CVE-2023-37482 — Observable Discrepancy in Siemens Simatic Drive Controller CPU 1504d TF

CWE-203 — Observable Discrepancy3 documents3 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 67.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic Drive Controller CPU 1504d TF Siemens Simatic Drive Controller CPU 1507d TF Siemens Simatic ET 200sp CPU 1510sp-1 PN +89 more

Timeline

PublishedFeb 11

Description

The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages92 packages

▶CVEListV5siemens/simatic_s7-plcsim_advancedV6.0 — V7.0

▶CVEListV5siemens/simatic_s7-1500_cpu_1511-1_pnV3.1.0 — V3.1.2

▶CVEListV5siemens/simatic_s7-1500_cpu_1513-1_pnV3.1.0 — V3.1.2

▶CVEListV5siemens/simatic_s7-1500_cpu_1515-2_pnV3.1.0 — V3.1.2

▶CVEListV5siemens/siplus_s7-1500_cpu_1517h-3_pnV3.1.0 — V3.1.2

🔴Vulnerability Details

GHSA

GHSA-p6r5-883m-2c48: The login functionality of the web server in affected devices does not normalize the response times of login attempts↗2025-02-11

▶

CVEList

CVE-2023-37482: The login functionality of the web server in affected devices does not normalize the response times of login attempts↗2025-02-11

▶