CVE-2021-27388 - OpenCVE

SINAMICS medium voltage routable products are affected by a vulnerability in the Sm@rtServer component for remote access that could allow an unauthenticated attacker to cause a denial-of-service condition, and/or execution of limited configuration modifications and/or execution of limited control commands on the SINAMICS Medium Voltage Products, Remote Access (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Sinamics Sl150 Sinamics Sl150 Firmware Sinamics Sm150 Sinamics Sm150 Firmware Sinamics Sm150i Sinamics Sm150i Firmware

Configuration 1 [-]

AND

cpe:2.3:o:siemens:sinamics_sl150_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:sinamics_sl150:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:siemens:sinamics_sm150_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:sinamics_sm150:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:siemens:sinamics_sm150i_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:sinamics_sm150i:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-04

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2021-06-15T19:40:24

Updated: 2024-08-03T20:48:16.713Z

Reserved: 2021-02-18T00:00:00

Link: CVE-2021-27388

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-15T20:15:11.770

Modified: 2021-06-23T20:57:28.830

Link: CVE-2021-27388

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SINAMICS Medium Voltage Products, Remote Access", "vendor": "n/a", "versions": [{"status": "affected", "version": "SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions"}]}], "descriptions": [{"lang": "en", "value": "SINAMICS medium voltage routable products are affected by a vulnerability in the Sm@rtServer component for remote access that could allow an unauthenticated attacker to cause a denial-of-service condition, and/or execution of limited configuration modifications and/or execution of limited control commands on the SINAMICS Medium Voltage Products, Remote Access (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "IMPROPER INPUT VALIDATION CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-15T19:40:24", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-131-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-27388", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SINAMICS Medium Voltage Products, Remote Access", "version": {"version_data": [{"version_value": "SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SINAMICS medium voltage routable products are affected by a vulnerability in the Sm@rtServer component for remote access that could allow an unauthenticated attacker to cause a denial-of-service condition, and/or execution of limited configuration modifications and/or execution of limited control commands on the SINAMICS Medium Voltage Products, Remote Access (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER INPUT VALIDATION CWE-20"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-131-04", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-131-04"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:48:16.713Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-131-04"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-27388", "datePublished": "2021-06-15T19:40:24", "dateReserved": "2021-02-18T00:00:00", "dateUpdated": "2024-08-03T20:48:16.713Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:sinamics_sl150_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E032554B-7F51-4482-AF55-743FFB5AC352", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:sinamics_sl150:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6619B0F-7CDC-40A6-89B2-C6067AF45214", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:sinamics_sm150_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "33B7E1DE-61B5-4CFC-8640-EB8029CD79D6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:sinamics_sm150:-:*:*:*:*:*:*:*", "matchCriteriaId": "2AE231E2-2B2B-407A-BF7A-9EA35F394229", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:sinamics_sm150i_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6067521-A21D-4B2A-AFB2-2E033F66B63E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:sinamics_sm150i:-:*:*:*:*:*:*:*", "matchCriteriaId": "A44DEAD8-8DB8-41CC-9495-B842BE76EA8F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SINAMICS medium voltage routable products are affected by a vulnerability in the Sm@rtServer component for remote access that could allow an unauthenticated attacker to cause a denial-of-service condition, and/or execution of limited configuration modifications and/or execution of limited control commands on the SINAMICS Medium Voltage Products, Remote Access (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions)."}, {"lang": "es", "value": "Los productos enrutables de tensi\u00f3n media SINAMICS est\u00e1n afectados por una vulnerabilidad en el componente Sm@rtServer para el acceso remoto que podr\u00eda permitir a un atacante no autenticado causar una condici\u00f3n de denegaci\u00f3n de servicio, y/o una ejecuci\u00f3n de modificaciones de configuraci\u00f3n limitadas y/o la ejecuci\u00f3n de comandos de control limitados en los productos de media tensi\u00f3n SINAMICS, acceso remoto (SINAMICS SL150: Todas las versiones, SINAMICS SM150: Todas las versiones, SINAMICS SM150i: Todas las versiones)"}], "id": "CVE-2021-27388", "lastModified": "2021-06-23T20:57:28.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-15T20:15:11.770", "references": [{"source": "productcert@siemens.com", "tags": ["Not Applicable"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-131-04"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "productcert@siemens.com", "type": "Primary"}]}