CVE-2022-24408 — Improper Privilege Management in Siemens Sinumerik MC Firmware

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 91.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Sinumerik MC Firmware Siemens Sinumerik ONE Firmware Siemens Sinumerik MC +1 more

Timeline

PublishedMar 8

Latest updateMar 9

Description

A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1). The sc SUID binary on affected devices provides several commands that are used to execute system commands or modify system files. A specific set of operations using sc could allow local attackers to escalate their privileges to root.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDsiemens/sinumerik_mc_firmware< 1.15+1

▶NVDsiemens/sinumerik_one_firmware< 6.15+1

▶CVEListV5siemens/sinumerik_mcAll versions < V1.15 SP1

▶CVEListV5siemens/sinumerik_oneAll versions < V6.15 SP1

🔴Vulnerability Details

GHSA

GHSA-c7jg-mh9j-jjqx: A vulnerability has been identified in SINUMERIK MC (All versions < V1↗2022-03-09

▶

CVEList

CVE-2022-24408: A vulnerability has been identified in SINUMERIK MC (All versions < V1↗2022-03-08

▶