CVE-2021-37186: Use of Insufficiently Random Values in Siemens LOGO! CMR2020 Firmware

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.2% (top 62.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 14; Latest update May 24

Description

A vulnerability has been identified in LOGO! CMR2020 (All versions < V2.2), LOGO! CMR2040 (All versions < V2.2), SIMATIC RTU3010C (All versions < V4.0.9), SIMATIC RTU3030C (All versions < V4.0.9), SIMATIC RTU3031C (All versions < V4.0.9), SIMATIC RTU3041C (All versions < V4.0.9). The underlying TCP/IP stack does not properly calculate the random numbers used as ISN (Initial Sequence Numbers). An adjacent attacker with network access to the LAN interface could interfere with traffic, spoof the co

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages: 12 packages

Patches

Vulnerability Details (2)

GHSA: GHSA-5g5j-x767-23r3 (2022-05-24): A vulnerability has been identified in LOGO! CMR2020 (All versions < V2
CVEList: CVE-2021-37186 (2021-09-14): A vulnerability has been identified in LOGO! CMR2020 (All versions < V2

Vendor Advisories (1)

CISA ICS: Siemens LOGO! CMR and SIMATIC RTU 3000 (Update A) (2021-09-14)
CVE-2021-37186 — Use of Insufficiently Random Values | cvebase