CCI ICS Vulnerability Thermometer 2021-9
Table of contents
Introduction (p. 5)
What's new in 2021 (p. 5)
Manufacturers and ICS weaknesses (p. 6)
New manufacturers (p. 6)
New weaknesses (p. 7)
New alerts (p. 8)
Risk map (p. 13)
Changes in manufacturer risk (p. 14)
ANNEX I: Risk map calculation (p. 15)
ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer (p. 16)
Industrial cybersecurity professional for more than ten years at companies such as Schneider Electric, S21sec, EY, SecurityMatters, Forescout and Telefónica, currently at TITANIUM Industrial Security. Active member of the Centro de Ciberseguridad Industrial (CCI) ecosystem since 2013, Black Level professional, and author and reviewer of several studies and documents produced by the CCI.
Introduction
Since the publication of the notebook "Una década de vulnerabilidades ICS" (A decade of ICS vulnerabilities) on 4 May 2020, new vulnerabilities affecting ICS systems have continued to be published, changing the risk exposure of the manufacturers covered in that notebook. At the CCI we want to keep this information up to date and provide a view of how these vulnerabilities evolve, so that the ecosystem can use it as it sees fit, in a publication we will call the CCI ICS Vulnerability Thermometer. In each update we will publish:
• The evolution of the number of control-system manufacturers included in the thermometer for the current period
• The evolution of the vulnerabilities and alerts of the control-system manufacturers included in the thermometer
• The manufacturers' risk-exposure heat map, updated as of the publication date
• Comments on the evolution of the risk map
What's new in 2021
To adapt to the growing number of public vulnerabilities that affect several manufacturers, a new criterion is applied in 2021: each manufacturer affected by a single vulnerability (CVE) is listed separately. To be consistent with this new approach, in 2021 we speak of "ICS Weaknesses" in order to accommodate these multi-manufacturer vulnerabilities.
Manufacturers and ICS weaknesses
New manufacturers
This edition of the CCI thermometer includes 3 new manufacturers, bringing the total to 49 in 2021.
Low risk: National Instruments, Philips
Medium risk: B. Braun Medical
High risk: N/A
Very high risk: N/A
Two of these manufacturers belong to the original set covered by ICS-CERT in its medical-device category, whose advisories are published with the "ICSMA" prefix (as opposed to the "ICSA" prefix, reserved for pure industrial control devices). In the case of Philips, the weaknesses are associated with its Philips Healthcare Tasy medical-records management product; in the case of B. Braun Medical, with its SpaceCom2 product. In the latter case, one of the published weaknesses is considered an Alert in the thermometer and is covered in a later section. National Instruments enters the risk map with the publication of a weakness related to defective validation of input parameters in its NI-PAL driver product.
New weaknesses
The number of ICS vulnerabilities published and fully characterised by NIST since the last update is 70. Once again a single manufacturer, Siemens, accounts for almost 43% of that number with 30 CVEs published in September, 1 of which is considered an Alert by the CCI thermometer. In 2021 it has already accumulated 199 CVEs, more than double its 2020 figure (95). Among these 30 weaknesses, 3 published on 14/09/2021 are also associated with RuggedCom: although RuggedCom was acquired by Siemens in 2012, these weaknesses affect all versions of its ROX products and require an update to version 2.14.1, as Siemens reports on its website. Delta Electronics accounts for 14% of the total with 10 CVEs published in September, 5 of which are considered Alerts by the CCI thermometer. It is followed by Schneider Electric with another 7 weaknesses, many of them related to its MODICON PLCs; none of them has been considered an alert. B. Braun Medical accumulates 5 weaknesses (1 of them considered an alert) in one of its medical products. Another Philips medical product (Healthcare Tasy Electronic Medical Record) has also had 2 further weaknesses published, so this type of medical device continues to be a research target for cybersecurity companies and independent researchers. ABB, Moxa and Wago add another 2 weaknesses each, published in September (in the case of Moxa and Wago, 1 of them has been considered an alert), and change their position on the risk-exposure map. The remaining weaknesses can be found in ANNEX II. Approaching the end of 2021, we can see that the trend in weakness research on control systems used across multiple sectors keeps growing steadily.
New alerts
This month NIST has published (fully characterised) 12 new manufacturer alerts. Remember that they are classified as alerts because exploitation of the vulnerability has low complexity, uses the network as its access vector and can cause a complete loss of service (according to the CVSS V2 classification, which allows historical classification of weaknesses in older products).
Delta Electronics has had 5 alerts published on its DIAEnergie product:
Delta Electronics DIAEnergie
Four of these weaknesses are related to the possibility of remote code execution through Blind SQL injection, while the fifth allows administrative users to be created without prior authentication or authorisation.
CVE | Date published | CVSS | Description
CVE-2021-32967 | 2021-08-30 | 10.0 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.
CVE-2021-32983 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38390 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38393 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38391 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
In the case of Moxa, NIST has published 1 new alert this month covering a wide range of its products:
CVE | Date published | CVSS | Description
CVE-2021-39279 | 2021-09-07 | 9.0 | Certain MOXA devices allow Authenticated Command Injection via /forms/web_importTFTP. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3.
The issue relates to unauthenticated command injection through its web interface. The recommendations on security assessments of products in the design, procurement and acceptance-testing phases do not seem to be gaining much traction.
Siemens also has another weakness published on a wide range of industrial layer-3 routers and switches in its RuggedCom ROX family. In addition, another vulnerability on its SIMATIC CP 343-1 PLCs is classified as an alert, since the devices can be taken out of service by sending malicious packets to TCP port 102, which makes them unavailable and forces a manual restart.
CVE | Date published | CVSS | Description
CVE-2021-37174 | 2021-09-14 | 9.0 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The affected devices have a privilege escalation vulnerability, if exploited, an attacker could gain root user access.
CVE-2021-33737 | 2021-09-14 | 7.8 | A vulnerability has been identified in SIMATIC CP 343-1 (incl. SIPLUS variants) (All versions), SIMATIC CP 343-1 Advanced (incl. SIPLUS variants) (All versions), SIMATIC CP 343-1 ERPC (All versions), SIMATIC CP 343-1 Lean (incl. SIPLUS variants) (All versions), SIMATIC CP 443-1 (incl. SIPLUS variants) (All versions), SIMATIC CP 443-1 Advanced (incl. SIPLUS variants) (All versions). Sending a specially crafted packet to port 102/tcp of an affected device could cause a Denial-of-Service condition. A restart is needed to restore normal operations.
Alerts have also been published on several Siemens products used in building automation, specifically its APOGEE family and its Desigo CC and Siveillance Control families. In both cases the HTTP servers embedded in these solutions allow an unauthenticated user to execute commands on the system with the highest privileges.
CVE | Date published | CVSS | Description
CVE-2021-27391 | 2021-09-14 | 10.0 | A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the device with root privileges.
CVE-2021-31891 | 2021-09-14 | 10.0 | A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
Wago has had another vulnerability published on its 750-series PLCs:
CVE | Date published | CVSS | Description
CVE-2021-34581 | 2021-08-31 | 7.8 | Missing Release of Resource after Effective Lifetime vulnerability in OpenSSL implementation of WAGO 750-831/xxx-xxx, 750-880/xxx-xxx, 750-881, 750-889 in versions FW4 up to FW15 allows an unauthenticated attacker to cause DoS on the device.
This weakness would allow the device to be stopped remotely.
The last alert affects the manufacturer B. Braun Medical and its SpaceCom2 product:
CVE | Date published | CVSS | Description
CVE-2021-33885 | 2021-08-25 | 10.0 | An Insufficient Verification of Data Authenticity vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send the device malicious data that will be used in place of the correct data. This results in full system command access and execution because of the lack of cryptographic signatures on critical data sets.
Since this product is deployed in healthcare environments, this weakness poses a significant risk to its users.
Risk map, 30 September 2021
[Heat-map figure not reproduced in this transcription. Manufacturers plotted: Circutor, Delta Electronics, Advantech, B. Braun Medical, Digitek, Bosch, Johnson Controls, Hilscher, Siemens, Motorola Solutions, Mitsubishi Electric, Pro-face, Morpho, Zebra Industrial, Moxa, Panasonic, Phoenix Contact, Schneider Electric, Wago, ABB, Beckhoff, Belden, CODESYS, Digi, Eaton, eWON, Fatek, Emerson, Fuji Electric, Hirschmann, GE, Honeywell, Mikrotik, Kepware, Omron, PTC (ThingWorx), QNX, Rockwell, Software Toolbox, Wibu Systems, Wind River, National Instruments, Philips, ProSoft, RuggedCom, SafeNet, SearchBlox, Tesla, Aveva.]
Changes in manufacturer risk
Delta Electronics increases its exposure on the Risk Map to a High value, owing to the publication of 10 weaknesses, 5 of which are alerts with a CVSS version 2 score of "10.0". This manufacturer has had 20 CVEs published in 2021 and its mean CVSS V2 over the last 10 years is 6.4. B. Braun Medical enters the risk map with a Medium value, since 5 CVEs were published in September and one of them is an alert affecting its SpaceCom2 product. Its mean CVSS over the last 10 years is 6.0. Johnson Controls also raises its risk from Low+ to Medium with the publication of a CVE on its CEM Systems AC2000 physical-security products with a CVSS V2 of 9.3. It accumulates a mean CVSS of 7.0 over the last 10 years. Wago also raises its risk from Low to Medium with the publication of 2 CVEs (1 of them an alert) on its PLCs. Its mean CVSS over the last 10 years is 6.1. ABB also raises its risk from Low to Low+ with the publication of a CVE on its Hitachi ABB Power Grids System Data Manager products, which allows access to sensitive information in backup files. Its mean CVSS over the last 10 years is 5.2. The remaining manufacturers keep their level on the qualitative risk-exposure heat map.
ANNEX I: Risk map calculation
To show each manufacturer's posture regarding the risk associated with its published vulnerabilities quickly and graphically, I have chosen a graphical format that is very common in risk management: the heat map. This diagram uses different colours to represent the associated risk qualitatively, in four ranges: Low, Medium, High and Very High.
Legend: VERY HIGH / HIGH / MEDIUM / LOW
The position of each manufacturer on the map depends on the values obtained for two parameters, one associated with probability (number of CVEs published) and one with the impact of those CVEs (mean CVSS value). For each year, each of these values is calculated on a scale from 1 to 5.
• On the horizontal axis, the value is proportional to the number of CVEs published for that manufacturer in a given year compared with the manufacturer with the highest number of CVEs.
• On the vertical axis, the mean CVSS value of the CVEs published that year is calculated and divided by 2.
To give a more qualitative picture of each manufacturer's posture, two corrections have been introduced into the calculation:
• If the manufacturer has any CVE that year considered an Alert (network access, low complexity and complete impact on availability), the impact (vertical axis) is increased by one unit and the probability (horizontal axis) is increased by one unit. This is done to distinguish this manufacturer from others without this kind of CVE and to place it in a higher-risk zone.
• Likewise, if a manufacturer has any CVE that year with a CVSS value of 10.0, the probability (horizontal axis) is increased by one unit. This is done for the same reason: to distinguish this manufacturer from others without this kind of CVE and to place it in a higher-risk zone.
Various simulations have shown that these corrections do not substantially alter a manufacturer's overall risk posture while yielding a more accurate qualitative diagnosis.
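The two axes and the two corrections described above, as an added example that is not the CCI's own tooling: it applies the alert rule to a CVSS v2 base vector (AV:N, AC:L, A:C) and places each manufacturer on the 1-to-5 axes for one year. The linear scaling of the CVE count (0 CVEs -> 1, the busiest manufacturer -> 5), the clamping to 5 after the corrections, the vector strings and the Philips entries are assumptions or constructed sample data, not taken from the report or from NVD.

```python
"""Added example: the CCI thermometer's two axes plus its two corrections."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Cve:
    cve_id: str
    vendor: str
    cvss_v2: float
    vector_v2: str  # CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:C/I:C/A:C"


def parse_vector(vector: str) -> dict:
    """Split a CVSS v2 base vector into {metric: value}; reject malformed input."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed CVSS v2 vector: {vector!r}")
        metrics[key] = value
    return metrics


def is_alert(cve: Cve) -> bool:
    """Thermometer alert rule: network access vector, low access complexity and
    complete availability impact (CVSS v2 AV:N / AC:L / A:C)."""
    m = parse_vector(cve.vector_v2)
    return m.get("AV") == "N" and m.get("AC") == "L" and m.get("A") == "C"


def clamp(value: float, lo: float = 1.0, hi: float = 5.0) -> float:
    # Assumption: the map's axes stop at 5, so a correction cannot push a vendor off the chart.
    return max(lo, min(hi, value))


def vendor_position(cves: list, n_max: int) -> tuple:
    """Return (probability, impact) on the 1..5 axes for one vendor in one year.

    cves  - the CVEs published for this vendor that year (must be non-empty)
    n_max - CVE count of the vendor with the most CVEs that year
    """
    if not cves or n_max <= 0:
        raise ValueError("need at least one CVE and a positive n_max")
    # Horizontal axis: proportional to the CVE count relative to the busiest vendor.
    # Assumption: linear mapping so that 0 CVEs -> 1 and n_max CVEs -> 5.
    probability = 1.0 + 4.0 * len(cves) / n_max
    # Vertical axis: mean CVSS v2 divided by 2, as the annex states.
    impact = mean(c.cvss_v2 for c in cves) / 2.0
    # Correction 1: any alert -> +1 impact and +1 probability.
    if any(is_alert(c) for c in cves):
        probability += 1.0
        impact += 1.0
    # Correction 2: any CVSS 10.0 -> +1 probability.
    if any(c.cvss_v2 >= 10.0 for c in cves):
        probability += 1.0
    return round(clamp(probability), 2), round(clamp(impact), 2)


def risk_map(cves: list) -> dict:
    """Group CVEs by vendor and place every vendor on the map for the same year."""
    by_vendor = defaultdict(list)
    for c in cves:
        by_vendor[c.vendor].append(c)
    n_max = max(len(v) for v in by_vendor.values())
    return {vendor: vendor_position(v, n_max) for vendor, v in by_vendor.items()}


# Constructed sample data. The Delta Electronics and WAGO ids and scores are the ones
# listed in the report; the vector strings are reconstructed to match those scores and
# are NOT copied from NVD. The Philips entries are placeholders invented for the example.
RCE_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"  # scores 10.0 under CVSS v2
DOS_VECTOR = "AV:N/AC:L/Au:N/C:N/I:N/A:C"  # scores 7.8 under CVSS v2
SAMPLE_CVES = [
    Cve("CVE-2021-32967", "Delta Electronics", 10.0, RCE_VECTOR),
    Cve("CVE-2021-32983", "Delta Electronics", 10.0, RCE_VECTOR),
    Cve("CVE-2021-38390", "Delta Electronics", 10.0, RCE_VECTOR),
    Cve("CVE-2021-38393", "Delta Electronics", 10.0, RCE_VECTOR),
    Cve("CVE-2021-38391", "Delta Electronics", 10.0, RCE_VECTOR),
    Cve("CVE-2021-34581", "Wago", 7.8, DOS_VECTOR),
    Cve("EXAMPLE-PHILIPS-1", "Philips", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    Cve("EXAMPLE-PHILIPS-2", "Philips", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
]

if __name__ == "__main__":
    for vendor, (p, i) in sorted(risk_map(SAMPLE_CVES).items()):
        print(f"{vendor:18s} probability={p:.2f} impact={i:.2f}")
```

With this sample, Delta Electronics is pinned to the top-right corner by both corrections, while Wago's single 7.8 alert still moves it a full unit on each axis.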
ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer
CVE | Date published | CVSS V2 | Description
CVE-2021-37174 | 2021-09-14 | 9.0 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The affected devices have a privilege escalation vulnerability, if exploited, an attacker could gain root user access.
CVE-2021-33737 | 2021-09-14 | 7.8 | A vulnerability has been identified in SIMATIC CP 343-1 (incl. SIPLUS variants) (All versions), SIMATIC CP 343-1 Advanced (incl. SIPLUS variants) (All versions), SIMATIC CP 343-1 ERPC (All versions), SIMATIC CP 343-1 Lean (incl. SIPLUS variants) (All versions), SIMATIC CP 443-1 (incl. SIPLUS variants) (All versions), SIMATIC CP 443-1 Advanced (incl. SIPLUS variants) (All versions). Sending a specially crafted packet to port 102/tcp of an affected device could cause a Denial-of-Service condition. A restart is needed to restore normal operations.
CVE-2021-27391 | 2021-09-14 | 10.0 | A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the device with root privileges.
CVE-2021-31891 | 2021-09-14 | 10.0 | A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
CVE-2021-37181 | 2021-09-14 | 7.5 | A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability.
CVE-2021-37201 | 2021-09-14 | 6.8 | A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate the SINEC NMS configuration by tricking an unsuspecting user with administrative privileges to click on a malicious link.
CVE-2021-25665 | 2021-09-14 | 6.8 | A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < V2021.2.1). The starview+.exe application lacks proper validation of user-supplied data when parsing scene files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13700)
CVE-2021-37202 | 2021-09-14 | 6.8 | A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8). The IFC adapter in affected application contains a use-after-free vulnerability that could be triggered while parsing user-supplied IFC files. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2021-38304 | 2021-09-17 | 4.6 | Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2021-27662 | 2021-09-15 | 6.8 | The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. This issue affects Johnson Controls KT-1 all versions up to and including 3.01
CVE-2021-33719 | 2021-09-14 | 7.5 | A vulnerability has been identified in SIPROTEC 5 relays with CPU variants CP050 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP100 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP200 (All versions), SIPROTEC 5 relays with CPU variants CP300 (All versions < V8.80). Specially crafted packets sent to port 4443/tcp could cause a Denial-of-Service condition or potential remote code execution.
CVE-2021-37184 | 2021-09-14 | 6.8 | A vulnerability has been identified in Industrial Edge Management (All versions < V1.3). An unauthenticated attacker could change the the password of any user in the system under certain circumstances. With this an attacker could impersonate any valid user on an affected system.
CVE-2021-40355 | 2021-09-14 | 6.5 | A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The affected application contains Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to use user-supplied input to access objects directly.
CVE-2021-37203 | 2021-09-14 | 5.8 | A vulnerability has been identified in NX 1980 Series (All versions < V1984). The plmxmlAdapterIFC.dll contains an out-of-bounds read while parsing user supplied IFC files which could result in a read past the end of an allocated buffer. This could allow an attacker to cause a denial-of-service condition or read sensitive information from memory locations.
CVE-2021-37175 | 2021-09-14 | 5.0 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The affected devices do not properly handle permissions to traverse the file system. If exploited, an attacker could gain access to an overview of the complete file system on the affected devices.
CVE-2019-10941 | 2021-09-14 | 5.0 | A vulnerability has been identified in SINEMA Server (All versions < V14 SP3). Missing authentication for functionality that requires administrative user identity could allow an attacker to obtain encoded system configuration backup files. This is only possible through network access to the affected system, and successful exploitation requires no system privileges.
CVE-2021-37186 | 2021-09-14 | 4.8 | A vulnerability has been identified in LOGO! CMR2020 (All versions < V2.2), LOGO! CMR2040 (All versions < V2.2), SIMATIC RTU 3000 family (All versions). The underlying TCP/IP stack does not properly calculate the random numbers used as ISN (Initial Sequence Numbers). An adjacent attacker with network access to the LAN interface could interfere with traffic, spoof the connection and gain access to sensitive information.
CVE-2021-37176 | 2021-09-14 | 4.3 | A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). The femap.exe application lacks proper validation of user-supplied data when parsing modfem files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-14260)
CVE-2021-37173 | 2021-09-14 | 4.0 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The affected devices have an exposure of sensitive information vulnerability, if exploited, it could allow an authenticated attacker to extract data via Secure Shell (SSH).
CVE-2021-37200 | 2021-09-14 | 4.0 | A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). An attacker with access to the webserver of an affected system could download arbitrary files from the underlying filesystem by sending a specially crafted HTTP request.
CVE-2021-33716 | 2021-09-14 | 3.3 | A vulnerability has been identified in SIMATIC CP 1543-1 (incl. SIPLUS variants) (All versions < V3.0), SIMATIC CP 1545-1 (All versions). An attacker with access to the subnet of the affected device could retrieve sensitive information stored in cleartext.
CVE-2021-37177 | 2021-09-14 | 3.3 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The status provided by the syslog clients managed by the affected software can be manipulated by an unauthenticated attacker in the same network of the affected system.
CVE-2021-37192 | 2021-09-14 | 3.3 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve a list of network devices a known user can manage.
CVE-2021-37190 | 2021-09-14 | 3.3 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve VPN connection for a known user.
CVE-2021-37183 | 2021-09-14 | 3.3 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices.
CVE-2021-37193 | 2021-09-14 | 3.3 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could manipulate certain parameters and set a valid user of the affected software as invalid (or vice-versa).
CVE-2021-37191 | 2021-09-14 | 3.3 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.
CVE-2021-39279 | 2021-09-07 | 9.0 | Certain MOXA devices allow Authenticated Command Injection via /forms/web_importTFTP. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3.
CVE-2021-34581 | 2021-08-31 | 7.8 | Missing Release of Resource after Effective Lifetime vulnerability in OpenSSL implementation of WAGO 750-831/xxx-xxx, 750-880/xxx-xxx, 750-881, 750-889 in versions FW4 up to FW15 allows an unauthenticated attacker to cause DoS on the device.
CVE-2021-32967 | 2021-08-30 | 10.0 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.
CVE-2021-32983 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38390 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38393 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38391 | 2021-08-30 | 10.0 | A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-33885 | 2021-08-25 | 10.0 | An Insufficient Verification of Data Authenticity vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send the device malicious data that will be used in place of the correct data. This results in full system command access and execution because of the lack of cryptographic signatures on critical data sets.
CVE-2021-35526 | 2021-09-08 | 7.2 | Backup file without encryption vulnerability is found in Hitachi ABB Power Grids System Data Manager – SDM600 allows attacker to gain access to sensitive information. This issue affects: Hitachi ABB Power Grids System Data Manager – SDM600 1.2 versions prior to FP2 HF6 (Build Nr. 1.2.14002.257).
CVE-2020-24672 2021-09-08 A vulnerability in Base Software for SoftControl allows an attacker to insert and run 6.8 arbitrary code in a computer running the affected product. This issue affects: . CVE-2021-39278 2021-09-07 Certain MOXA devices allow reflected XSS via the Config Import menu. This affects WAC- 4.3 2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A- LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR- 3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3. CVE-2021-22793 2021-09-02 A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exist 6.5 in AccuSine PCS+ / PFV+ (Versions prior to V1.6.7) and AccuSine PCSn (Versions prior to V2.2.4) that could allow an authenticated attacker to access the device via FTP protocol. CVE-2021-22792 2021-09-02 A CWE-476: NULL Pointer Dereference vulnerability that could cause a Denial of Service 5.0 on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project file exists in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions). CVE-2021-22775 2021-09-02 A CWE-427: Uncontrolled Search Path Element vulnerability exists in GP-Pro EX,V4.09.250 4.4 and prior, that could cause local code execution with elevated privileges when installing the software. 
CVE-2021-22791 2021-09-02 A CWE-787: Out-of-bounds Write vulnerability that could cause a Denial of Service on the 4.0 Modicon PLC controller / simulator when updating the controller application with a specially crafted project file exists in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions). CVE-2021-22790 2021-09-02 A CWE-125: Out-of-bounds Read vulnerability that could cause a Denial of Service on the 4.0 Modicon PLC controller / simulator when updating the controller application with a specially crafted project file exists in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions). 
CVE-2021-22789 2021-09-02 A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer 4.0 vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project file 19
CVE Date CVSS Warning Description published V2 exists in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions). CVE-2021-34578 2021-08-31 This vulnerability allows an attacker who has access to the WBM to read and write 6.8 settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07. CVE-2021-27663 2021-08-30 A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 9.3 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5. CVE-2021-32955 2021-08-30 Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, 7.5 which may allow an attacker to remotely execute code. CVE-2021-33007 2021-08-30 A heap-based buffer overflow in Delta Electronics TPEditor: v1.98.06 and prior may be 6.8 exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code. CVE-2021-33019 2021-08-30 A stack-based buffer overflow vulnerability in Delta Electronics DOPSoft Version 4.00.11 6.8 and prior may be exploited by processing a specially crafted project file, which may allow an attacker to execute arbitrary code. 
CVE-2021-32991 2021-08-30 Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request 4.3 forgery, which may allow an attacker to cause a user to carry out an action unintentionally. CVE-2021-33003 2021-08-30 Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to retrieve 2.1 passwords in cleartext due to a weak hashing algorithm. CVE-2021-21869 2021-08-25 An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation 6.8 ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2021-33886 2021-08-25 An improper sanitization of input vulnerability in B. Braun SpaceCom2 prior to 5.8 012U000062 allows a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements. The attacker is required to be on the same network as the device. CVE-2021-33884 2021-08-25 An Unrestricted Upload of File with Dangerous Type vulnerability in B. Braun SpaceCom2 5.0 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API. This can result in critical files being overwritten. CVE-2021-33882 2021-08-25 A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 5.0 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of lack of authentication on proprietary networking commands. CVE-2021-33883 2021-08-25 A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 5.0 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration. 
CVE-2021-39375 2021-08-24 Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the 6.5 WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. CVE-2021-39376 2021-08-24 Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the 6.5 CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter. CVE-2021-35529 2021-08-20 Insufficiently Protected Credentials vulnerability in client environment of Hitachi ABB 6.5 Power Grids Retail Operations and Counterparty Settlement Billing (CSB) allows an attacker or unauthorized user to access database credentials, shut down the product and access or alter. This issue affects: Hitachi ABB Power Grids Retail Operations version 5.7.2 and prior versions. Hitachi ABB Power Grids Counterparty Settlement Billing (CSB) version 5.7.2 and prior versions. 20