CVE-2021-40363

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The affected component stores the credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. An attacker may use this to brute force the credentials and take over the system.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
siemensCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
siemenssimatic_pcs_7
𝑥
≤ 8.2
siemenssimatic_pcs_7
9.0
siemenssimatic_pcs_7
9.1
siemenssimatic_wincc
𝑥
< 7.4
siemenssimatic_wincc
7.4
siemenssimatic_wincc
7.4:sp1
siemenssimatic_wincc
7.4:sp1_update1
siemenssimatic_wincc
7.4:sp1_update10
siemenssimatic_wincc
7.4:sp1_update11
siemenssimatic_wincc
7.4:sp1_update12
siemenssimatic_wincc
7.4:sp1_update13
siemenssimatic_wincc
7.4:sp1_update14
siemenssimatic_wincc
7.4:sp1_update15
siemenssimatic_wincc
7.4:sp1_update16
siemenssimatic_wincc
7.4:sp1_update17
siemenssimatic_wincc
7.4:sp1_update18
siemenssimatic_wincc
7.4:sp1_update2
siemenssimatic_wincc
7.4:sp1_update3
siemenssimatic_wincc
7.4:sp1_update4
siemenssimatic_wincc
7.4:sp1_update5
siemenssimatic_wincc
7.4:sp1_update6
siemenssimatic_wincc
7.4:sp1_update7
siemenssimatic_wincc
7.4:sp1_update8
siemenssimatic_wincc
7.4:sp1_update9
siemenssimatic_wincc
7.4:update_1
siemenssimatic_wincc
7.5
siemenssimatic_wincc
7.5:sp1
siemenssimatic_wincc
7.5:sp1_update1
siemenssimatic_wincc
7.5:sp1_update2
siemenssimatic_wincc
7.5:sp2
siemenssimatic_wincc
7.5:sp2_update1
siemenssimatic_wincc
7.5:sp2_update2
siemenssimatic_wincc
7.5:sp2_update3
siemenssimatic_wincc
7.5:sp2_update4
siemenssimatic_wincc
7.5:sp2_update5
siemenssimatic_wincc
14.0.1
siemenssimatic_wincc
15.1
siemenssimatic_wincc
15.1:update_1
siemenssimatic_wincc
15.1:update_2
siemenssimatic_wincc
15.1:update_3
siemenssimatic_wincc
15.1:update_4
siemenssimatic_wincc
15.1:update_5
siemenssimatic_wincc
15.1:update_6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf