CVE-2021-31891
Published: 2021-09-14
Priority: P2 · 74 · critical · 10.0 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 3.84% (88.8th percentile)
A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | desigo_cc | All versions with OIS Extension Module | — |
| siemens | gma-manager | All versions with OIS running on Debian 9 or earlier | — |
| siemens | operation_scheduler | All versions with OIS running on Debian 9 or earlier | — |
| siemens | siveillance_control | All versions with OIS running on Debian 9 or earlier | — |
| siemens | siveillance_control_pro | All versions | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a specific HTTP GET request containing improperly neutralized special elements: monitor for anomalous or shell-metacharacter-laden GET requests to the OIS web interface on port 443/TCP.
- Restrict and monitor inbound traffic to port 443/TCP on systems running Siveillance OIS; unauthenticated exploitation arrives over this port.
- Alert on any process spawned with root privileges by the OIS web service process; successful exploitation yields arbitrary code execution as root.
- No known public exploits specifically targeted this vulnerability at the time of advisory publication.
- Affected scope is limited to products running the OIS Extension Module/service: GMA-Manager, Operation Scheduler and Siveillance Control are affected only when OIS runs on Debian 9 or earlier, while Siveillance Control Pro is affected in all versions.
- The CVSS v3 base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, unauthenticated, zero-interaction exploitation with full impact on confidentiality, integrity and availability, and a scope change.
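The two behavioural indicators in the list above (shell metacharacters in GET query strings reaching the OIS web interface, and root-level children of the OIS web service process) can be turned into a small detection pass over host logs. The block below is an added example, not code from the CVE page, Siemens or CISA. The access-log lines, the process-event records and their field names, and the parent process name `ois-web` are constructed assumptions: neither the vulnerable endpoint nor the OIS service's process name is published, so the web rule looks for metacharacters in any decoded GET query string rather than a particular path.

```python
"""Detection helpers for CVE-2021-31891-style command injection attempts.

Added example; not code from the CVE page, Siemens or CISA. Log formats,
field names and the parent process name "ois-web" are constructed assumptions.
"""
import re
from urllib.parse import unquote

# Shell metacharacters that should never appear in a value the server hands
# to an OS command: separators, pipes, redirection, backticks, $() and ${}.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")

# Combined-log-style access line: ip ident user [ts] "METHOD target proto" status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Assumed (hypothetical) name of the OIS web service process; set from the host.
WEB_SERVICE_NAMES = {"ois-web"}
# Interpreters and download tools a web service should not spawn per request.
SHELL_LIKE = {"sh", "bash", "dash", "python", "python3", "perl", "nc", "curl", "wget"}


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that a
    double-encoded payload such as %2524%2528id%2529 -> $(id) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_get(line):
    """Return a hit dict for a GET whose decoded query string contains shell
    metacharacters, else None. Non-GET and unparsable lines are ignored."""
    m = ACCESS_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    target = fully_decode(m.group("target"))
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    if not SHELL_META.search(query):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "target": target}


def root_child_of_web(event):
    """Flag a process-creation event whose parent is the OIS web service and
    which runs as root or is a shell/interpreter. Constructed event schema:
    pid, ppid, parent_comm, uid, comm, cmdline."""
    if event.get("parent_comm") not in WEB_SERVICE_NAMES:
        return None
    if event.get("uid") == 0 or event.get("comm") in SHELL_LIKE:
        return {"pid": event["pid"], "uid": event["uid"],
                "comm": event["comm"], "cmdline": event.get("cmdline", "")}
    return None


def scan(access_lines, process_events):
    """Run both rules and return the hits from each."""
    return {
        "web": [h for h in map(suspicious_get, access_lines) if h],
        "proc": [h for h in map(root_child_of_web, process_events) if h],
    }


# Constructed sample data, not traffic or events from a real OIS host.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [14/Sep/2021:10:00:01 +0000] "GET /ois/status?site=north HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Sep/2021:10:00:02 +0000] "GET /ois/status?site=north%3Bid HTTP/1.1" 200 38',
    '198.51.100.7 - - [14/Sep/2021:10:00:03 +0000] "GET /ois/status?site=%2524%2528id%2529 HTTP/1.1" 500 0',
    '10.0.0.6 - - [14/Sep/2021:10:00:04 +0000] "POST /ois/login HTTP/1.1" 302 0',
    '10.0.0.7 - - [14/Sep/2021:10:00:05 +0000] "GET /ois/report?name=Q3%20Energy%20Report HTTP/1.1" 200 2048',
]
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4101, "ppid": 1200, "parent_comm": "ois-web", "uid": 0, "comm": "sh", "cmdline": "sh -c id"},
    {"pid": 4102, "ppid": 1, "parent_comm": "systemd", "uid": 0, "comm": "cron", "cmdline": "/usr/sbin/cron"},
    {"pid": 4103, "ppid": 1200, "parent_comm": "ois-web", "uid": 1001, "comm": "convert", "cmdline": "convert in.png out.jpg"},
    {"pid": 4104, "ppid": 1200, "parent_comm": "ois-web", "uid": 0, "comm": "convert", "cmdline": "convert in.png out.jpg"},
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_ACCESS_LOG, SAMPLE_PROCESS_EVENTS).items():
        for hit in hits:
            print(kind, hit)
```

Port 443/TCP is encrypted on the wire, so the access-log rule needs logs from the OIS web server itself or from a TLS-terminating proxy in front of it, not from a network tap. The bounded decode loop matters because a single `unquote` would leave `%2524%2528id%2529` looking harmless. If the OIS service itself runs as root (which the root-level code execution in the advisory suggests), every child it spawns has uid 0 and the process rule should be tuned toward the interpreter list rather than the uid check alone.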
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 HIGH (the v2 qualitative scale tops out at HIGH), AV:N/AC:L/Au:N/C:C/I:C/A:C
CISA ICS
Siemens Siveillance OIS
cisa_ics · 2021-09-14 · CVSS 10.0 · [CRITICAL]
ICS Advisory
Last Revised: September 14, 2021
Alert Code: ICSA-21-257-18
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely / low attack complexity
- Vendor: Siemens
- Equipment: Siveillance OIS
- Vulnerability: OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute code on the affected system with root privileges.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Siemens reports the vulnerability affects the following Siveillance OIS Building Management
GHSA
GHSA-ch26-285q-m7w2 · ghsa_unreviewed · 2022-05-24 · CVE-2021-31891 · [CRITICAL] · CWE-78 (OS Command Injection)
A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-09-14