Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-13924 (GCVE-0-2019-13924)
Vulnerability from cvelistv5
Published
2020-02-11 00:00
Modified
2024-08-05 00:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-693 - Protection Mechanism Failure
Summary
A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | SCALANCE S602 |
Version: All versions < V4.1 |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:05:43.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SCALANCE S602",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V4.1"
}
]
},
{
"product": "SCALANCE S612",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V4.1"
}
]
},
{
"product": "SCALANCE S623",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V4.1"
}
]
},
{
"product": "SCALANCE S627-2M",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V4.1"
}
]
},
{
"product": "SCALANCE X-200 switch family (incl. SIPLUS NET variants)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c 5.2.4"
}
]
},
{
"product": "SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V5.5.0"
}
]
},
{
"product": "SCALANCE X-200RNA switch family",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.2.7"
}
]
},
{
"product": "SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c 4.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2019-13924",
"datePublished": "2020-02-11T00:00:00",
"dateReserved": "2019-07-18T00:00:00",
"dateUpdated": "2024-08-05T00:05:43.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2019-13924\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2020-02-11T16:15:14.430\",\"lastModified\":\"2024-11-21T04:25:42.543\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad en la SCALANCE S602 (Todas las versiones anteriores a V4.1), SCALANCE S612 (Todas las versiones anteriores a V4.1), SCALANCE S623 (Todas las versiones anteriores a V4.1), SCALANCE S627-2M (Todas las versiones anteriores a V4.1), familia de switches SCALANCE X-200 (incluidas las variantes SIPLUS NET) (Todas las versiones anteriores a 5.2.4), familia de switches SCALANCE X-200IRT (incluidas las variantes SIPLUS NET) (Todas las versiones anteriores a V5.5.0), familia de switches SCALANCE X-300 (incluidas las variantes X408 y SIPLUS NET) (Todas las versiones anteriores a 4.1.3). El dispositivo no env\u00eda el encabezado X-Frame-Option en la interfaz web administrativa, lo que lo hace vulnerable a los ataques de Clickjacking. La vulnerabilidad de seguridad podr\u00eda ser explotada por un atacante que es capaz de enga\u00f1ar a un usuario administrativo con una sesi\u00f3n v\u00e1lida en el dispositivo de destino para que haga clic en un sitio web controlado por el atacante. La vulnerabilidad podr\u00eda permitir a un atacante realizar acciones administrativas a trav\u00e9s de la interfaz web\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-693\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1021\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_xc-200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.4\",\"matchCriteriaId\":\"C4E946F8-C80D-4765-AB71-5A69C4B167E9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_xc-200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7719E194-EE3D-4CE8-8C85-CF0D82A553AA\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_xf-200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.4\",\"matchCriteriaId\":\"72EABB5D-56FE-4AF7-BDE4-B920566AB9A3\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_xf-200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB503096-C528-478C-BD07-019C2CC882E4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_xp-200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.4\",\"matchCriteriaId\":\"3E0EEF4A-CC34-4F10-9BED-0EB1BE23811F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_xp-200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F962FC7-0616-467F-8CCA-ADEA224B5F7B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_x-200irt_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"602CAF2E-2276-455C-82E5-A05BBFC198C5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_x-200irt:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"94C7BE35-D3A6-488C-BB3D-D17D65DF4B80\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_xb-200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.4\",\"matchCriteriaId\":\"6C09B7A1-FC9C-4FF7-BA75-8AD8CE933C5C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_xb-200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6CB3CC2D-CBF0-4F53-A412-01BBC39E34C2\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_xr-300wg_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.3\",\"matchCriteriaId\":\"02B398C3-3EDD-4FD4-977A-8461DB27CC49\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_xr-300wg:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"434BC9BE-C5DB-4DAF-8E07-DFE4EEA0D7FE\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_x-300_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.3\",\"matchCriteriaId\":\"076F3DDE-2B70-4F53-9B12-7CE3D9641E7E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_x-300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2D0AB50-6F0B-4232-8C8E-1647410D362D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:scalance_xr-300_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.3\",\"matchCriteriaId\":\"129E733C-0BF1-4DF0-9772-66009BA3C64D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:scalance_xr-300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"889CF2C0-EE6C-447F-85F1-005730EAD232\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-20-042-07\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-20-042-07\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
gsd-2019-13924
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-13924",
"description": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (all versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (all versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.",
"id": "GSD-2019-13924"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-13924"
],
"details": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.",
"id": "GSD-2019-13924",
"modified": "2023-12-13T01:23:41.557713Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-13924",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SCALANCE S602",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V4.1"
}
]
}
},
{
"product_name": "SCALANCE S612",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V4.1"
}
]
}
},
{
"product_name": "SCALANCE S623",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V4.1"
}
]
}
},
{
"product_name": "SCALANCE S627-2M",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V4.1"
}
]
}
},
{
"product_name": "SCALANCE X-200 switch family (incl. SIPLUS NET variants)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c 5.2.4"
}
]
}
},
{
"product_name": "SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V5.5.0"
}
]
}
},
{
"product_name": "SCALANCE X-200RNA switch family",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.2.7"
}
]
}
},
{
"product_name": "SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c 4.1.3"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-693: Protection Mechanism Failure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_xc-200_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_xc-200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_xf-200_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_xf-200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_xp-200_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_xp-200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_x-200irt_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_x-200irt:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_xb-200_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_xb-200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_xr-300wg_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_xr-300wg:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_x-300_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_x-300:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_xr-300_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_xr-300:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-13924"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-693"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07",
"refsource": "MISC",
"tags": [],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5
}
},
"lastModifiedDate": "2022-12-13T17:15Z",
"publishedDate": "2020-02-11T16:15Z"
}
}
}
icsa-20-042-07
Vulnerability from csaf_cisa
Published
2020-02-11 00:00
Modified
2022-12-13 00:00
Summary
Siemens SCALANCE X Switches (Update B)
Notes
Summary
Several SCALANCE X switches contain a vulnerability that could allow an attacker to perform administrative actions
if the victim is tricked into clicking on a website controlled by the attacker.
The attack only works if the victim has an authenticated session on the administrative interface of the switch.
Siemens has released updates for the affected products and recommends to update to the latest versions.
General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Advisory Conversion Disclaimer
This CISA CSAF advisory was converted from Siemens ProductCERT's CSAF advisory.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
{
"document": {
"acknowledgments": [
{
"organization": "Siemens ProductCERT",
"summary": "reporting this vulnerability to CISA."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"notes": [
{
"category": "summary",
"text": "Several SCALANCE X switches contain a vulnerability that could allow an attacker to perform administrative actions\nif the victim is tricked into clicking on a website controlled by the attacker.\nThe attack only works if the victim has an authenticated session on the administrative interface of the switch.\n\nSiemens has released updates for the affected products and recommends to update to the latest versions.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This CISA CSAF advisory was converted from Siemens ProductCERT\u0027s CSAF advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Multiple",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "SSA-951513: Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-951513.json"
},
{
"category": "self",
"summary": "SSA-951513: Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-951513.txt"
},
{
"category": "self",
"summary": "SSA-951513: Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-20-042-07 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-042-07.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-20-042-07 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-042-07"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Siemens SCALANCE X Switches (Update B)",
"tracking": {
"current_release_date": "2022-12-13T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-20-042-07",
"initial_release_date": "2020-02-11T00:00:00.000000Z",
"revision_history": [
{
"date": "2020-02-11T00:00:00.000000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
},
{
"date": "2021-02-09T00:00:00.000000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Added solution for SCALANCE X-200IRT switch family"
},
{
"date": "2021-04-13T00:00:00.000000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Added affected products SCALANCE S602, SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M"
},
{
"date": "2022-12-13T00:00:00.000000Z",
"legacy_version": "1.3",
"number": "4",
"summary": "Added SCALANCE X-200RNA switch family"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S602",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "SCALANCE S602"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S612",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "SCALANCE S612"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S623",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "SCALANCE S623"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S627-2M",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "SCALANCE S627-2M"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2.4",
"product": {
"name": "SCALANCE X-200 switch family (incl. SIPLUS NET variants)",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "SCALANCE X-200 switch family (incl. SIPLUS NET variants)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV5.5.0",
"product": {
"name": "SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV3.2.7",
"product": {
"name": "SCALANCE X-200RNA switch family",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "SCALANCE X-200RNA switch family"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.1.3",
"product": {
"name": "SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-13924",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"notes": [
{
"category": "summary",
"text": "The device does not send the X-Frame-Option Header in the administrative web\ninterface, which makes it vulnerable to Clickjacking attacks. \n\nThe security vulnerability could be exploited by an attacker that is able\nto trick an administrative user with a valid session on the target device into\nclicking on a website controlled by the attacker. The vulnerability could\nallow an attacker to perform administrative actions via the web interface.\n",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Only access links from trusted sources in the browser you use to configure the SCALANCE X switches.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008"
]
},
{
"category": "mitigation",
"details": "Upgrade hardware to successor product from SCALANCE SC-600 family (\nhttps://support.industry.siemens.com/cs/document/109756957) and apply patches when available, or follow recommendations from section Workarounds and Mitigations",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V4.1.3 or later version",
"product_ids": [
"CSAFPID-0008"
],
"url": "https://support.industry.siemens.com/cs/document/109773547/"
},
{
"category": "vendor_fix",
"details": "Update to V5.2.4 or later version",
"product_ids": [
"CSAFPID-0005"
],
"url": "https://support.industry.siemens.com/cs/document/109767965/"
},
{
"category": "vendor_fix",
"details": "Update to V5.5.0 or later version",
"product_ids": [
"CSAFPID-0006"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109792534/"
},
{
"category": "vendor_fix",
"details": "Update to V4.1 or later version\nUpdate is only available via Siemens Support contact",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.2.7 or later version",
"product_ids": [
"CSAFPID-0007"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109814809/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L/E:P/RL:U/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008"
]
}
],
"title": "CVE-2019-13924"
}
]
}
ICSA-20-042-07
Vulnerability from csaf_cisa
Published
2020-02-11 00:00
Modified
2022-12-13 00:00
Summary
Siemens SCALANCE X Switches (Update B)
Notes
Summary
Several SCALANCE X switches contain a vulnerability that could allow an attacker to perform administrative actions
if the victim is tricked into clicking on a website controlled by the attacker.
The attack only works if the victim has an authenticated session on the administrative interface of the switch.
Siemens has released updates for the affected products and recommends to update to the latest versions.
General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Advisory Conversion Disclaimer
This CISA CSAF advisory was converted from Siemens ProductCERT's CSAF advisory.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
{
"document": {
"acknowledgments": [
{
"organization": "Siemens ProductCERT",
"summary": "reporting this vulnerability to CISA."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"notes": [
{
"category": "summary",
"text": "Several SCALANCE X switches contain a vulnerability that could allow an attacker to perform administrative actions\nif the victim is tricked into clicking on a website controlled by the attacker.\nThe attack only works if the victim has an authenticated session on the administrative interface of the switch.\n\nSiemens has released updates for the affected products and recommends to update to the latest versions.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This CISA CSAF advisory was converted from Siemens ProductCERT\u0027s CSAF advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Multiple",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "SSA-951513: Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-951513.json"
},
{
"category": "self",
"summary": "SSA-951513: Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-951513.txt"
},
{
"category": "self",
"summary": "SSA-951513: Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-20-042-07 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-042-07.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-20-042-07 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-042-07"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Siemens SCALANCE X Switches (Update B)",
"tracking": {
"current_release_date": "2022-12-13T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-20-042-07",
"initial_release_date": "2020-02-11T00:00:00.000000Z",
"revision_history": [
{
"date": "2020-02-11T00:00:00.000000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
},
{
"date": "2021-02-09T00:00:00.000000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Added solution for SCALANCE X-200IRT switch family"
},
{
"date": "2021-04-13T00:00:00.000000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Added affected products SCALANCE S602, SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M"
},
{
"date": "2022-12-13T00:00:00.000000Z",
"legacy_version": "1.3",
"number": "4",
"summary": "Added SCALANCE X-200RNA switch family"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S602",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "SCALANCE S602"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S612",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "SCALANCE S612"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S623",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "SCALANCE S623"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV4.1",
"product": {
"name": "SCALANCE S627-2M",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "SCALANCE S627-2M"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2.4",
"product": {
"name": "SCALANCE X-200 switch family (incl. SIPLUS NET variants)",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "SCALANCE X-200 switch family (incl. SIPLUS NET variants)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV5.5.0",
"product": {
"name": "SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV3.2.7",
"product": {
"name": "SCALANCE X-200RNA switch family",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "SCALANCE X-200RNA switch family"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.1.3",
"product": {
"name": "SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-13924",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"notes": [
{
"category": "summary",
"text": "The device does not send the X-Frame-Option Header in the administrative web\ninterface, which makes it vulnerable to Clickjacking attacks. \n\nThe security vulnerability could be exploited by an attacker that is able\nto trick an administrative user with a valid session on the target device into\nclicking on a website controlled by the attacker. The vulnerability could\nallow an attacker to perform administrative actions via the web interface.\n",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Only access links from trusted sources in the browser you use to configure the SCALANCE X switches.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008"
]
},
{
"category": "mitigation",
"details": "Upgrade hardware to successor product from SCALANCE SC-600 family (\nhttps://support.industry.siemens.com/cs/document/109756957) and apply patches when available, or follow recommendations from section Workarounds and Mitigations",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V4.1.3 or later version",
"product_ids": [
"CSAFPID-0008"
],
"url": "https://support.industry.siemens.com/cs/document/109773547/"
},
{
"category": "vendor_fix",
"details": "Update to V5.2.4 or later version",
"product_ids": [
"CSAFPID-0005"
],
"url": "https://support.industry.siemens.com/cs/document/109767965/"
},
{
"category": "vendor_fix",
"details": "Update to V5.5.0 or later version",
"product_ids": [
"CSAFPID-0006"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109792534/"
},
{
"category": "vendor_fix",
"details": "Update to V4.1 or later version\nUpdate is only available via Siemens Support contact",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.2.7 or later version",
"product_ids": [
"CSAFPID-0007"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109814809/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L/E:P/RL:U/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008"
]
}
],
"title": "CVE-2019-13924"
}
]
}
cnvd-2020-23037
Vulnerability from cnvd
Title
多款Siemens产品输入验证错误漏洞(CNVD-2020-23037)
Description
Siemens Scalance X-200等都是德国西门子(Siemens)公司的一款工业级以太网交换机。
多款Siemens产品中存在输入验证错误漏洞,攻击者可利用该漏洞劫持其他用户的点击操作。
Severity
中
VLAI Severity ?
Patch Name
多款Siemens产品输入验证错误漏洞(CNVD-2020-23037)的补丁
Patch Description
Siemens Scalance X-200等都是德国西门子(Siemens)公司的一款工业级以太网交换机。
多款Siemens产品中存在输入验证错误漏洞,攻击者可利用该漏洞劫持其他用户的点击操作。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf
Reference
https://www.us-cert.gov/ics/advisories/icsa-20-042-07
Impacted products
| Name | ['Siemens SCALANCE X-200IRT', 'Siemens SCALANCE X-200 <5.2.4', 'Siemens SCALANCE X-300 <4.1.3'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-13924"
}
},
"description": "Siemens Scalance X-200\u7b49\u90fd\u662f\u5fb7\u56fd\u897f\u95e8\u5b50\uff08Siemens\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5de5\u4e1a\u7ea7\u4ee5\u592a\u7f51\u4ea4\u6362\u673a\u3002\n\n\u591a\u6b3eSiemens\u4ea7\u54c1\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u5176\u4ed6\u7528\u6237\u7684\u70b9\u51fb\u64cd\u4f5c\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-23037",
"openTime": "2020-04-16",
"patchDescription": "Siemens Scalance X-200\u7b49\u90fd\u662f\u5fb7\u56fd\u897f\u95e8\u5b50\uff08Siemens\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5de5\u4e1a\u7ea7\u4ee5\u592a\u7f51\u4ea4\u6362\u673a\u3002\r\n\r\n\u591a\u6b3eSiemens\u4ea7\u54c1\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u5176\u4ed6\u7528\u6237\u7684\u70b9\u51fb\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "\u591a\u6b3eSiemens\u4ea7\u54c1\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2020-23037\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Siemens SCALANCE X-200IRT",
"Siemens SCALANCE X-200 \u003c5.2.4",
"Siemens SCALANCE X-300 \u003c4.1.3"
]
},
"referenceLink": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07",
"serverity": "\u4e2d",
"submitTime": "2020-02-12",
"title": "\u591a\u6b3eSiemens\u4ea7\u54c1\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2020-23037\uff09"
}
fkie_cve-2019-13924
Vulnerability from fkie_nvd
Published
2020-02-11 16:15
Modified
2024-11-21 04:25
Severity ?
