CVE-2021-40358

09.11.2021, 12:15

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3 UC04), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 5). Legitimate file operations on the web server of the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read, write or delete unexpected critical files.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
siemens	CNA	9.9 CRITICAL				CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 67%

Vendor	Product	Version
siemens	simatic_pcs_7	8.2
siemens	simatic_pcs_7	9.0
siemens	simatic_pcs_7	9.1
siemens	simatic_wincc	7.4
siemens	simatic_wincc	7.4
siemens	simatic_wincc	7.4:sp1
siemens	simatic_wincc	7.4:sp1_update1
siemens	simatic_wincc	7.4:sp1_update10
siemens	simatic_wincc	7.4:sp1_update11
siemens	simatic_wincc	7.4:sp1_update12
siemens	simatic_wincc	7.4:sp1_update13
siemens	simatic_wincc	7.4:sp1_update14
siemens	simatic_wincc	7.4:sp1_update15
siemens	simatic_wincc	7.4:sp1_update16
siemens	simatic_wincc	7.4:sp1_update17
siemens	simatic_wincc	7.4:sp1_update18
siemens	simatic_wincc	7.4:sp1_update2
siemens	simatic_wincc	7.4:sp1_update3
siemens	simatic_wincc	7.4:sp1_update4
siemens	simatic_wincc	7.4:sp1_update5
siemens	simatic_wincc	7.4:sp1_update6
siemens	simatic_wincc	7.4:sp1_update7
siemens	simatic_wincc	7.4:sp1_update8
siemens	simatic_wincc	7.4:sp1_update9
siemens	simatic_wincc	7.4:update_1
siemens	simatic_wincc	7.5
siemens	simatic_wincc	7.5:sp1
siemens	simatic_wincc	7.5:sp1_update1
siemens	simatic_wincc	7.5:sp1_update2
siemens	simatic_wincc	7.5:sp2
siemens	simatic_wincc	7.5:sp2_update1
siemens	simatic_wincc	7.5:sp2_update2
siemens	simatic_wincc	7.5:sp2_update3
siemens	simatic_wincc	7.5:sp2_update4
siemens	simatic_wincc	15.1
siemens	simatic_wincc	15.1:update_1
siemens	simatic_wincc	15.1:update_2
siemens	simatic_wincc	15.1:update_3
siemens	simatic_wincc	15.1:update_4
siemens	simatic_wincc	15.1:update_5
siemens	simatic_wincc	15.1:update_6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf