------------------------------|-----------------------------------------------|-------------------|
| SCE30B | | |
| SCE31B | SupplyCare Enterprise | >= 3.5.1 |
| SCE32B | | |
| SFE100 | DeviceCare | >= 1.07.07 |
| SFE500 | FieldCare | >= 2.17.00 |
| SMT50 | | |
| SMT70 | Field Xpert | >= 1.06.00 |
| SMT77 | | |
| MS20 | | |
| MS21 | Field Data Manager | >= 1.6.3 |
| Freeware for the | | |
| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | > V1.3.7926 |
| via Endress+Hauser Download Portal | | |
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"title": "Summary"
},
{
"category": "description",
"text": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@endress.com",
"name": "Endress+Hauser AG",
"namespace": "https://www.endress.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2022-019: Endress+Hauser: Multiple products utilizing vulnerable WIBU-SYSTEMS CodeMeter components - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-019/"
},
{
"category": "self",
"summary": "VDE-2022-019: Endress+Hauser: Multiple products utilizing vulnerable WIBU-SYSTEMS CodeMeter components - CSAF",
"url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-019.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.endress.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Endress+Hauser AG",
"url": "https://certvde.com/en/advisories/vendor/endress-hauser/"
}
],
"title": "Endress+Hauser: Multiple products utilizing vulnerable WIBU-SYSTEMS CodeMeter components",
"tracking": {
"aliases": [
"VDE-2022-019"
],
"current_release_date": "2022-06-02T15:11:00.000Z",
"generator": {
"date": "2025-06-23T09:40:56.803Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.28"
}
},
"id": "VDE-2022-019",
"initial_release_date": "2022-06-02T15:11:00.000Z",
"revision_history": [
{
"date": "2022-06-02T15:11:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "1.02.xx\u003c=1.07.06",
"product": {
"name": "DeviceCare 1.02.xx\u003c=1.07.06",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"SFE100"
]
}
}
},
{
"category": "product_version",
"name": "1.07.07",
"product": {
"name": "DeviceCare 1.07.07",
"product_id": "CSAFPID-52001",
"product_identification_helper": {
"model_numbers": [
"SFE100"
]
}
}
}
],
"category": "product_name",
"name": "DeviceCare"
},
{
"branches": [
{
"category": "product_version_range",
"name": "2.15.xx\u003c=2.16.xx",
"product": {
"name": "FieldCare 2.15.xx\u003c=2.16.xx",
"product_id": "CSAFPID-51002",
"product_identification_helper": {
"model_numbers": [
"SFE500"
]
}
}
},
{
"category": "product_version",
"name": "2.17.00",
"product": {
"name": "FieldCare 2.17.00",
"product_id": "CSAFPID-52002",
"product_identification_helper": {
"model_numbers": [
"SFE500"
]
}
}
}
],
"category": "product_name",
"name": "FieldCare"
},
{
"branches": [
{
"category": "product_version_range",
"name": "1.4.0\u003c=1.6.2",
"product": {
"name": "Field Data Manager 1.4.0\u003c=1.6.2",
"product_id": "CSAFPID-51003",
"product_identification_helper": {
"model_numbers": [
"MS21"
]
}
}
},
{
"category": "product_version",
"name": "1.6.3",
"product": {
"name": "Field Data Manager 1.6.3",
"product_id": "CSAFPID-52003",
"product_identification_helper": {
"model_numbers": [
"MS21"
]
}
}
}
],
"category": "product_name",
"name": "Field Data Manager"
},
{
"branches": [
{
"category": "product_version_range",
"name": "1.03.xx\u003c=1.05.xx",
"product": {
"name": "Field Xpert 1.03.xx\u003c=1.05.xx",
"product_id": "CSAFPID-51004",
"product_identification_helper": {
"model_numbers": [
"SMT50"
]
}
}
},
{
"category": "product_version",
"name": "1.06.00",
"product": {
"name": "Field Xpert 1.06.00",
"product_id": "CSAFPID-52004",
"product_identification_helper": {
"model_numbers": [
"SMT50"
]
}
}
}
],
"category": "product_name",
"name": "Field Xpert"
},
{
"branches": [
{
"category": "product_version",
"name": "V1.3.7926",
"product": {
"name": "Proline Promag W 800 OPC/UA Connectivity Server V1.3.7926",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "Proline Promag W 800 OPC/UA Connectivity Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "3.0.x\u003c=3.4.x",
"product": {
"name": "SupplyCare Enterprise 3.0.x\u003c=3.4.x",
"product_id": "CSAFPID-51006",
"product_identification_helper": {
"model_numbers": [
"SCE31B"
]
}
}
},
{
"category": "product_version",
"name": "3.5.1",
"product": {
"name": "SupplyCare Enterprise 3.5.1",
"product_id": "CSAFPID-52005",
"product_identification_helper": {
"model_numbers": [
"SCE31B"
]
}
}
}
],
"category": "product_name",
"name": "SupplyCare Enterprise"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Endress+Hauser"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"summary": "Fixed products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-22901",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-22901"