Summary
A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf | Vendor Advisory | |
| productcert@siemens.com | https://www.us-cert.gov/ics/advisories/icsa-20-042-07 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-20-042-07 |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| siemens | scalance_xc-200_firmware | * | |
| siemens | scalance_xc-200 | - | |
| siemens | scalance_xf-200_firmware | * | |
| siemens | scalance_xf-200 | - | |
| siemens | scalance_xp-200_firmware | * | |
| siemens | scalance_xp-200 | - | |
| siemens | scalance_x-200irt_firmware | * | |
| siemens | scalance_x-200irt | - | |
| siemens | scalance_xb-200_firmware | * | |
| siemens | scalance_xb-200 | - | |
| siemens | scalance_xr-300wg_firmware | * | |
| siemens | scalance_xr-300wg | - | |
| siemens | scalance_x-300_firmware | * | |
| siemens | scalance_x-300 | - | |
| siemens | scalance_xr-300_firmware | * | |
| siemens | scalance_xr-300 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_xc-200_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C4E946F8-C80D-4765-AB71-5A69C4B167E9",
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_xc-200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7719E194-EE3D-4CE8-8C85-CF0D82A553AA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_xf-200_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72EABB5D-56FE-4AF7-BDE4-B920566AB9A3",
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_xf-200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BB503096-C528-478C-BD07-019C2CC882E4",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_xp-200_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3E0EEF4A-CC34-4F10-9BED-0EB1BE23811F",
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_xp-200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8F962FC7-0616-467F-8CCA-ADEA224B5F7B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_x-200irt_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "602CAF2E-2276-455C-82E5-A05BBFC198C5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_x-200irt:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94C7BE35-D3A6-488C-BB3D-D17D65DF4B80",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_xb-200_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C09B7A1-FC9C-4FF7-BA75-8AD8CE933C5C",
"versionEndExcluding": "5.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_xb-200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6CB3CC2D-CBF0-4F53-A412-01BBC39E34C2",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_xr-300wg_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "02B398C3-3EDD-4FD4-977A-8461DB27CC49",
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_xr-300wg:-:*:*:*:*:*:*:*",
"matchCriteriaId": "434BC9BE-C5DB-4DAF-8E07-DFE4EEA0D7FE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_x-300_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "076F3DDE-2B70-4F53-9B12-7CE3D9641E7E",
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_x-300:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2D0AB50-6F0B-4232-8C8E-1647410D362D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:scalance_xr-300_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "129E733C-0BF1-4DF0-9772-66009BA3C64D",
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:scalance_xr-300:-:*:*:*:*:*:*:*",
"matchCriteriaId": "889CF2C0-EE6C-447F-85F1-005730EAD232",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en la SCALANCE S602 (Todas las versiones anteriores a V4.1), SCALANCE S612 (Todas las versiones anteriores a V4.1), SCALANCE S623 (Todas las versiones anteriores a V4.1), SCALANCE S627-2M (Todas las versiones anteriores a V4.1), familia de switches SCALANCE X-200 (incluidas las variantes SIPLUS NET) (Todas las versiones anteriores a 5.2.4), familia de switches SCALANCE X-200IRT (incluidas las variantes SIPLUS NET) (Todas las versiones anteriores a V5.5.0), familia de switches SCALANCE X-300 (incluidas las variantes X408 y SIPLUS NET) (Todas las versiones anteriores a 4.1.3). El dispositivo no env\u00eda el encabezado X-Frame-Option en la interfaz web administrativa, lo que lo hace vulnerable a los ataques de Clickjacking. La vulnerabilidad de seguridad podr\u00eda ser explotada por un atacante que es capaz de enga\u00f1ar a un usuario administrativo con una sesi\u00f3n v\u00e1lida en el dispositivo de destino para que haga clic en un sitio web controlado por el atacante. La vulnerabilidad podr\u00eda permitir a un atacante realizar acciones administrativas a trav\u00e9s de la interfaz web"
}
],
"id": "CVE-2019-13924",
"lastModified": "2024-11-21T04:25:42.543",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-11T16:15:14.430",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"source": "productcert@siemens.com",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-693"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
ghsa-9v8p-c94c-q287
Vulnerability from github
Published
2022-05-24 17:08
Modified
2022-12-13 18:30
Severity ?
VLAI Severity ?
Details
A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (all versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (all versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.
{
"affected": [],
"aliases": [
"CVE-2019-13924"
],
"database_specific": {
"cwe_ids": [
"CWE-1021",
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (all versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (all versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.",
"id": "GHSA-9v8p-c94c-q287",
"modified": "2022-12-13T18:30:27Z",
"published": "2022-05-24T17:08:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13924"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
CERTFR-2021-AVI-256
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Siemens SCALANCE. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | SCALANCE X202-2P IRT (incl. SIPLUS NET vari-ant) versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X204-2LD TS toutes versions | ||
| Siemens | N/A | SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions antérieures à 5.2.4 | ||
| Siemens | N/A | SCALANCE X204-2TS toutes versions | ||
| Siemens | N/A | SCALANCE XF202-2P IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE XF206-1 toutes versions | ||
| Siemens | N/A | SCALANCE X206-1 toutes versions | ||
| Siemens | N/A | SCALANCE XF204 IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X-300 switch family (incl. X408 andSIPLUS NET variants) versions antérieures à 4.1.3 | ||
| Siemens | N/A | SCALANCE X224 toutes versions | ||
| Siemens | N/A | SCALANCE X204 IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X204 IRT PRO versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X216 toutes versions | ||
| Siemens | N/A | SCALANCE XF204 toutes versions | ||
| Siemens | N/A | SCALANCE XF204-2BA IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions antérieures à 5.5.0 | ||
| Siemens | N/A | SCALANCE X200-4P IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X202-2P IRT PRO versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE XF204-2 (incl. SIPLUS NET vari-ant) toutes versions | ||
| Siemens | N/A | SCALANCE X204-2LD (incl. SIPLUS NET vari-ant) toutes versions | ||
| Siemens | N/A | SCALANCE S627-2M versions antérieures à 4.1 | ||
| Siemens | N/A | SCALANCE X202-2 IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X201-3P IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X208PRO toutes versions | ||
| Siemens | N/A | SCALANCE S602 versions antérieures à 4.1 | ||
| Siemens | N/A | SCALANCE S623 versions antérieures à 4.1 | ||
| Siemens | N/A | SCALANCE X206-1LD toutes versions | ||
| Siemens | N/A | SCALANCE X204-2FM toutes versions | ||
| Siemens | N/A | SCALANCE XF208 toutes versions | ||
| Siemens | N/A | SCALANCE XF201-3P IRT versions antérieures à 5.5.1 | ||
| Siemens | N/A | SCALANCE X208 (incl. SIPLUS NET variant) toutes versions | ||
| Siemens | N/A | SCALANCE X212-2LD toutes versions | ||
| Siemens | N/A | SCALANCE X204-2 (incl. SIPLUS NET variant) toutes versions | ||
| Siemens | N/A | SCALANCE S612 versions antérieures à 4.1 | ||
| Siemens | N/A | SCALANCE X212-2 (incl. SIPLUS NET variant) toutes versions | ||
| Siemens | N/A | SCALANCE X201-3P IRT PRO versions antérieures à 5.5.1 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SCALANCE X202-2P IRT (incl. SIPLUS NET vari-ant) versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204-2LD TS toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.2.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204-2TS toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF202-2P IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF206-1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X206-1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF204 IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-300 switch family (incl. X408 andSIPLUS NET variants) versions ant\u00e9rieures \u00e0 4.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X224 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204 IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204 IRT PRO versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X216 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF204 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF204-2BA IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X200-4P IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X202-2P IRT PRO versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF204-2 (incl. SIPLUS NET vari-ant) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204-2LD (incl. SIPLUS NET vari-ant) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE S627-2M versions ant\u00e9rieures \u00e0 4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X202-2 IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X201-3P IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X208PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE S602 versions ant\u00e9rieures \u00e0 4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE S623 versions ant\u00e9rieures \u00e0 4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X206-1LD toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204-2FM toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF208 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XF201-3P IRT versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X208 (incl. SIPLUS NET variant) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X212-2LD toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X204-2 (incl. SIPLUS NET variant) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE S612 versions ant\u00e9rieures \u00e0 4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X212-2 (incl. SIPLUS NET variant) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X201-3P IRT PRO versions ant\u00e9rieures \u00e0 5.5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-25669",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25669"
