CVE-2021-31892

A vulnerability has been identified in SINUMERIK Analyse MyCondition (All versions), SINUMERIK Analyze MyPerformance (All versions), SINUMERIK Analyze MyPerformance /OEE-Monitor (All versions), SINUMERIK Analyze MyPerformance /OEE-Tuning (All versions), SINUMERIK Integrate Client 02 (All versions >= V02.00.12 < 02.00.18), SINUMERIK Integrate Client 03 (All versions >= V03.00.12 < 03.00.18), SINUMERIK Integrate Client 04 (V04.00.02 and all versions >= V04.00.15 < 04.00.18), SINUMERIK Integrate for Production 4.1 (All versions < V4.1 SP10 HF3), SINUMERIK Integrate for Production 5.1 (V5.1), SINUMERIK Manage MyMachines (All versions), SINUMERIK Manage MyMachines /Remote (All versions), SINUMERIK Manage MyMachines /Spindel Monitor (All versions), SINUMERIK Manage MyPrograms (All versions), SINUMERIK Manage MyResources /Programs (All versions), SINUMERIK Manage MyResources /Tools (All versions), SINUMERIK Manage MyTools (All versions), SINUMERIK Operate V4.8 (All versions < V4.8 SP8), SINUMERIK Operate V4.93 (All versions < V4.93 HF7), SINUMERIK Operate V4.94 (All versions < V4.94 HF5), SINUMERIK Optimize MyProgramming /NX-Cam Editor (All versions). Due to an error in a third-party dependency the ssl flags used for setting up a TLS connection to a server are overwitten with wrong settings. This results in a missing validation of the server certificate and thus in a possible TLS MITM szenario.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
siemensCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
VendorProductVersion
siemenssinumerik_analyse_mycondition_firmware
-
siemenssinumerik_analyze_myperformance_firmware
-
siemenssinumerik_integrate_client_firmware
2.00.12 ≤
𝑥
< 2.00.18
siemenssinumerik_integrate_client_firmware
3.00.12 ≤
𝑥
< 3.00.18
siemenssinumerik_integrate_client_firmware
4.00.15 ≤
𝑥
< 4.00.18
siemenssinumerik_integrate_for_production_firmware
𝑥
≤ 4.1
siemenssinumerik_integrate_for_production_firmware
5.1
siemenssinumerik_manage_mymachines_firmware
-
siemenssinumerik_manage_myprograms_firmware
-
siemenssinumerik_manage_myresources_firmware
-
siemenssinumerik_manage_mytools_firmware
-
siemenssinumerik_operate_firmware
𝑥
< 4.8
siemenssinumerik_operate_firmware
4.8
siemenssinumerik_operate_firmware
4.8:sp1
siemenssinumerik_operate_firmware
4.8:sp2
siemenssinumerik_operate_firmware
4.8:sp3
siemenssinumerik_operate_firmware
4.8:sp4
siemenssinumerik_operate_firmware
4.8:sp5
siemenssinumerik_operate_firmware
4.8:sp6
siemenssinumerik_operate_firmware
4.8:sp7
siemenssinumerik_operate_firmware
4.93
siemenssinumerik_operate_firmware
4.93:hotfix_1
siemenssinumerik_operate_firmware
4.93:hotfix_2
siemenssinumerik_operate_firmware
4.93:hotfix_3
siemenssinumerik_operate_firmware
4.93:hotfix_4
siemenssinumerik_operate_firmware
4.93:hotfix_5
siemenssinumerik_operate_firmware
4.93:hotfix_6
siemenssinumerik_operate_firmware
4.94
siemenssinumerik_operate_firmware
4.94:hotfix_1
siemenssinumerik_operate_firmware
4.94:hotfix_2
siemenssinumerik_operate_firmware
4.94:hotfix_3
siemenssinumerik_operate_firmware
4.94:hotfix_4
siemenssinumerik_optimize_myprogramming_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-729965.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-21-194-04
https://cert-portal.siemens.com/productcert/pdf/ssa-729965.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-21-194-04