CVE-2021-37172

Published: Aug 10, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (V4.5.0). Affected devices fail to authenticate against configured passwords when provisioned using TIA Portal V13. This could allow an attacker using TIA Portal V13 or later versions to bypass authentication and download arbitrary programs to the PLC. The vulnerability does not occur when TIA Portal V13 SP1 or any later version was used to provision the device.

Affected (2)

Products: Siemens: Simatic S7 1200 Cpu Firmware, Simatic Step 7 (tia Portal)

Siemens

2 products

Simatic S7 1200 Cpu Firmware

Simatic Step 7 (tia Portal)

Configuration A

1 vulnerable · 8 platform

Vulnerable Software	Affected Versions
Siemens Simatic S7 1200 Cpu Firmware	Version 4.5.0

Running on/with	Platform Versions
Siemens Cpu 1211c	All versions
Siemens Cpu 1212c	All versions
Siemens Cpu 1212fc	All versions
Siemens Cpu 1214c	All versions
Siemens Cpu 1214fc	All versions
Siemens Cpu 1215c	All versions
Siemens Cpu 1215fc	All versions
Siemens Cpu 1217c	All versions

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Siemens Simatic Step 7 (tia Portal)	Up to 13.0

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://cert-portal.siemens.com/productcert/pdf/ssa-830194.pdf

Source: productcert@siemens.com

PatchVendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-830194.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.