},
{
"name": "CVE-2019-13924",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13924"
},
{
"name": "CVE-2021-25668",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25668"
}
],
"initial_release_date": "2021-04-14T00:00:00",
"last_revision_date": "2021-04-14T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-256",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-04-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens SCALANCE. Elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens SCALANCE",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-187092 du 13 avril 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-187092.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-951513 du 13 avril 2021",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
}
]
}
CERTFR-2022-AVI-1094
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) versions antérieures à V3.0.1 | ||
| Siemens | N/A | SIPROTEC 5, pour plus d'informations, veuillez-vous référer aux avis éditeur : https://cert-portal.siemens.com/productcert/html/ssa-552874.html et https://cert-portal.siemens.com/productcert/html/ssa-223771.html | ||
| Siemens | N/A | Teamcenter Visualization V13.2.x antérieures à V13.2.0.12 | ||
| Siemens | N/A | TALON TC Series (BACnet) versions antérieures à V3.5.5 | ||
| Siemens | N/A | SICAM PAS/PQS versions 8.x antérieures à 8.06 | ||
| Siemens | N/A | Parasolid versions V35.0.x antérieures à V35.0.170 | ||
| Siemens | N/A | SIMATIC WinCC Runtime Professional V15 versions antérieures à V15.1 Update 5 | ||
| Siemens | N/A | PLM Help Server V4.2 toutes versions | ||
| Siemens | N/A | SICAM PAS/PQS versions antérieures à 7.0 | ||
| Siemens | N/A | SIMATIC NET PC Software V15 toutes versions | ||
| Siemens | N/A | SINUMERIK Operate versions antérieures à V6.14 | ||
| Siemens | N/A | SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) toutes versions | ||
| Siemens | N/A | Polarion ALM toutes versions | ||
| Siemens | N/A | APOGEE PXC Series (P2 Ethernet) versions antérieures à V2.8.20 | ||
| Siemens | N/A | SIMATIC STEP 7 (TIA Portal) V13 versions antérieures à V13 SP2 Update 4 | ||
| Siemens | N/A | Mendix Email Connector versions antérieures à 2.0.0 | ||
| Siemens | N/A | SIMATIC WinCC Runtime Professional V16 versions antérieures à V16 Update 2 | ||
| Siemens | N/A | JT2Go toutes versions | ||
| Siemens | N/A | SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) toutes versions | ||
| Siemens | N/A | SIMATIC NET PC Software V14 versions antérieures à V14 SP1 Update 14 | ||
| Siemens | N/A | APOGEE PXC Series (BACnet) versions antérieures à V3.5.5 | ||
| Siemens | N/A | SCALANCE X-200RNA toutes versions | ||
| Siemens | N/A | SINAMICS STARTER versions antérieures à V5.4 HF2 | ||
| Siemens | N/A | Simcenter STAR-CCM+ toutes versions | ||
| Siemens | N/A | SIMATIC Automation Tool versions antérieures à V4 SP2 | ||
| Siemens | N/A | SIMATIC PCS neo versions antérieures à V3.0 SP1 | ||
| Siemens | N/A | Parasolid versions V33.1.x antérieures à V33.1.264 | ||
| Siemens | N/A | SIMATIC STEP 7 V5 versions antérieures à V5.6 SP2 HF3 | ||
| Siemens | N/A | SIMATIC WinCC OA versions V3.18.x antérieures à V3.18 P014 | ||
| Siemens | N/A | SIMATIC WinCC OA V3.17 versions antérieures à V3.17 P003 | ||
| Siemens | N/A | SIMATIC WinCC V7.5 versions antérieures à V7.5 SP1 Update 3 | ||
| Siemens | N/A | SIMATIC STEP 7 (TIA Portal) V14 versions antérieures à V14 SP1 Update 10 | ||
| Siemens | N/A | SIMATIC WinCC Runtime Professional V14 versions antérieures à V14 SP1 Update 10 | ||
| Siemens | N/A | SINEC NMS versions antérieures à V1.0 SP2 | ||
| Siemens | N/A | Parasolid versions V34.1.x antérieures à V34.1.242 | ||
| Siemens | N/A | SIMATIC Drive Controller family versions antérieures à V3.0.1 | ||
| Siemens | N/A | Teamcenter Visualization V13.3.x | ||
| Siemens | N/A | Parasolid versions V34.0.x antérieures à V34.0.252 | ||
| Siemens | N/A | SCALANCE, pour plus d'informations, veuillez-vous référer aux avis éditeur : https://cert-portal.siemens.com/productcert/html/ssa-413565.html, https://cert-portal.siemens.com/productcert/html/ssa-333517.html, https://cert-portal.siemens.com/productcert/html/ssa-363821.html et https://cert-portal.siemens.com/productcert/html/ssa-412672.html | ||
| Siemens | N/A | Teamcenter Visualization V14.1.x antérieures à V14.1.0.6 | ||
| Siemens | N/A | Mcenter versions supérieures ou égales à V5.2.1.0 | ||
| Siemens | N/A | SINEMA Server versions antérieures à V14 SP3 | ||
| Siemens | N/A | SIMATIC WinCC OA versions V3.17.x antérieures à V3.17 P024 | ||
| Siemens | N/A | SIMATIC WinCC OA versions V3.15.x | ||
| Siemens | N/A | TIM 1531 IRC (6GK7543-1MX00-0XE0) toutes versions | ||
| Siemens | N/A | SIMATIC S7-PLCSIM Advanced versions antérieures à V5.0 | ||
| Siemens | N/A | SIMATIC RTLS Locating Manager (6GT2780-0DA00) versions supérieures ou égales à V2.13 | ||
| Siemens | N/A | RUGGEDCOM, pour plus d'informations, veuillez-vous référer à l'avis éditeur : https://cert-portal.siemens.com/productcert/html/ssa-413565.html | ||
| Siemens | N/A | SICAM GridPass (6MD7711-2AA00-1EA0) versions supérieures ou égales à V1.80 | ||
| Siemens | N/A | SIMATIC STEP 7 (TIA Portal) V15 versions antérieures à V15.1 Update 5 | ||
| Siemens | N/A | Teamcenter Visualization V14.0.x | ||
| Siemens | N/A | SIMATIC WinCC OA versions V3.16.x antérieures à V3.16 P035 | ||
| Siemens | N/A | SIMATIC WinCC Runtime Advanced versions antérieures à V16 Update 2 | ||
| Siemens | N/A | SIMATIC WinCC V7.4 versions antérieures à V7.4 SP1 Update 14 | ||
| Siemens | N/A | SIMATIC WinCC Runtime Professional V13 versions antérieures à V13 SP2 Update 4 | ||
| Siemens | N/A | SIMATIC NET PC Software V16 versions antérieures à V16 Upd3 | ||
| Siemens | N/A | SIMATIC ProSave versions antérieures à V17 | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller versions antérieures à V21.8 | ||
| Siemens | N/A | Mendix Workflow Commons versions antérieures à 2.4.0 | ||
| Siemens | N/A | SINAMICS Startdrive versions antérieures à V16 Update 3 | ||
| Siemens | N/A | SIMATIC STEP 7 (TIA Portal) V16 versions antérieures à V16 Update 2 | ||
| Siemens | N/A | SIMATIC S7-1200 CPU family (incl. SIPLUS variants) versions antérieures à V4.6.0 | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller toutes versions | ||
| Siemens | N/A | SIMATIC WinCC OA V3.16 versions antérieures à V3.16 P018 | ||
| Siemens | N/A | Calibre ICE versions supérieures ou égales à V2022.4 | ||
| Siemens | N/A | SINUMERIK ONE virtual versions antérieures à V6.14 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) versions ant\u00e9rieures \u00e0 V3.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIPROTEC 5, pour plus d\u0027informations, veuillez-vous r\u00e9f\u00e9rer aux avis \u00e9diteur : https://cert-portal.siemens.com/productcert/html/ssa-552874.html et https://cert-portal.siemens.com/productcert/html/ssa-223771.html",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V13.2.x ant\u00e9rieures \u00e0 V13.2.0.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TALON TC Series (BACnet) versions ant\u00e9rieures \u00e0 V3.5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM PAS/PQS versions 8.x ant\u00e9rieures \u00e0 8.06",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Parasolid versions V35.0.x ant\u00e9rieures \u00e0 V35.0.170",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Professional V15 versions ant\u00e9rieures \u00e0 V15.1 Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PLM Help Server V4.2 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM PAS/PQS versions ant\u00e9rieures \u00e0 7.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC NET PC Software V15 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINUMERIK Operate versions ant\u00e9rieures \u00e0 V6.14",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Polarion ALM toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Series (P2 Ethernet) versions ant\u00e9rieures \u00e0 V2.8.20",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC STEP 7 (TIA Portal) V13 versions ant\u00e9rieures \u00e0 V13 SP2 Update 4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Email Connector versions ant\u00e9rieures \u00e0 2.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Professional V16 versions ant\u00e9rieures \u00e0 V16 Update 2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT2Go toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC NET PC Software V14 versions ant\u00e9rieures \u00e0 V14 SP1 Update 14",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "APOGEE PXC Series (BACnet) versions ant\u00e9rieures \u00e0 V3.5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200RNA toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS STARTER versions ant\u00e9rieures \u00e0 V5.4 HF2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Simcenter STAR-CCM+ toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Automation Tool versions ant\u00e9rieures \u00e0 V4 SP2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS neo versions ant\u00e9rieures \u00e0 V3.0 SP1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Parasolid versions V33.1.x ant\u00e9rieures \u00e0 V33.1.264",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC STEP 7 V5 versions ant\u00e9rieures \u00e0 V5.6 SP2 HF3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA versions V3.18.x ant\u00e9rieures \u00e0 V3.18 P014",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA V3.17 versions ant\u00e9rieures \u00e0 V3.17 P003",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.5 versions ant\u00e9rieures \u00e0 V7.5 SP1 Update 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC STEP 7 (TIA Portal) V14 versions ant\u00e9rieures \u00e0 V14 SP1 Update 10",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Professional V14 versions ant\u00e9rieures \u00e0 V14 SP1 Update 10",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEC NMS versions ant\u00e9rieures \u00e0 V1.0 SP2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Parasolid versions V34.1.x ant\u00e9rieures \u00e0 V34.1.242",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Drive Controller family versions ant\u00e9rieures \u00e0 V3.