},
{
"cve": "CVE-2021-41183",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "description",
"text": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.1,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-41183"
},
{
"cve": "CVE-2021-41182",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "description",
"text": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.1,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-41182"
},
{
"cve": "CVE-2020-8286",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "description",
"text": "curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2020-8286"
},
{
"cve": "CVE-2021-41184",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "description",
"text": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.1,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-41184"
},
{
"cve": "CVE-2021-20093",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions \u003c 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-20093"
},
{
"cve": "CVE-2021-41057",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"notes": [
{
"category": "description",
"text": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-41057"
},
{
"cve": "CVE-2021-20094",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability exists in Wibu-Systems CodeMeter versions \u003c 7.21a. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "All vulnerabilities have already been fixed in several CodeMeter versions. Endress+Hauser recommends to use CodeMeter version \u003e=7.40b.\nThe version is available at https://www.wibu.com/support.\nFor the Operating System WIN 7 it\u0027s recommended to update the operating system, use/re-install the Endress+Hauser Software Application supporting the newer operating system and update Code Meter to version \u003e= 7.40b.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update the software application of the affected products:\n\n| # | Product Name | Fixed Version |\n|----------------------------------|-----------------------------------------------|-------------------|\n| SCE30B | | |\n| SCE31B | SupplyCare Enterprise | \u003e= 3.5.1 |\n| SCE32B | | |\n| SFE100 | DeviceCare | \u003e= 1.07.07 |\n| SFE500 | FieldCare | \u003e= 2.17.00 |\n| SMT50 | | |\n| SMT70 | Field Xpert | \u003e= 1.06.00 |\n| SMT77 | | |\n| MS20 | | |\n| MS21 | Field Data Manager | \u003e= 1.6.3 |\n| Freeware for the | | |\n| Proline Promag W 800/5W8C | Proline Promag W 800 OPC/UA Connectivity Server | \u003e V1.3.7926 |\n| via Endress+Hauser Download Portal | | |",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2021-20094"
}
]
}
CVE-2021-41057
Vulnerability from csaf_festosecokg - Published: 2022-12-13 11:50 - Updated: 2025-10-01 10:50Summary
Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products
Notes
Summary
A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime. WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products.FluidDraw < 6.2c and CIROS <= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.
Remediation
### FluidDraw P5, FluidDraw P6
Avoid any FluidDraw installation with a FluidDraw installation package below version 6.2c.
Updated versions of FluidDraw are available on the Festo website.
In case of a FluidDraw installation package with a version below 6.2c:
- **Do not use** the WIBU CodeMeter package that is part of the FluidDraw installation package.
- Skip the CodeMeter installation step during the FluidDraw installation.
- Instead, use a current CodeMeter version from the WIBU website and install it separately.
- In case of an already installed vulnerable CodeMeter version, update all these WIBU CodeMeter installations with the current version of WIBU CodeMeter.
> Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.
---
### CIROS
For future installations:
- Use a CIROS installer downloaded from [https://ip.festo-didactic.com/](https://ip.festo-didactic.com/)
- Make sure it is downloaded **after September 15, 2022**
For existing installations:
- Update the WIBU CodeMeter Runtime separately to at least **version 7.30a** (downloaded from the WIBU Systems website).
- Refer to the WIBU CodeMeter documentation and website for further details and mitigations.
---
## MES PC
If your copy of MES4 came preinstalled on a PC shipped **before December 2022**:
- Ensure the PC has at least **CodeMeter Runtime 7.30a** installed.
- If necessary, download the update from the WIBU Systems website.
---
### Additional to the above
Festo strongly recommends:
- Restricting **unprivileged access** to machines running Festo software.
- Minimizing and protecting **network access** to connected devices using state-of-the-art techniques and processes.
> For secure operation, follow the recommendations in the product manuals.
