CVE-2021-31894: Incorrect Permission Assignment in Siemens Simatic Step 7 Firmware

Severity: 8.8 HIGH (NVD)
EPSS: 0.0% (top 91.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 13; latest update May 24

Description

A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.X (All versions < V9.1 SP2), SIMATIC PDM (All versions < V9.2 SP2), SIMATIC STEP 7 V5.X (All versions < V5.7), SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 SP2 HF1). A directory containing metafiles relevant to devices' configurations has write permissions. An attacker could leverage this vulnerability by changing the content of certain metafiles and subsequently manipu

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.0 | Impact: 6.0

Affected Packages (8 packages)

CVEListV5 | siemens/simatic_step_7_v5.x | All versions < V5.7
CVEListV5 | siemens/simatic_pdm | All versions < V9.2 SP2

Patches

Vulnerability Details (2)

GHSA | GHSA-rq6h-r956-9p9r: A vulnerability has been identified in SIMATIC PCS 7 V8 | 2022-05-24
CVEList | CVE-2021-31894: A vulnerability has been identified in SIMATIC PCS 7 V8 | 2021-07-13