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V13.3.x",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Parasolid versions V34.0.x ant\u00e9rieures \u00e0 V34.0.252",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE, pour plus d\u0027informations, veuillez-vous r\u00e9f\u00e9rer aux avis \u00e9diteur : https://cert-portal.siemens.com/productcert/html/ssa-413565.html, https://cert-portal.siemens.com/productcert/html/ssa-333517.html, https://cert-portal.siemens.com/productcert/html/ssa-363821.html et https://cert-portal.siemens.com/productcert/html/ssa-412672.html",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.1.x ant\u00e9rieures \u00e0 V14.1.0.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mcenter versions sup\u00e9rieures ou \u00e9gales \u00e0 V5.2.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINEMA Server versions ant\u00e9rieures \u00e0 V14 SP3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA versions V3.17.x ant\u00e9rieures \u00e0 V3.17 P024",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA versions V3.15.x",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIM 1531 IRC (6GK7543-1MX00-0XE0) toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-PLCSIM Advanced versions ant\u00e9rieures \u00e0 V5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RTLS Locating Manager (6GT2780-0DA00) versions sup\u00e9rieures ou \u00e9gales \u00e0 V2.13",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RUGGEDCOM, pour plus d\u0027informations, veuillez-vous r\u00e9f\u00e9rer \u00e0 l\u0027avis \u00e9diteur : https://cert-portal.siemens.com/productcert/html/ssa-413565.html",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM GridPass (6MD7711-2AA00-1EA0) versions sup\u00e9rieures ou \u00e9gales \u00e0 V1.80",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC STEP 7 (TIA Portal) V15 versions ant\u00e9rieures \u00e0 V15.1 Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.0.x",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA versions V3.16.x ant\u00e9rieures \u00e0 V3.16 P035",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Advanced versions ant\u00e9rieures \u00e0 V16 Update 2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.4 versions ant\u00e9rieures \u00e0 V7.4 SP1 Update 14",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC Runtime Professional V13 versions ant\u00e9rieures \u00e0 V13 SP2 Update 4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC NET PC Software V16 versions ant\u00e9rieures \u00e0 V16 Upd3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ProSave versions ant\u00e9rieures \u00e0 V17",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller versions ant\u00e9rieures \u00e0 V21.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Workflow Commons versions ant\u00e9rieures \u00e0 2.4.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS Startdrive versions ant\u00e9rieures \u00e0 V16 Update 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC STEP 7 (TIA Portal) V16 versions ant\u00e9rieures \u00e0 V16 Update 2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1200 CPU family (incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 V4.6.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC OA V3.16 versions ant\u00e9rieures \u00e0 V3.16 P018",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Calibre ICE versions sup\u00e9rieures ou \u00e9gales \u00e0 V2022.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINUMERIK ONE virtual versions ant\u00e9rieures \u00e0 V6.14",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": "",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-46345",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46345"
},
{
"name": "CVE-2020-28388",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28388"
},
{
"name": "CVE-2015-0208",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0208"
},
{
"name": "CVE-2016-0703",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0703"
},
{
"name": "CVE-2021-40365",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-40365"
},
{
"name": "CVE-2022-41279",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41279"
},
{
"name": "CVE-2022-46353",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46353"
},
{
"name": "CVE-2016-0701",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0701"
},
{
"name": "CVE-2019-6110",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6110"
},
{
"name": "CVE-2022-46352",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46352"
},
{
"name": "CVE-2015-5600",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5600"
},
{
"name": "CVE-2022-46347",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46347"
},
{
"name": "CVE-2022-46349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46349"
},
{
"name": "CVE-2015-0292",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0292"
},
{
"name": "CVE-2015-6563",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6563"
},
{
"name": "CVE-2015-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0286"
},
{
"name": "CVE-2015-1791",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1791"
},
{
"name": "CVE-2022-46351",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46351"
},
{
"name": "CVE-2015-6564",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6564"
},
{
"name": "CVE-2015-3195",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3195"
},
{
"name": "CVE-2016-0777",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0777"
},
{
"name": "CVE-2003-1562",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-1562"
},
{
"name": "CVE-2016-0800",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0800"
},
{
"name": "CVE-2016-2105",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2105"
},
{
"name": "CVE-2016-2177",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2177"
},
{
"name": "CVE-2022-41280",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41280"
},
{
"name": "CVE-2016-2176",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2176"
},
{
"name": "CVE-2019-6109",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6109"
},
{
"name": "CVE-2022-46346",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46346"
},
{
"name": "CVE-2022-41283",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41283"
},
{
"name": "CVE-2022-46144",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46144"
},
{
"name": "CVE-2016-6302",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6302"
},
{
"name": "CVE-2022-45044",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45044"
},
{
"name": "CVE-2018-4842",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4842"
},
{
"name": "CVE-2022-44731",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44731"
},
{
"name": "CVE-2022-46355",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46355"
},
{
"name": "CVE-2016-6303",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6303"
},
{
"name": "CVE-2015-0288",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0288"
},
{
"name": "CVE-2022-41288",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41288"
},
{
"name": "CVE-2019-1552",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1552"
},
{
"name": "CVE-2016-1907",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1907"
},
{
"name": "CVE-2016-2178",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2178"
},
{
"name": "CVE-2022-43517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43517"
},
{
"name": "CVE-2016-10011",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10011"
},
{
"name": "CVE-2015-6565",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6565"
},
{
"name": "CVE-2022-3160",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3160"
},
{
"name": "CVE-2016-6307",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6307"
},
{
"name": "CVE-2016-2179",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2179"
},
{
"name": "CVE-2022-3786",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3786"
},
{
"name": "CVE-2015-4000",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-4000"
},
{
"name": "CVE-2022-41282",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41282"
},
{
"name": "CVE-2015-3194",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3194"
},
{
"name": "CVE-2015-1789",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1789"
},
{
"name": "CVE-2022-46350",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46350"
},
{
"name": "CVE-2022-46142",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46142"
},
{
"name": "CVE-2015-0290",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0290"
},
{
"name": "CVE-2016-6304",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6304"
},
{
"name": "CVE-2022-46348",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46348"
},
{
"name": "CVE-2022-46140",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46140"
},
{
"name": "CVE-2016-1908",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1908"
},
{
"name": "CVE-2016-2107",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2107"
},
{
"name": "CVE-2019-16905",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16905"
},
{
"name": "CVE-2016-10009",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10009"
},
{
"name": "CVE-2016-2181",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2181"
},
{
"name": "CVE-2019-6111",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6111"
},
{
"name": "CVE-2016-8858",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8858"
},
{
"name": "CVE-2016-6515",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6515"
},
{
"name": "CVE-2015-3197",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3197"
},
{
"name": "CVE-2022-41281",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41281"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2013-0169",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0169"
},
{
"name": "CVE-2015-1788",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1788"
},
{
"name": "CVE-2016-2106",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2106"
},
{
"name": "CVE-2015-0207",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0207"
},
{
"name": "CVE-2015-1792",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1792"
},
{
