CVE-2021-42029Improper Access Control in Siemens Simatic Step 7

CWE-284Improper Access ControlCWE-269Improper Privilege Management3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 88.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Siemens Simatic Step 7Siemens Simatic Step 7 V15Siemens Simatic Step 7 V16+1 more
Timeline
PublishedApr 12
Latest updateApr 13

Description

A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 5), SIMATIC STEP 7 (TIA Portal) V17 (All versions < V17 Update 2). An attacker could achieve privilege escalation on the web server of certain devices due to improper access control vulnerability in the engineering system software. The attacker needs to have direct access to the impacted web server.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

NVDsiemens/simatic_step_71516+2
CVEListV5siemens/simatic_step_7_v15All versions
CVEListV5siemens/simatic_step_7_v16All versions < V16 Update 5
CVEListV5siemens/simatic_step_7_v17All versions < V17 Update 2

Patches

Patch: cert-portal.siemens.comPatch: cert-portal.siemens.com

🔴Vulnerability Details

2
GHSA
GHSA-vp88-r9qc-vwrw: A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 5),2022-04-13
CVEList
CVE-2021-42029: A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 5),2022-04-12
CVE-2021-42029 — Improper Access Control in Siemens | cvebase