Disclaimer
Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\n\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\n\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination and support with this publication",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "A vulnerability\u00a0was\u00a0reported in WIBU-SYSTEMS CodeMeter Runtime. WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products.FluidDraw \u003c 6.2c and CIROS \u003c= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.",
"title": "Summary"
},
{
"category": "description",
"text": "### FluidDraw P5, FluidDraw P6\n\nAvoid any FluidDraw installation with a FluidDraw installation package below version 6.2c. \nUpdated versions of FluidDraw are available on the Festo website.\n\nIn case of a FluidDraw installation package with a version below 6.2c:\n\n- **Do not use** the WIBU CodeMeter package that is part of the FluidDraw installation package.\n- Skip the CodeMeter installation step during the FluidDraw installation.\n- Instead, use a current CodeMeter version from the WIBU website and install it separately.\n- In case of an already installed vulnerable CodeMeter version, update all these WIBU CodeMeter installations with the current version of WIBU CodeMeter.\n\n\u003e Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.\n\n---\n\n### CIROS\n\nFor future installations:\n\n- Use a CIROS installer downloaded from [https://ip.festo-didactic.com/](https://ip.festo-didactic.com/) \n- Make sure it is downloaded **after September 15, 2022**\n\nFor existing installations:\n\n- Update the WIBU CodeMeter Runtime separately to at least **version 7.30a** (downloaded from the WIBU Systems website).\n- Refer to the WIBU CodeMeter documentation and website for further details and mitigations.\n\n---\n\n## MES PC\n\nIf your copy of MES4 came preinstalled on a PC shipped **before December 2022**:\n\n- Ensure the PC has at least **CodeMeter Runtime 7.30a** installed.\n- If necessary, download the update from the WIBU Systems website.\n\n---\n\n### Additional to the above\n\nFesto strongly recommends:\n\n- Restricting **unprivileged access** to machines running Festo software.\n- Minimizing and protecting **network access** to connected devices using state-of-the-art techniques and processes.\n\n\u003e For secure operation, follow the recommendations in the product manuals.",
"title": "Remediation"
},
{
"category": "legal_disclaimer",
"text": "Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\\n\\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\\n\\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@festo.com",
"name": "Festo SE \u0026 Co. KG",
"namespace": "https://festo.com"
},
"references": [
{
"category": "self",
"summary": "FSA-202206: Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-038/"
},
{
"category": "self",
"summary": "FSA-202206: Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products - CSAF",
"url": "https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2022/fsa-202206.json"
},
{
"category": "external",
"summary": "For further security-related issues in Festo products please contact the Festo Product Security Incident Response Team (PSIRT)",
"url": "https://festo.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories",
"url": "https://certvde.com/en/advisories/vendor/festo/"
},
{
"category": "external",
"summary": "WIBU Systems Security Advisory WIBU-210910-01",
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
},
{
"category": "external",
"summary": "CVE-2021-41057",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41057"
}
],
"title": "Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products",
"tracking": {
"aliases": [
"VDE-2022-038"
],
"current_release_date": "2025-10-01T10:50:00.000Z",
"generator": {
"date": "2025-10-02T08:24:43.077Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.36"
}
},
"id": "FSA-202206",
"initial_release_date": "2022-12-13T11:50:00.000Z",
"revision_history": [
{
"date": "2022-12-13T11:50:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
},
{
"date": "2024-01-11T10:00:00.000Z",
"legacy_version": "1.01",
"number": "1.0.1",
"summary": "Adjust link to VDE Advisory"
},
{
"date": "2025-10-01T10:50:00.000Z",
"number": "1.0.2",
"summary": "Adjusted to VDE template. Changed title from \"Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple Festo products\" to \"Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products\"."
}
],
"status": "final",
"version": "1.0.2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=6.4.6(before 2022-09-15)",
"product": {
"name": "CIROS \u003c=6.4.6 (before 2022-09-15)",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"8038980"
],
"x_generic_uris": [
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8038980"
}
]
}
}
},
{
"category": "product_version_range",
"name": "\u003c=7.0.6(before 2022-09-15)",
"product": {
"name": "CIROS \u003c=7.0.6 (before 2022-09-15)",
"product_id": "CSAFPID-51002",
"product_identification_helper": {
"model_numbers": [
"8140772",
"8140773"
],
"x_generic_uris": [
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8140772"
},
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8140773"
}
]
}
}
}
],
"category": "product_name",
"name": "CIROS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "FluidDraw P5 vers:all/*",
"product_id": "CSAFPID-51003"
}
}
],
"category": "product_name",
"name": "FluidDraw P5"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.2c",
"product": {
"name": "FluidDraw P6 \u003c6.2c",
"product_id": "CSAFPID-51004"
}
}
],
"category": "product_name",
"name": "FluidDraw P6"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "MES PC vers:all/*",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "MES PC"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Festo"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005"
],
"summary": "Affected products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41057",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"notes": [
{
"category": "description",
"text": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "FluidDraw P5, FluidDraw P6\nAvoid any FluidDraw installation with a FluidDraw installation package below version 6.2c. Updated versions of FluidDraw are available on the Festo website.\nIn case of a FluidDraw installation package with a version below 6.2c, do not use the WIBU CodeMeter package, that is part of the FluidDraw installation package. Skip the CodeMeter installation step during the FluidDraw installation and instead use a current CodeMeter version from the WIBU website and install that separately. In case of an already installed vulnerable CodeMeter version, update all of these WIBU CodeMeter installations with the current version of WIBU CodeMeter.\nPlease refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.\n\n\n\n\nCIROS\nFor future installations, ensure you\u0027re using a CIROS installer downloaded from https://ip.festo-didactic.com/ Infoportal/CIROS/EN/Download.html after September 15, 2022. For existing installations, update the WIBU CodeMeter Runtime separately with at least version 7.30a downloaded from the WIBU Systems website. Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.\nMES PC\nIf your copy of MES4 came preinstalled on a PC shipped before December 2022, you\u0027ll need to make sure this PC has at least CodeMeter Runtime 7.30a installed. If necessary, download the update from the WIBU Systems website.\nAdditional to the above:\n\n\n\n\n\n\n\n\nFesto strongly recommends to restrict unprivileged access to machines running Festo software and to minimize and protect network access to connected devices with state of the art techniques and processes. \nFor a secure operation follow the recommendations in the product manuals.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005"
]
}
],
"title": "CVE-2021-41057"
}
]
}
GSD-2021-41057
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-41057",
"description": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
"id": "GSD-2021-41057"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-41057"
],
"details": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
"id": "GSD-2021-41057",