"name": "CVE-2020-7580",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7580"
},
{
"name": "CVE-2015-0285",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0285"
},
{
"name": "CVE-2016-0799",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0799"
},
{
"name": "CVE-2015-1794",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1794"
},
{
"name": "CVE-2022-34821",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34821"
},
{
"name": "CVE-2016-6308",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6308"
},
{
"name": "CVE-2021-44694",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44694"
},
{
"name": "CVE-2016-6306",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6306"
},
{
"name": "CVE-2017-15906",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-15906"
},
{
"name": "CVE-2021-44695",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44695"
},
{
"name": "CVE-2022-3161",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3161"
},
{
"name": "CVE-2016-10010",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10010"
},
{
"name": "CVE-2022-45936",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45936"
},
{
"name": "CVE-2022-46265",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46265"
},
{
"name": "CVE-2016-0704",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0704"
},
{
"name": "CVE-2016-0702",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0702"
},
{
"name": "CVE-2017-3735",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3735"
},
{
"name": "CVE-2022-32205",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32205"
},
{
"name": "CVE-2014-8176",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8176"
},
{
"name": "CVE-2016-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2183"
},
{
"name": "CVE-2015-3193",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3193"
},
{
"name": "CVE-2022-43723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43723"
},
{
"name": "CVE-2018-15473",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15473"
},
{
"name": "CVE-2015-0293",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0293"
},
{
"name": "CVE-2022-45484",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45484"
},
{
"name": "CVE-2015-5352",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5352"
},
{
"name": "CVE-2015-0287",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0287"
},
{
"name": "CVE-2003-0190",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0190"
},
{
"name": "CVE-2018-20685",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20685"
},
{
"name": "CVE-2016-6305",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6305"
},
{
"name": "CVE-2015-1787",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1787"
},
{
"name": "CVE-2016-0798",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0798"
},
{
"name": "CVE-2022-46143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46143"
},
{
"name": "CVE-2022-41286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41286"
},
{
"name": "CVE-2016-10012",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10012"
},
{
"name": "CVE-2022-41278",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41278"
},
{
"name": "CVE-2022-32206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
},
{
"name": "CVE-2015-8325",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8325"
},
{
"name": "CVE-2022-41287",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41287"
},
{
"name": "CVE-2022-45937",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45937"
},
{
"name": "CVE-2022-46354",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46354"
},
{
"name": "CVE-2022-43724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43724"
},
{
"name": "CVE-2022-43722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43722"
},
{
"name": "CVE-2016-6210",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6210"
},
{
"name": "CVE-2015-3196",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3196"
},
{
"name": "CVE-2015-0209",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0209"
},
{
"name": "CVE-2022-41284",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41284"
},
{
"name": "CVE-2016-2842",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2842"
},
{
"name": "CVE-2015-0291",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0291"
},
{
"name": "CVE-2016-2180",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2180"
},
{
"name": "CVE-2021-44693",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44693"
},
{
"name": "CVE-2022-3602",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3602"
},
{
"name": "CVE-2016-2182",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2182"
},
{
"name": "CVE-2016-0797",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0797"
},
{
"name": "CVE-2015-6574",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6574"
},
{
"name": "CVE-2015-0289",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-0289"
},
{
"name": "CVE-2016-0705",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0705"
},
{
"name": "CVE-2019-13924",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13924"
},
{
"name": "CVE-2016-2109",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2109"
},
{
"name": "CVE-2016-2108",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2108"
},
{
"name": "CVE-2022-44575",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44575"
},
{
"name": "CVE-2022-41285",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41285"
},
{
"name": "CVE-2022-46664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46664"
},
{
"name": "CVE-2022-30065",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30065"
},
{
"name": "CVE-2022-3159",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3159"
},
{
"name": "CVE-2015-1790",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1790"
},
{
"name": "CVE-2016-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0778"
},
{
"name": "CVE-2018-4848",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4848"
}
],
"initial_release_date": "2022-12-13T00:00:00",
"last_revision_date": "2022-12-13T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-1094",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-12-13T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": "2022-12-13",
"title": "Bulletin de s\u00e9curit\u00e9 Siemens",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-180579.html"
}
]
}
CERTFR-2020-AVI-090
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Siemens . Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | SIMATIC IPC427D, IPC427E (incl. variante SIPLUS) | ||
| Siemens | N/A | SIMATIC Route Control V8.1 | ||
| Siemens | N/A | SCALANCE M-800 / S615 versions antérieures à V6.1.2 | ||
| Siemens | N/A | SIMATIC WinCC (TIA Portal) V16 | ||
| Siemens | N/A | SIMATIC S7-1200 CPU (incl. variante SIPLUS) | ||
| Siemens | N/A | SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. variante SIPLUS) | ||
| Siemens | N/A | OpenPCS 7 V9.0 | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller versions antérieures à 20.8 | ||
| Siemens | N/A | SIMATIC ET200MP IM155-5 PN ST (incl. variante SIPLUS) versions antérieures à V4.1.0 | ||
| Siemens | N/A | SIMATIC ET200SP IM155-6 PN ST (incl. variante SIPLUS) versions antérieures à V4.1.0 | ||
| Siemens | N/A | SIMATIC Field PG M4, Field PG M5, Field PG M6 | ||
| Siemens | N/A | SIMATIC S7-400 PN/DP CPU V7 (incl. variante SIPLUS) | ||
| Siemens | N/A | SIPROTEC 4 et SIPROTEC Compact relays equipped with EN100 Ethernet communication modules | ||
| Siemens | N/A | SIMATIC Route Control V8.2 | ||
| Siemens | N/A | SIPORT MP versions antérieures à V3.1.4 | ||
| Siemens | N/A | SCALANCE X-200IRT switch (incl. variante SIPLUS NET) versions antérieures à V5.4.2 | ||
| Siemens | N/A | OZW672 versions antérieures à V10.00 | ||
| Siemens | N/A | SIMATIC CP 1626 | ||
| Siemens | N/A | SCALANCE X-200 switch (incl. variante SIPLUS NET) versions antérieures à V5.2.4 | ||
| Siemens | N/A | SIMATIC CP 1543-1 (incl. variante SIPLUS NET) versions antérieures V2.2 | ||
| Siemens | N/A | SIMATIC NET PC Software | ||
| Siemens | N/A | RUGGEDCOM RM1224 versions antérieures à V6.1.2 | ||
| Siemens | N/A | SIMATIC WinCC V7.3 | ||
| Siemens | N/A | SIMATIC PCS 7 V8.1 | ||
| Siemens | N/A | SCALANCE X-300 switch (incl. X408 et variante SIPLUS NET) versions antérieures à V4.1.3 | ||
| Siemens | N/A | SIMATIC PCS 7 V9.0 | ||
| Siemens | N/A | SCALANCE S602, S612, S623, S627-2M, S627-2M | ||
| Siemens | N/A | Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P versions antérieures à V4.6 | ||
| Siemens | N/A | SIMATIC BATCH V8.1 | ||
| Siemens | N/A | SIMATIC BATCH V9.0 | ||
| Siemens | N/A | SIMATIC RF182C | ||
| Siemens | N/A | SCALANCE XR-500 switch versions antérieures à V6.2.3 | ||
| Siemens | N/A | SIMATIC WinCC (TIA Portal) V13 versions antérieures à V13 SP2 | ||
| Siemens | N/A | SCALANCE W700 IEEE 802.11n versions antérieures à V6.4 | ||
| Siemens | N/A | SIMOTION P320-4S | ||
| Siemens | N/A | SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (incl. variante SIPLUS NET) | ||
| Siemens | N/A | IE/PB LINK PN IO (incl. variante SIPLUS NET) | ||
| Siemens | N/A | Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 versions antérieures à V4.5 Patch 01 | ||
| Siemens | N/A | SIMATIC ET200SP IM155-6 PN HF (incl. variante SIPLUS) versions antérieures à V4.2.2 | ||
| Siemens | N/A | SIMATIC S7-300 PN/DP CPU (incl. les CPUS ET200 associées et variantes SIPLUS) | ||
| Siemens | N/A | SIMATIC RF180C | ||
| Siemens | N/A | SIMATIC CP 343-1 Advanced, CP 343-1, CP 343-1 LEAN, CP 443-1 Advanced, CP 443-1 (incl. variante SIPLUS NET) | ||
| Siemens | N/A | SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG versions antérieures à V4.1 | ||
| Siemens | N/A | SIMATIC PCS 7 V8.2 | ||
| Siemens | N/A | TIM 1531 IRC (incl. variante SIPLUS NET) versions antérieures à V2.0 | ||
| Siemens | N/A | SIMATIC CP 343-1 ERPC, CP 443-1 OPC UA | ||
| Siemens | N/A | SIMATIC MV400 | ||
| Siemens | N/A | OZW772 versions antérieures à V10.00 | ||
| Siemens | N/A | SIMATIC IPC Support, Package for VxWorks | ||
| Siemens | N/A | SIMATIC WinCC (TIA Portal) V15.1 | ||
| Siemens | N/A | SINAMICS DCP versions antérieures à V1.3 | ||
| Siemens | N/A | SIMATIC CP 1616 et CP 1604 versions antérieures à V2.8.1 | ||
| Siemens | N/A | SIMATIC ET200pro, IM 154-3 PN HF et ET200pro, IM 154-4 PN HF | ||
| Siemens | N/A | SIMATIC WinCC (TIA Portal) V14.0.1 | ||
