CVE-2021-41769

11.01.2022, 12:15

A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD89 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MU85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7KE85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SA82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SA86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SA87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SD82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SD87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SJ81 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SJ82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SJ85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SJ86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SK82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SK85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SL82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SL86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SL87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SS85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7ST85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SX85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UM85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UT82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7UT85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UT86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UT87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7VE85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7VK87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 Compact 7SX800 devices (CPU variant CP050) (All versions < V8.83). An improper input validation vulnerability in the web server could allow an unauthenticated user to access device information.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
siemens	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 63%

Vendor	Product	Version
siemens	6md85_firmware	𝑥 < 8.83
siemens	6md86_firmware	𝑥 < 8.83
siemens	6md89_firmware	𝑥 < 8.83
siemens	6mu85_firmware	𝑥 < 8.83
siemens	7ke85_firmware	𝑥 < 8.83
siemens	7sa82_firmware	𝑥 < 8.83
siemens	7sa86_firmware	𝑥 < 8.83
siemens	7sa87_firmware	𝑥 < 8.83
siemens	7sd82_firmware	𝑥 < 8.83
siemens	7sd86_firmware	𝑥 < 8.83
siemens	7sd87_firmware	𝑥 < 8.83
siemens	7sj81_firmware	𝑥 < 8.83
siemens	7sj82_firmware	𝑥 < 8.83
siemens	7sj85_firmware	𝑥 < 8.83
siemens	7sj86_firmware	𝑥 < 8.83
siemens	7sk82_firmware	𝑥 < 8.83
siemens	7sk85_firmware	𝑥 < 8.83
siemens	7sl82_firmware	𝑥 < 8.83
siemens	7sl86_firmware	𝑥 < 8.83
siemens	7sl87_firmware	𝑥 < 8.83
siemens	7ss85_firmware	𝑥 < 8.83
siemens	7st85_firmware	𝑥 < 8.83
siemens	7sx800_firmware	𝑥 < 8.83
siemens	7sx85_firmware	𝑥 < 8.83
siemens	7um85_firmware	𝑥 < 8.83
siemens	7ut82_firmware	𝑥 < 8.83
siemens	7ut85_firmware	𝑥 < 8.83
siemens	7ut86_firmware	𝑥 < 8.83
siemens	7ut87_firmware	𝑥 < 8.83
siemens	7ve85_firmware	𝑥 < 8.83
siemens	7vk87_firmware	𝑥 < 8.83

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-439673.pdf