"modified": "2023-12-13T01:23:27.226564Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41057",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wibu.com/us/support/security-advisories.html",
"refsource": "MISC",
"url": "https://www.wibu.com/us/support/security-advisories.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"name": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf",
"refsource": "CONFIRM",
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.30a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_cape:14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "34.9.1",
"versionStartIncluding": "34.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "35.3.2",
"versionStartIncluding": "35.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_odms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.2.6.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:sicam_230:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_information_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2019",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_information_server:2019:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_information_server:2019:sp1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_process_historian:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2019",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc_oa:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simit:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41057"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"name": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf",
"refsource": "CONFIRM",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf"
},
{
"name": "https://www.wibu.com/us/support/security-advisories.html",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.wibu.com/us/support/security-advisories.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2
}
},
"lastModifiedDate": "2021-11-17T18:49Z",
"publishedDate": "2021-11-14T21:15Z"
}
}
}
VAR-202111-0784
Vulnerability from variot - Updated: 2023-12-18 12:16In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202111-0784",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "pss odms",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "12.2.6.1"
},
{
"model": "pss e",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "35.0.0"
},
{
"model": "sicam 230",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "8.0"
},
{
"model": "simatic pcs neo",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic information server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "2019"
},
{
"model": "simatic information server",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "2019"
},
{
"model": "pss cape",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "14"
},
{
"model": "codemeter runtime",
"scope": "lt",
"trust": 1.0,
"vendor": "wibu",
"version": "7.30a"
},
{
"model": "pss e",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "35.3.2"
},
{
"model": "pss e",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "34.0.0"
},
{
"model": "simatic process historian",
"scope": "lte",
"trust": 1.0,
"vendor": "siemens",
"version": "2019"
},
{
"model": "simatic wincc oa",
"scope": "lte",
"trust": 1.0,
"vendor": "siemens",
"version": "3.18"
},
{
"model": "pss e",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "34.9.1"
},
{
"model": "simit",
"scope": "lte",
"trust": 1.0,
"vendor": "siemens",
"version": "10.0"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41057"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:wibu:codemeter_runtime:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.30a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_cape:14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "34.9.1",
"versionStartIncluding": "34.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_e:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "35.3.2",
"versionStartIncluding": "35.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:pss_odms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.2.6.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:sicam_230:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_information_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2019",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_information_server:2019:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_information_server:2019:sp1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_process_historian:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2019",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc_oa:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:simit:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41057"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jok\u016bbas Arsoba reported this vulnerability to Wibu-Systems.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
],
"trust": 0.6
},
"cve": "CVE-2021-41057",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 3.6,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 3.6,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "VHN-402322",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:N/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-41057",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202111-772",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-402322",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402322"
},
{
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"db": "VULHUB",
"id": "VHN-402322"
}
],
"trust": 0.99
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-41057",
"trust": 1.7
},
{
"db": "SIEMENS",
"id": "SSA-580693",
"trust": 1.7
},
{
"db": "AUSCERT",
"id": "ESB-2021.4286",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010503",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-21-350-03",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202111-772",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-402322",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402322"
},
{
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"id": "VAR-202111-0784",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-402322"
}
],
"trust": 0.639684002
},
"last_update_date": "2023-12-18T12:16:10.701000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CodeMeter Post-link vulnerability fixes",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=170234"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-59",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402322"
},
{
"db": "NVD",
"id": "CVE-2021-41057"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/advisory_wibu-210910-01.pdf"
},
{
"trust": 1.7,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf"
},
{
"trust": 1.7,
"url": "https://www.wibu.com/us/support/security-advisories.html"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41057"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4286"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/simatic-denial-of-service-via-wibu-systems-codemeter-runtime-36834"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-350-03"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010503"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402322"
},
{
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-402322"
},
{
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-14T00:00:00",
"db": "VULHUB",
"id": "VHN-402322"
},
{
"date": "2021-11-14T21:15:07.797000",
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"date": "2021-11-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-17T00:00:00",
"db": "VULHUB",
"id": "VHN-402322"
},
{
"date": "2021-11-17T18:49:11.867000",
"db": "NVD",
"id": "CVE-2021-41057"
},
{
"date": "2022-01-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "CodeMeter Post link vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "post link",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-772"
}
],
"trust": 0.6
}
}
CVE-2021-41057
Vulnerability from csaf_wagogmbhcokg - Published: 2022-01-31 13:00 - Updated: 2025-05-22 13:03Summary
WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro
Notes
Summary
A vulnerability is reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles are affected with vulnerable versions of WIBU-SYSTEMS Codemeter.