| Siemens | N/A | SIMATIC IPC127E, IPC427C, IPC477C, IPC477D, IPC477E, IPC477E Pro, IPC527G, IPC547E, IPC547G, IPC627C, IPC627D, IPC627E, IPC647C, IPC647D, IPC647E, IPC677C, IPC677D, IPC677E, IPC827C, IPC827D, IPC827E, IPC847C, IPC847D, IPC847E | ||
| Siemens | N/A | SIMATIC RF600 versions antérieures à V3.2.1 | ||
| Siemens | N/A | SIMATIC ET200AL IM 157-1 PN, ET200ecoPN (excepté 6ES7148-6JD00-0AB0 et 6ES7146-6FF00-0AB0), ET200M IM153-4 PN IO HF (incl. variante SIPLUS), ET200M IM153-4 PN IO ST (incl. variante SIPLUS) | ||
| Siemens | N/A | SIMATIC ET200MP IM155-5 PN HF (incl. variante SIPLUS) versions antérieures à V4.2.0 | ||
| Siemens | N/A | SIMATIC S7-1500 CPU (incl. les CPUS ET200 associées et variantes SIPLUS) versions antérieures à 2.8 | ||
| Siemens | N/A | OpenPCS 7 V8.2 | ||
| Siemens | N/A | SIMATIC CP 1628 versions antérieures à V14.00.15.00_51.25.00.01 | ||
| Siemens | N/A | SIMATIC WinCC V7.5 versions antérieures à 7.5.1 Upd1 | ||
| Siemens | N/A | SIMATIC CP 1623 versions antérieures à V14.00.15.00_51.25.00.01 | ||
| Siemens | N/A | SIMATIC ITP1000 | ||
| Siemens | N/A | SIMATIC Route Control V9.0 | ||
| Siemens | N/A | SIMATIC ET200S, ET200SP IM155-6 PN Basic (incl. variante SIPLUS) | ||
| Siemens | N/A | Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | ||
| Siemens | N/A | OpenPCS 7 V8.1 | ||
| Siemens | N/A | SIMATIC S7-400 PN/DP CPU V6 et antérieures (incl. variante SIPLUS) | ||
| Siemens | N/A | SIMATIC WinCC V7.4 | ||
| Siemens | N/A | SCALANCE XM-400 switch versions antérieures à V6.2.3 | ||
| Siemens | N/A | PROFINET Driver for Controller versions antérieures à V2.1 Patch 03 | ||
| Siemens | N/A | SIMOTION P320-4E | ||
| Siemens | N/A | SIMATIC BATCH V8.2 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SIMATIC IPC427D, IPC427E (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Route Control V8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE M-800 / S615 versions ant\u00e9rieures \u00e0 V6.1.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC (TIA Portal) V16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1200 CPU (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OpenPCS 7 V9.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller versions ant\u00e9rieures \u00e0 20.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200MP IM155-5 PN ST (incl. variante SIPLUS) versions ant\u00e9rieures \u00e0 V4.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200SP IM155-6 PN ST (incl. variante SIPLUS) versions ant\u00e9rieures \u00e0 V4.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Field PG M4, Field PG M5, Field PG M6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN/DP CPU V7 (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIPROTEC 4 et SIPROTEC Compact relays equipped with EN100 Ethernet communication modules",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Route Control V8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIPORT MP versions ant\u00e9rieures \u00e0 V3.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200IRT switch (incl. variante SIPLUS NET) versions ant\u00e9rieures \u00e0 V5.4.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OZW672 versions ant\u00e9rieures \u00e0 V10.00",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 1626",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200 switch (incl. variante SIPLUS NET) versions ant\u00e9rieures \u00e0 V5.2.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 1543-1 (incl. variante SIPLUS NET) versions ant\u00e9rieures V2.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC NET PC Software",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RUGGEDCOM RM1224 versions ant\u00e9rieures \u00e0 V6.1.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-300 switch (incl. X408 et variante SIPLUS NET) versions ant\u00e9rieures \u00e0 V4.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V9.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE S602, S612, S623, S627-2M, S627-2M",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P versions ant\u00e9rieures \u00e0 V4.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC BATCH V8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC BATCH V9.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF182C",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XR-500 switch versions ant\u00e9rieures \u00e0 V6.2.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC (TIA Portal) V13 versions ant\u00e9rieures \u00e0 V13 SP2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE W700 IEEE 802.11n versions ant\u00e9rieures \u00e0 V6.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOTION P320-4S",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (incl. variante SIPLUS NET)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "IE/PB LINK PN IO (incl. variante SIPLUS NET)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 versions ant\u00e9rieures \u00e0 V4.5 Patch 01",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200SP IM155-6 PN HF (incl. variante SIPLUS) versions ant\u00e9rieures \u00e0 V4.2.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-300 PN/DP CPU (incl. les CPUS ET200 associ\u00e9es et variantes SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF180C",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 343-1 Advanced, CP 343-1, CP 343-1 LEAN, CP 443-1 Advanced, CP 443-1 (incl. variante SIPLUS NET)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG versions ant\u00e9rieures \u00e0 V4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC PCS 7 V8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIM 1531 IRC (incl. variante SIPLUS NET) versions ant\u00e9rieures \u00e0 V2.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 343-1 ERPC, CP 443-1 OPC UA",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC MV400",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OZW772 versions ant\u00e9rieures \u00e0 V10.00",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC IPC Support, Package for VxWorks",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC (TIA Portal) V15.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SINAMICS DCP versions ant\u00e9rieures \u00e0 V1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 1616 et CP 1604 versions ant\u00e9rieures \u00e0 V2.8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200pro, IM 154-3 PN HF et ET200pro, IM 154-4 PN HF",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC (TIA Portal) V14.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC IPC127E, IPC427C, IPC477C, IPC477D, IPC477E, IPC477E Pro, IPC527G, IPC547E, IPC547G, IPC627C, IPC627D, IPC627E, IPC647C, IPC647D, IPC647E, IPC677C, IPC677D, IPC677E, IPC827C, IPC827D, IPC827E, IPC847C, IPC847D, IPC847E",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF600 versions ant\u00e9rieures \u00e0 V3.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200AL IM 157-1 PN, ET200ecoPN (except\u00e9 6ES7148-6JD00-0AB0 et 6ES7146-6FF00-0AB0), ET200M IM153-4 PN IO HF (incl. variante SIPLUS), ET200M IM153-4 PN IO ST (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200MP IM155-5 PN HF (incl. variante SIPLUS) versions ant\u00e9rieures \u00e0 V4.2.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 CPU (incl. les CPUS ET200 associ\u00e9es et variantes SIPLUS) versions ant\u00e9rieures \u00e0 2.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OpenPCS 7 V8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 1628 versions ant\u00e9rieures \u00e0 V14.00.15.00_51.25.00.01",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.5 versions ant\u00e9rieures \u00e0 7.5.1 Upd1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 1623 versions ant\u00e9rieures \u00e0 V14.00.15.00_51.25.00.01",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITP1000",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC Route Control V9.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET200S, ET200SP IM155-6 PN Basic (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OpenPCS 7 V8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN/DP CPU V6 et ant\u00e9rieures (incl. variante SIPLUS)",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC WinCC V7.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XM-400 switch versions ant\u00e9rieures \u00e0 V6.2.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "PROFINET Driver for Controller versions ant\u00e9rieures \u00e0 V2.1 Patch 03",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMOTION P320-4E",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC BATCH V8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-19282",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19282"
},
{
"name": "CVE-2019-19277",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19277"
},
{
"name": "CVE-2019-13926",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13926"
},
{
"name": "CVE-2019-0152",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0152"
},
{
"name": "CVE-2019-0169",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0169"
},
{
"name": "CVE-2019-19281",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19281"
},
{
"name": "CVE-2019-13941",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13941"
},
{
"name": "CVE-2015-5621",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5621"
},
{
"name": "CVE-2019-18217",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-18217"
},
{
"name": "CVE-2019-12815",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12815"
},
{
"name": "CVE-2019-13940",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13940"
},
{
"name": "CVE-2019-19279",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19279"
},
{
"name": "CVE-2019-13925",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13925"
},
{
"name": "CVE-2019-0151",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0151"
},
{
"name": "CVE-2019-13946",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13946"
},
{
"name": "CVE-2019-6585",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6585"
},
{
"name": "CVE-2020-19282",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19282"
},
{
"name": "CVE-2019-13924",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13924"
},
{
"name": "CVE-2018-18065",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18065"
}
],
"initial_release_date": "2020-02-13T00:00:00",
