var-202102-0161
Vulnerability from variot

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Comfort Panel. Authentication is not required to exploit this vulnerability.The specific flaw exists within the telnet service, which listens on TCP port 22 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Siemens Simatic Hmi is a device of Germany's Siemens (Siemens) that provides human-computer interaction functions for industrial automation equipment

Show details on source website


{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "simatic hmi ktp mobile panels",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "16.0"
      },
      {
        "_id": null,
        "model": "sinamics gl150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "simatic hmi comfort panels",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "16.0"
      },
      {
        "_id": null,
        "model": "simatic hmi ktp mobile panels",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "16.0"
      },
      {
        "_id": null,
        "model": "sinamics sl150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "sinamics sm150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "sinamics sh150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "sinamics sm150i",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "sinamics sm120",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "sinamics gh150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "sinamics gm150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "simatic hmi comfort panels",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "16.0"
      },
      {
        "_id": null,
        "model": "simatic hmi comfort panels",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
        "version": null
      },
      {
        "_id": null,
        "model": "simatic hmi ktp mobile panels",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
        "version": "v16 update 3a  earlier versions"
      },
      {
        "_id": null,
        "model": "comfort panel",
        "scope": null,
        "trust": 0.7,
        "vendor": "siemens",
        "version": null
      },
      {
        "_id": null,
        "model": "simatic hmi",
        "scope": null,
        "trust": 0.6,
        "vendor": "siemens",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-15798"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Ta-Lun Yen of TXOne IoT/ICS Security Research Labs (Trend Micro)",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-15798",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2020-15798",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.1,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2021-07537",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-15798",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "IPA",
            "availabilityImpact": "High",
            "baseScore": 8.1,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-001015",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-15798",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-15798",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "IPA",
            "id": "JVNDB-2021-001015",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2020-15798",
            "trust": 0.7,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-07537",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202101-2499",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-15798",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-15798"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions \u003c V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions \u003c V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Comfort Panel. Authentication is not required to exploit this vulnerability.The specific flaw exists within the telnet service, which listens on TCP port 22 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Siemens Simatic Hmi is a device of Germany\u0027s Siemens (Siemens) that provides human-computer interaction functions for industrial automation equipment",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-15798"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798"
      }
    ],
    "trust": 2.88
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-15798",
        "trust": 3.8
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-21-033-02",
        "trust": 2.5
      },
      {
        "db": "SIEMENS",
        "id": "SSA-520004",
        "trust": 1.7
      },
      {
        "db": "SIEMENS",
        "id": "SSA-752103",
        "trust": 1.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-21-129",
        "trust": 0.8
      },
      {
        "db": "JVN",
        "id": "JVNVU92618342",
        "trust": 0.8
      },
      {
        "db": "JVN",
        "id": "JVNVU91051134",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-12046",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537",
        "trust": 0.6
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-21-131-13",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.0384",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-15798"
      }
    ]
  },
  "id": "VAR-202102-0161",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      }
    ],
    "trust": 1.17291723125
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      }
    ]
  },
  "last_update_date": "2024-11-23T19:29:19.148000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "SSA-520004",
        "trust": 0.8,
        "url": "https://support.industry.siemens.com/cs/document/109746530/image-downloads-for-hmi-operator-panels?dti=0\u0026lc=en-WW"
      },
      {
        "title": "Siemens has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02"
      },
      {
        "title": "Patch for Siemens Simatic Hmi authorization issue vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/246031"
      },
      {
        "title": "Siemens Simatic Hmi Remediation measures for authorization problem vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140096"
      },
      {
        "title": "Siemens Security Advisories: Siemens Security Advisory",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=727a7bb82c467c1176e726c944e1c560"
      },
      {
        "title": "Siemens Security Advisories: Siemens Security Advisory",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=a4e80f78fa87968e8881f762b328bbfa"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/Live-Hack-CVE/CVE-2020-15798 "
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-306",
        "trust": 1.0
      },
      {
        "problemtype": "Lack of authentication for important features (CWE-306) [IPA Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-15798"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 3.8,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02"
      },
      {
        "trust": 1.7,
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-520004.pdf"
      },
      {
        "trust": 1.7,
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-752103.pdf"
      },
      {
        "trust": 1.2,
        "url": "https://vigilance.fr/vulnerability/simatic-hmi-code-execution-via-unauthenticated-telnet-34430"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu92618342"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu91051134/index.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.0384/"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-131-13"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/306.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2020-15798"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-21-129/"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-15798"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-21-129",
        "ident": null
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-07537",
        "ident": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-15798",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2020-15798",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2021-02-04T00:00:00",
        "db": "ZDI",
        "id": "ZDI-21-129",
        "ident": null
      },
      {
        "date": "2021-01-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-07537",
        "ident": null
      },
      {
        "date": "2021-02-09T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-15798",
        "ident": null
      },
      {
        "date": "2021-02-01T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-001015",
        "ident": null
      },
      {
        "date": "2021-01-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202101-2499",
        "ident": null
      },
      {
        "date": "2021-02-09T17:15:13.437000",
        "db": "NVD",
        "id": "CVE-2020-15798",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2021-02-04T00:00:00",
        "db": "ZDI",
        "id": "ZDI-21-129",
        "ident": null
      },
      {
        "date": "2021-02-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-07537",
        "ident": null
      },
      {
        "date": "2022-10-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-15798",
        "ident": null
      },
      {
        "date": "2021-05-19T07:05:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-001015",
        "ident": null
      },
      {
        "date": "2021-08-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202101-2499",
        "ident": null
      },
      {
        "date": "2024-11-21T05:06:12.120000",
        "db": "NVD",
        "id": "CVE-2020-15798",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "Siemens\u00a0 Made \u00a0HMI\u00a0 Lack of authentication vulnerability for product critical features",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-001015"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "access control error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202101-2499"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.