cnvd - cnvd-2021-71427

cnvd-2021-71427

Vulnerability from cnvd

Title: Siemens Desigo CC系列CCOM Communication组件反序列化漏洞

Description:

Cerberus DMS是一个危险管理站，帮助用户管理消防安全和安保事件。Desigo CC是管理高性能建筑的综合建筑管理平台。Desigo CC Compact通过为中小型建筑量身定制的解决方案扩展了产品组合。

Siemens Desigo CC系列CCOM Communication组件存在反序列化漏洞，允许未经身份验证的攻击者可利用漏洞在受影响的系统中执行代码。

Severity: 高

Patch Name: Siemens Desigo CC系列CCOM Communication组件反序列化漏洞的补丁

Patch Description:

Siemens Desigo CC系列CCOM Communication组件存在反序列化漏洞，允许未经身份验证的攻击者可利用漏洞在受影响的系统中执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下供应商提供的安全公告获得补丁信息： https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf

Impacted products

Name
['Siemens Cerberus DMS V4.0', 'Siemens Cerberus DMS V4.1', 'Siemens Cerberus DMS V4.2', 'Siemens Cerberus DMS < v5.0 QU1', 'Siemens Desigo CC Compact V4.0', 'Siemens Desigo CC Compact V4.1', 'Siemens Desigo CC Compact V4.2', 'Siemens Desigo CC Compact V5.0', 'Siemens Desigo CC V4.0', 'Siemens Desigo CC V4.1', 'Siemens Desigo CC V4.2', 'Siemens Desigo CC < V5.0 QU1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-37181"
    }
  },
  "description": "Cerberus DMS\u662f\u4e00\u4e2a\u5371\u9669\u7ba1\u7406\u7ad9\uff0c\u5e2e\u52a9\u7528\u6237\u7ba1\u7406\u6d88\u9632\u5b89\u5168\u548c\u5b89\u4fdd\u4e8b\u4ef6\u3002Desigo CC\u662f\u7ba1\u7406\u9ad8\u6027\u80fd\u5efa\u7b51\u7684\u7efc\u5408\u5efa\u7b51\u7ba1\u7406\u5e73\u53f0\u3002Desigo CC Compact\u901a\u8fc7\u4e3a\u4e2d\u5c0f\u578b\u5efa\u7b51\u91cf\u8eab\u5b9a\u5236\u7684\u89e3\u51b3\u65b9\u6848\u6269\u5c55\u4e86\u4ea7\u54c1\u7ec4\u5408\u3002\n\nSiemens Desigo CC\u7cfb\u5217CCOM Communication\u7ec4\u4ef6\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e2d\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-71427",
  "openTime": "2021-09-15",
  "patchDescription": "Cerberus DMS\u662f\u4e00\u4e2a\u5371\u9669\u7ba1\u7406\u7ad9\uff0c\u5e2e\u52a9\u7528\u6237\u7ba1\u7406\u6d88\u9632\u5b89\u5168\u548c\u5b89\u4fdd\u4e8b\u4ef6\u3002Desigo CC\u662f\u7ba1\u7406\u9ad8\u6027\u80fd\u5efa\u7b51\u7684\u7efc\u5408\u5efa\u7b51\u7ba1\u7406\u5e73\u53f0\u3002Desigo CC Compact\u901a\u8fc7\u4e3a\u4e2d\u5c0f\u578b\u5efa\u7b51\u91cf\u8eab\u5b9a\u5236\u7684\u89e3\u51b3\u65b9\u6848\u6269\u5c55\u4e86\u4ea7\u54c1\u7ec4\u5408\u3002\r\n\r\nSiemens Desigo CC\u7cfb\u5217CCOM Communication\u7ec4\u4ef6\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e2d\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens Desigo CC\u7cfb\u5217CCOM Communication\u7ec4\u4ef6\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Siemens Cerberus DMS V4.0",
      "Siemens Cerberus DMS V4.1",
      "Siemens Cerberus DMS V4.2",
      "Siemens Cerberus DMS \u003c v5.0 QU1",
      "Siemens Desigo CC Compact V4.0",
      "Siemens Desigo CC Compact V4.1",
      "Siemens Desigo CC Compact V4.2",
      "Siemens Desigo CC Compact V5.0",
      "Siemens Desigo CC V4.0",
      "Siemens Desigo CC V4.1",
      "Siemens Desigo CC V4.2",
      "Siemens Desigo CC \u003c V5.0 QU1"
    ]
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf",
  "serverity": "\u9ad8",
  "submitTime": "2021-09-15",
  "title": "Siemens Desigo CC\u7cfb\u5217CCOM Communication\u7ec4\u4ef6\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}

CVE-2021-37181 (GCVE-0-2021-37181)

Vulnerability from cvelistv5

Published

2021-09-14 10:47

Modified

2024-08-04 01:16

Severity ?

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability.

References

▼	URL	Tags
	https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Siemens

Cerberus DMS V4.0

Version: All versions

Siemens	Cerberus DMS V4.1	Version: All versions
Siemens	Cerberus DMS V4.2	Version: All versions
Siemens	Cerberus DMS V5.0	Version: All versions < v5.0 QU1
Siemens	Desigo CC Compact V4.0	Version: All versions
Siemens	Desigo CC Compact V4.1	Version: All versions
Siemens	Desigo CC Compact V4.2	Version: All versions
Siemens	Desigo CC Compact V5.0	Version: All versions < V5.0 QU1
Siemens	Desigo CC V4.0	Version: All versions
Siemens	Desigo CC V4.1	Version: All versions
Siemens	Desigo CC V4.2	Version: All versions
Siemens	Desigo CC V5.0	Version: All versions < V5.0 QU1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:16:03.922Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cerberus DMS V4.0",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Cerberus DMS V4.1",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Cerberus DMS V4.2",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Cerberus DMS V5.0",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c v5.0 QU1"
            }
          ]
        },
        {
          "product": "Desigo CC Compact V4.0",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Desigo CC Compact V4.1",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Desigo CC Compact V4.2",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Desigo CC Compact V5.0",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V5.0 QU1"
            }
          ]
        },
        {
          "product": "Desigo CC V4.0",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Desigo CC V4.1",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Desigo CC V4.2",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Desigo CC V5.0",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V5.0 QU1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions \u003c v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions \u003c V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions \u003c V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-14T10:47:46",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2021-37181",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cerberus DMS V4.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Cerberus DMS V4.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Cerberus DMS V4.2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Cerberus DMS V5.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c v5.0 QU1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC Compact V4.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC Compact V4.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC Compact V4.2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC Compact V5.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V5.0 QU1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC V4.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC V4.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC V4.2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Desigo CC V5.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V5.0 QU1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Siemens"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions \u003c v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions \u003c V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions \u003c V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502: Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf",
              "refsource": "MISC",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2021-37181",
    "datePublished": "2021-09-14T10:47:46",
    "dateReserved": "2021-07-21T00:00:00",
    "dateUpdated": "2024-08-04T01:16:03.922Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted