CVE-2021-45033

11.01.2022, 12:15

A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). An undocumented debug port uses hard-coded default credentials. If this port is enabled by a privileged user, an attacker aware of the credentials could access an administrative debug shell on the affected device.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
siemens	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Vendor	Product	Version
siemens	cp-8000_master_module_with_i\/o_-25\/\+70_firmware	𝑥 < 16.20
siemens	cp-8000_master_module_with_i\/o_-40\/\+70_firmware	𝑥 < 16.20
siemens	cp-8021_master_module_firmware	𝑥 < 16.20
siemens	cp-8022_master_module_with_gprs_firmware	𝑥 < 16.20

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-798 - Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-324998.pdf