Impact
WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, due to compatibility reasons to the CODESYS Group CODESYS store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.
Mitigation
- Use general security best practices to protect systems from local and network attacks.
- Disable the container type 'Mass Storage' in CodeMeter via the Windows Registry.
Remediation
We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.
WAGO will provide updated e!COCKPIT setup routines (Version 1.11) with the latest WIBU- SYSTEMS Codemeter version in Q2/2022.
Additionally WAGO will provide a security patch for e!COCKPIT Version 1.10 in February 2022.
WAGO will provide updated WAGO-I/O-Pro (CODESYS 2.3) (Version 2.3.9.68) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q1/2022.
For further details on risk mitigation and impact of this vulnerability, please refer to the official WIBU-SYSTEMS Advisory WIBU-210910-01 at Website https://www.wibu.com/support/security-advisories.html external link.
Further details on the corresponding CVEs can be obtained here:
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf external link
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A vulnerability is reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles are affected with vulnerable versions of WIBU-SYSTEMS Codemeter.",
"title": "Summary"
},
{
"category": "description",
"text": "WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, due to compatibility reasons to the CODESYS Group CODESYS store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.",
"title": "Impact"
},
{
"category": "description",
"text": "- Use general security best practices to protect systems from local and network attacks.\n- Disable the container type \u0027Mass Storage\u0027 in CodeMeter via the Windows Registry.",
"title": "Mitigation"
},
{
"category": "description",
"text": "We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.\n\nWAGO will provide updated e!COCKPIT setup routines (Version 1.11) with the latest WIBU- SYSTEMS Codemeter version in Q2/2022.\n\nAdditionally WAGO will provide a security patch for e!COCKPIT Version 1.10 in February 2022.\nWAGO will provide updated WAGO-I/O-Pro (CODESYS 2.3) (Version 2.3.9.68) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q1/2022.\n\nFor further details on risk mitigation and impact of this vulnerability, please refer to the official WIBU-SYSTEMS Advisory WIBU-210910-01 at Website https://www.wibu.com/support/security-advisories.html external link.\n\nFurther details on the corresponding CVEs can be obtained here:\nhttps://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf external link",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2022-002: WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-002/"
},
{
"category": "self",
"summary": "VDE-2022-002: WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-002.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.wago.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/wago/"
}
],
"title": "WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro",
"tracking": {
"aliases": [
"VDE-2022-002"
],
"current_release_date": "2025-05-22T13:03:10.000Z",
"generator": {
"date": "2025-04-28T08:43:49.504Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.24"
}
},
"id": "VDE-2022-002",
"initial_release_date": "2022-01-31T13:00:00.000Z",
"revision_history": [
{
"date": "2022-01-31T13:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-22T13:03:10.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV1.11",
"product": {
"name": "WAGO e!COCKPIT engineering software installation bundle \u003cV1.11",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "V1.11",
"product": {
"name": "WAGO e!COCKPIT engineering software installation bundle V1.11",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "WAGO e!COCKPIT engineering software installation bundle"
},
{
"branches": [
{
"category": "product_version",
"name": "2.3.9.53",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.53",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version",
"name": "2.3.9.68",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.68",
"product_id": "CSAFPID-52002"
}
},
{
"category": "product_version",
"name": "2.3.9.55",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.55",
"product_id": "CSAFPID-51003"
}
},
{
"category": "product_version",
"name": "2.3.9.61",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.61",
"product_id": "CSAFPID-51004"
}
},
{
"category": "product_version",
"name": "2.3.9.66",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.66",
"product_id": "CSAFPID-51005"
}
},
{
"category": "product_version",
"name": "2.3.9.46",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.46",
"product_id": "CSAFPID-51006"
}
},
{
"category": "product_version",
"name": "2.3.9.49",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.49",
"product_id": "CSAFPID-51007"
}
},
{
"category": "product_version",
"name": "2.3.9.47",
"product": {
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation 2.3.9.47",
"product_id": "CSAFPID-51008"
}
}
],
"category": "product_name",
"name": "WAGO-I/O-Pro (CODESYS 2.3) engineering software installation"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002"
],
"summary": "Fixed products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41057",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"notes": [
{
"category": "description",
"text": "In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Mitigation\n\nUse general security best practices to protect systems from local and network attacks.\nDisable the container type \u0027Mass Storage\u0027 in CodeMeter via the Windows Registry.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.\nWAGO will provide updated e!COCKPIT setup routines (Version 1.11) with the latest WIBU- SYSTEMS Codemeter version in Q2/2022.\nAdditionally WAGO will provide a security patch for e!COCKPIT Version 1.10 in February 2022.WAGO will provide updated WAGO-I/O-Pro (CODESYS 2.3) (Version 2.3.9.68) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q1/2022.\nFor further details on risk mitigation and impact of this vulnerability, please refer to the official WIBU-SYSTEMS Advisory WIBU-210910-01 at Website https://www.wibu.com/support/security-advisories.html.\nFurther details on the corresponding CVEs can be obtained here:https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008"
]
}
],
"title": "CVE-2021-41057"
}
]
}
CNVD-2021-89426
Vulnerability from cnvd - Published: 2021-11-12
VLAI Severity ?
Title
Siemens产品WIBU Systems CodeMeter Runtime拒绝服务漏洞
Description
PSS(R)CAPE是一个输配电网络保护仿真软件。PSS(R)E i是用于输电运行和规划的电力系统仿真和分析工具。PSS(R)ODMS i是一种传输网络建模和分析工具。SICAM 230是一个可扩展的过程控制系统,适用于广泛的应用,可用于从公用事业公司的集成能源系统到智能电网应用的监控系统。SIMATIC PCS neo是一个分布式控制系统(DCS)。
Siemens产品WIBU Systems CodeMeter Runtime存在拒绝服务漏洞,攻击者可利用漏洞设法建立到CmDongles使用的特殊系统文件的链接,会覆盖系统中的基本文件,从而使CodeMeter运行时服务器(即CodeMeter.exe)崩溃。
Severity
低
Patch Name
Siemens产品WIBU Systems CodeMeter Runtime拒绝服务漏洞的补丁
Patch Description
PSS(R)CAPE是一个输配电网络保护仿真软件。PSS(R)E i是用于输电运行和规划的电力系统仿真和分析工具。PSS(R)ODMS i是一种传输网络建模和分析工具。SICAM 230是一个可扩展的过程控制系统,适用于广泛的应用,可用于从公用事业公司的集成能源系统到智能电网应用的监控系统。SIMATIC PCS neo是一个分布式控制系统(DCS)。
Siemens产品WIBU Systems CodeMeter Runtime存在拒绝服务漏洞,攻击者可利用漏洞设法建立到CmDongles使用的特殊系统文件的链接,会覆盖系统中的基本文件,从而使CodeMeter运行时服务器(即CodeMeter.exe)崩溃。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf
Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf
Impacted products
| Name | ['Siemens SIMATIC PCS neo', 'Siemens PSS(R)CAPE', 'Siemens PSS(R)E V34 < V34.9.1', 'Siemens PSS(R)E V35 < V35.3.2', 'Siemens PSS(R)ODMS V12 < V12.2.6.1', 'Siemens SICAM 230', 'Siemens SIMATIC Information Server >= V2019 SP1', 'Siemens SIMATIC Process Historian (incl. Process Histo- rian OPC UA Server) >= V2019', 'Siemens SIMATIC WinCC OA V3.17', 'Siemens SIMATIC WinCC OA V3.18', 'Siemens SIMIT Simulation Platform >= V10.0'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-41057",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-41057"
}
},
"description": "PSS(R)CAPE\u662f\u4e00\u4e2a\u8f93\u914d\u7535\u7f51\u7edc\u4fdd\u62a4\u4eff\u771f\u8f6f\u4ef6\u3002PSS(R)E i\u662f\u7528\u4e8e\u8f93\u7535\u8fd0\u884c\u548c\u89c4\u5212\u7684\u7535\u529b\u7cfb\u7edf\u4eff\u771f\u548c\u5206\u6790\u5de5\u5177\u3002PSS(R)ODMS i\u662f\u4e00\u79cd\u4f20\u8f93\u7f51\u7edc\u5efa\u6a21\u548c\u5206\u6790\u5de5\u5177\u3002SICAM 230\u662f\u4e00\u4e2a\u53ef\u6269\u5c55\u7684\u8fc7\u7a0b\u63a7\u5236\u7cfb\u7edf\uff0c\u9002\u7528\u4e8e\u5e7f\u6cdb\u7684\u5e94\u7528\uff0c\u53ef\u7528\u4e8e\u4ece\u516c\u7528\u4e8b\u4e1a\u516c\u53f8\u7684\u96c6\u6210\u80fd\u6e90\u7cfb\u7edf\u5230\u667a\u80fd\u7535\u7f51\u5e94\u7528\u7684\u76d1\u63a7\u7cfb\u7edf\u3002SIMATIC PCS neo\u662f\u4e00\u4e2a\u5206\u5e03\u5f0f\u63a7\u5236\u7cfb\u7edf\uff08DCS\uff09\u3002\n\nSiemens\u4ea7\u54c1WIBU Systems CodeMeter Runtime\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u8bbe\u6cd5\u5efa\u7acb\u5230CmDongles\u4f7f\u7528\u7684\u7279\u6b8a\u7cfb\u7edf\u6587\u4ef6\u7684\u94fe\u63a5\uff0c\u4f1a\u8986\u76d6\u7cfb\u7edf\u4e2d\u7684\u57fa\u672c\u6587\u4ef6\uff0c\u4ece\u800c\u4f7fCodeMeter\u8fd0\u884c\u65f6\u670d\u52a1\u5668\uff08\u5373CodeMeter.exe\uff09\u5d29\u6e83\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a \r\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-89426",
"openTime": "2021-11-12",
"patchDescription": "PSS(R)CAPE\u662f\u4e00\u4e2a\u8f93\u914d\u7535\u7f51\u7edc\u4fdd\u62a4\u4eff\u771f\u8f6f\u4ef6\u3002PSS(R)E i\u662f\u7528\u4e8e\u8f93\u7535\u8fd0\u884c\u548c\u89c4\u5212\u7684\u7535\u529b\u7cfb\u7edf\u4eff\u771f\u548c\u5206\u6790\u5de5\u5177\u3002PSS(R)ODMS i\u662f\u4e00\u79cd\u4f20\u8f93\u7f51\u7edc\u5efa\u6a21\u548c\u5206\u6790\u5de5\u5177\u3002SICAM 230\u662f\u4e00\u4e2a\u53ef\u6269\u5c55\u7684\u8fc7\u7a0b\u63a7\u5236\u7cfb\u7edf\uff0c\u9002\u7528\u4e8e\u5e7f\u6cdb\u7684\u5e94\u7528\uff0c\u53ef\u7528\u4e8e\u4ece\u516c\u7528\u4e8b\u4e1a\u516c\u53f8\u7684\u96c6\u6210\u80fd\u6e90\u7cfb\u7edf\u5230\u667a\u80fd\u7535\u7f51\u5e94\u7528\u7684\u76d1\u63a7\u7cfb\u7edf\u3002SIMATIC PCS neo\u662f\u4e00\u4e2a\u5206\u5e03\u5f0f\u63a7\u5236\u7cfb\u7edf\uff08DCS\uff09\u3002\r\n\r\nSiemens\u4ea7\u54c1WIBU Systems CodeMeter Runtime\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u8bbe\u6cd5\u5efa\u7acb\u5230CmDongles\u4f7f\u7528\u7684\u7279\u6b8a\u7cfb\u7edf\u6587\u4ef6\u7684\u94fe\u63a5\uff0c\u4f1a\u8986\u76d6\u7cfb\u7edf\u4e2d\u7684\u57fa\u672c\u6587\u4ef6\uff0c\u4ece\u800c\u4f7fCodeMeter\u8fd0\u884c\u65f6\u670d\u52a1\u5668\uff08\u5373CodeMeter.exe\uff09\u5d29\u6e83\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Siemens\u4ea7\u54c1WIBU Systems CodeMeter Runtime\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Siemens SIMATIC PCS neo",
"Siemens PSS(R)CAPE",
"Siemens PSS(R)E V34 \u003c V34.9.1",
"Siemens PSS(R)E V35 \u003c V35.3.2",
"Siemens PSS(R)ODMS V12 \u003c V12.2.6.1",
"Siemens SICAM 230",
"Siemens SIMATIC Information Server \u003e= V2019 SP1",
"Siemens SIMATIC Process Historian (incl. Process Histo- rian OPC UA Server) \u003e= V2019",
"Siemens SIMATIC WinCC OA V3.17",
"Siemens SIMATIC WinCC OA V3.18",
"Siemens SIMIT Simulation Platform \u003e= V10.0"
]
},
"referenceLink": "https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf",
"serverity": "\u4f4e",
"submitTime": "2021-11-12",
"title": "Siemens\u4ea7\u54c1WIBU Systems CodeMeter Runtime\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}
CVE-2021-41057
Vulnerability from fstec - Published: 04.10.2021
VLAI Severity ?
Title
Уязвимость программного обеспечения контроля лицензий CodeMeter, связанная с недостатками разграничения доступа, позволяющая нарушителю вызвать отказ в обслуживании
Description
Уязвимость программного обеспечения контроля лицензий CodeMeter связана с недостатками разграничения доступа. Эксплуатация уязвимости может позволить нарушителю вызвать отказ в обслуживании
Severity ?