"last_revision_date": "2020-02-13T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-090",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-02-13T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens . Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-398519 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-398519.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-940889 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-974843 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-974843.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-270778 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-270778.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-780073 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-780073.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-986695 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-986695.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-750824 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-750824.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-951513 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-431678 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-431678.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-591405 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-591405.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-978558 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-978558.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-978220 du 11 f\u00e9vrier 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-978220.pdf"
}
]
}
var-202002-0450
Vulnerability from variot
A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface. plural SCALANCE The product contains a vulnerability regarding improper restrictions on rendered user interface layers or frames.Information may be obtained and tampered with. Siemens Scalance X-200, etc. are all industrial-grade Ethernet switches from the German company Siemens.
Input validation error vulnerabilities exist in many Siemens products, and attackers can use this vulnerability to hijack the click operations of other users
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202002-0450",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "scalance x-200irt",
"scope": null,
"trust": 1.4,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xp-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "5.2.4"
},
{
"model": "scalance x-200irt",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "scalance xb-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "5.2.4"
},
{
"model": "scalance x-300",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1.3"
},
{
"model": "scalance xf-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "5.2.4"
},
{
"model": "scalance xr-300wg",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1.3"
},
{
"model": "scalance xr-300",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1.3"
},
{
"model": "scalance xc-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "5.2.4"
},
{
"model": "scalance x-300",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xb-200",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xc-200",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xf-200",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xp-200",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xr-300",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xr-300wg",
"scope": null,
"trust": 0.8,
"vendor": "siemens",
"version": null
},
{
"model": "scalance",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "x-200\u003c5.2.4"
},
{
"model": "scalance",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "x-300\u003c4.1.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:siemens:scalance_x-200irt_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:siemens:scalance_x-300_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:siemens:scalance_xb-200_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:siemens:scalance_xc-200_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:siemens:scalance_xf-200_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:siemens:scalance_xp-200_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:siemens:scalance_xr-300_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:siemens:scalance_xr-300wg_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens reported this vulnerability to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
}
],
"trust": 0.6
},
"cve": "CVE-2019-13924",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2019-13924",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2019-014544",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2020-23037",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2019-13924",
"impactScore": 2.5,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.4,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2019-014544",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-13924",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2019-014544",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2020-23037",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202002-448",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2019-13924",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
},
{
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability has been identified in SCALANCE S602 (All versions \u003c V4.1), SCALANCE S612 (All versions \u003c V4.1), SCALANCE S623 (All versions \u003c V4.1), SCALANCE S627-2M (All versions \u003c V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions \u003c 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions \u003c V5.5.0), SCALANCE X-200RNA switch family (All versions \u003c V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions \u003c 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface. plural SCALANCE The product contains a vulnerability regarding improper restrictions on rendered user interface layers or frames.Information may be obtained and tampered with. Siemens Scalance X-200, etc. are all industrial-grade Ethernet switches from the German company Siemens. \n\r\n\r\nInput validation error vulnerabilities exist in many Siemens products, and attackers can use this vulnerability to hijack the click operations of other users",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-13924"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "VULMON",
"id": "CVE-2019-13924"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "ICS CERT",
"id": "ICSA-20-042-07",
"trust": 3.1
},
{
"db": "NVD",
"id": "CVE-2019-13924",
"trust": 3.1
},
{
"db": "SIEMENS",
"id": "SSA-951513",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-23037",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-06",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-08",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-10",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-02",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-01",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-05",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-03",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-09",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-042-04",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0486.3",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0486.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0486",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202002-448",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-13924",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
},
{
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"id": "VAR-202002-0450",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
}
],
"trust": 1.197337685
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
}
]
},
"last_update_date": "2024-11-23T20:59:59.922000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SSA-951513",
"trust": 0.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"title": "Patch for Multiple Siemens product input verification error vulnerabilities (CNVD-2020-23037)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/214035"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=5642b576f8acf92e9e203f2ccf52e87d"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-1021",
"trust": 1.8
},
{
"problemtype": "CWE-693",
"trust": 1.0
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.7,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-07"
},
{
"trust": 1.7,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13924"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13924"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-10"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-09"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-08"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-06"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-05"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-04"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-03"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-02"
},
{
"trust": 0.6,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-042-01"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0486/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0486.2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0486.3/"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-042-07"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/693.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-042-07"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
},
{
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
},
{
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"date": "2020-02-11T00:00:00",
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"date": "2020-02-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"date": "2020-02-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202002-448"
},
{
"date": "2020-02-11T16:15:14.430000",
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-23037"
},
{
"date": "2022-12-13T00:00:00",
"db": "VULMON",
"id": "CVE-2019-13924"
},
{
"date": "2020-03-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014544"
},
{
"date": "2022-12-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202002-448"
},
{
"date": "2024-11-21T04:25:42.543000",
"db": "NVD",
"id": "CVE-2019-13924"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural SCALANCE Vulnerability in improper restrictions on rendered user interface layers or frames in the product",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014544"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202002-448"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…