Details of VAR-202111-0671

ID

VAR-202111-0671

CVE

CVE-2021-40366

TITLE

Climatix POL909 Vulnerability in plaintext transmission of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014894

DESCRIPTION

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.42), Climatix POL909 (AWM module) (All versions < V11.34). The web server of affected devices transmits data without TLS encryption. This could allow an unauthenticated remote attacker in a man-in-the-middle position to read sensitive data, such as administrator credentials, or modify data in transit. Climatix POL909 Contains a vulnerability in the transmission of important information in clear text.Information may be obtained and information may be tampered with. Siemens Climatix Pol909 is an intelligent network module of Siemens (Siemens) in Germany

Trust: 2.16

sources: NVD: CVE-2021-40366 // JVNDB: JVNDB-2021-014894 // CNVD: CNVD-2021-89433

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-89433

AFFECTED PRODUCTS

vendor:	siemens	model:	climatix pol909	scope:	lt	version:	11.34	Trust: 1.0
vendor:	siemens	model:	climatix pol909	scope:	lt	version:	11.42	Trust: 1.0
vendor:	シーメンス	model:	climatix pol909	scope:	eq	version:	climatix pol909 firmware (awm module ) 11.34	Trust: 0.8
vendor:	シーメンス	model:	climatix pol909	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	climatix pol909	scope:	eq	version:	climatix pol909 firmware (awb module ) 11.42	Trust: 0.8
vendor:	siemens	model:	climatix pol909	scope:	lt	version:	v11.34	Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-40366
value:	HIGH
Trust: 1.8
CNVD:	CNVD-2021-89433
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202111-868
value:	HIGH
Trust: 0.6

NVD:
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2021-40366
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2021-89433
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

NVD:
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-40366
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366 // CNNVD: CNNVD-202111-868

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.0
problemtype:	Sending important information in clear text (CWE-319) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-868

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202111-868

CONFIGURATIONS

sources: NVD: CVE-2021-40366

PATCH

title:	SSA-703715	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf	Trust: 0.8
title:	Patch for Siemens Climatix POL909 (AWM) Information Disclosure Vulnerability	url:	https://www.cnvd.org.cn/patchinfo/show/300041	Trust: 0.6
title:	Siemens Climatix POL909 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=169828	Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // CNNVD: CNNVD-202111-868

EXTERNAL IDS

db:	NVD	id:	CVE-2021-40366	Trust: 3.8
db:	SIEMENS	id:	SSA-703715	Trust: 2.2
db:	ICS CERT	id:	ICSA-21-315-09	Trust: 1.4
db:	JVN	id:	JVNVU95671889	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-014894	Trust: 0.8
db:	CNVD	id:	CNVD-2021-89433	Trust: 0.6
db:	CS-HELP	id:	SB2021111510	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3874	Trust: 0.6
db:	CNNVD	id:	CNNVD-202111-868	Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366 // CNNVD: CNNVD-202111-868

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf	Trust: 2.2
url:	http://jvn.jp/vu/jvnvu95671889/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-40366	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-09	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021111510	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-315-09	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3874	Trust: 0.6

sources: CNVD: CNVD-2021-89433 // JVNDB: JVNDB-2021-014894 // NVD: CVE-2021-40366 // CNNVD: CNNVD-202111-868

CREDITS

Siemens reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202111-868

SOURCES

db:	CNVD	id:	CNVD-2021-89433
db:	JVNDB	id:	JVNDB-2021-014894
db:	NVD	id:	CVE-2021-40366
db:	CNNVD	id:	CNNVD-202111-868

LAST UPDATE DATE

2023-12-18T11:01:10.938000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-89433	date:	2021-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-014894	date:	2022-10-31T07:16:00
db:	NVD	id:	CVE-2021-40366	date:	2022-08-09T13:41:39.827
db:	CNNVD	id:	CNNVD-202111-868	date:	2022-08-10T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-89433	date:	2021-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-014894	date:	2022-10-31T00:00:00
db:	NVD	id:	CVE-2021-40366	date:	2021-11-09T12:15:10.123
db:	CNNVD	id:	CNNVD-202111-868	date:	2021-11-09T00:00:00