Vendor
ООО «Автоматизация Производств», Wibu-systems AG, Siemens AG
Software Name
SCADA-система APDAR (запись в едином реестре российских программ №29643), CodeMeter Runtime, PSS(R)CAPE, SICAM 230, SIMATIC Information Server, SIMATIC PCS neo, SIMATIC Process Historian, SIMATIC WinCC OA, SIMIT Simulation Platform, PSS(R)E, PSS(R)ODMS
Software Version
1.21.1 (SCADA-система APDAR), 3.17.23 (SCADA-система APDAR), 3.18.6 (SCADA-система APDAR), до 7.30a (CodeMeter Runtime), до 05.10.2021 CAPE 14 (PSS(R)CAPE), - (SICAM 230), от 2019 SP1 до 2020 Update 2 (SIMATIC Information Server), до 3.1 Upd1 (SIMATIC PCS neo), от 2019 до 2020 Update 2 (SIMATIC Process Historian), до 3.17 P015 (SIMATIC WinCC OA), до 3.18 P005 (SIMATIC WinCC OA), от 10.0 до 11.0 (SIMIT Simulation Platform), до 34.9.1 (PSS(R)E), до 35.3.2 (PSS(R)E), до 12.2.6.1 (PSS(R)ODMS)
Possible Mitigations
Использование рекомендаций производителя:
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf
Для продуктов Siemens AG:
https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf
Для SCADA-системы APDAR:
Осуществить переход на версию 3.18.11.03 (пакет расширения 11, пакет исправления 03), исключающую использование WIBU CodeMeter.
Reference
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf
CWE
CWE-269
{
"CVSS 2.0": "AV:L/AC:L/Au:S/C:N/I:C/A:C",
"CVSS 3.0": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0410\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u044f \u041f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0441\u0442\u0432\u00bb, Wibu-systems AG, Siemens AG",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.21.1 (SCADA-\u0441\u0438\u0441\u0442\u0435\u043c\u0430 APDAR), 3.17.23 (SCADA-\u0441\u0438\u0441\u0442\u0435\u043c\u0430 APDAR), 3.18.6 (SCADA-\u0441\u0438\u0441\u0442\u0435\u043c\u0430 APDAR), \u0434\u043e 7.30a (CodeMeter Runtime), \u0434\u043e 05.10.2021 CAPE 14 (PSS(R)CAPE), - (SICAM 230), \u043e\u0442 2019 SP1 \u0434\u043e 2020 Update 2 (SIMATIC Information Server), \u0434\u043e 3.1 Upd1 (SIMATIC PCS neo), \u043e\u0442 2019 \u0434\u043e 2020 Update 2 (SIMATIC Process Historian), \u0434\u043e 3.17 P015 (SIMATIC WinCC OA), \u0434\u043e 3.18 P005 (SIMATIC WinCC OA), \u043e\u0442 10.0 \u0434\u043e 11.0 (SIMIT Simulation Platform), \u0434\u043e 34.9.1 (PSS(R)E), \u0434\u043e 35.3.2 (PSS(R)E), \u0434\u043e 12.2.6.1 (PSS(R)ODMS)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Siemens AG:\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf\n\n\u0414\u043b\u044f SCADA-\u0441\u0438\u0441\u0442\u0435\u043c\u044b APDAR:\n\u041e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c \u043f\u0435\u0440\u0435\u0445\u043e\u0434 \u043d\u0430 \u0432\u0435\u0440\u0441\u0438\u044e 3.18.11.03 (\u043f\u0430\u043a\u0435\u0442 \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u044f 11, \u043f\u0430\u043a\u0435\u0442 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f 03), \u0438\u0441\u043a\u043b\u044e\u0447\u0430\u044e\u0449\u0443\u044e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 WIBU CodeMeter.",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "04.10.2021",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.02.2026",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "13.02.2026",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2026-01770",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-41057",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SCADA-\u0441\u0438\u0441\u0442\u0435\u043c\u0430 APDAR (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211629643), CodeMeter Runtime, PSS(R)CAPE, SICAM 230, SIMATIC Information Server, SIMATIC PCS neo, SIMATIC Process Historian, SIMATIC WinCC OA, SIMIT Simulation Platform, PSS(R)E, PSS(R)ODMS",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u043b\u0438\u0446\u0435\u043d\u0437\u0438\u0439 CodeMeter, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0435 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438 (CWE-269)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u043b\u0438\u0446\u0435\u043d\u0437\u0438\u0439 CodeMeter \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210910-01.pdf\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-580693.pdf",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u0421\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0410\u0421\u0423 \u0422\u041f, \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0410\u0421\u0423 \u0422\u041f, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u0437\u0430\u0449\u0438\u0442\u044b, \u041c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-269",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,2)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…