ID

VAR-202205-0542


CVE

CVE-2021-41545


TITLE

Vulnerabilities in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-019581

DESCRIPTION

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). When the controller receives a specific BACnet protocol packet, an exception causes the BACnet communication function to go into an “out of work” state and could result in the controller going into a “factory reset” state. Multiple Siemens products, such as Desigo DXR2 firmware, Desigo PXC3 firmware and Desigo PXC4 firmware, have unspecified vulnerabilities. Service operation may be interrupted (DoS).

Desigo DXR2 controllers are programmable automation stations to support the standard control needs of terminal HVAC equipment and TRA (Total Room Automation) applications. The Desigo PXC3 series of automation stations can be used in buildings with higher requirements for functionality and flexibility. Use Desigo room automation when multiple specialties (HVAC, lighting, shading) are combined into one solution and when a high degree of flexibility is required. The Desigo PXC4 building automation controller is designed for HVAC system control. It is a compact device with built-in IOs that can be expanded to your needs with additional TX-IO modules. The Desigo PXC5 is a freely programmable controller for BACnet system-level functions such as alarm routing, system-wide scheduling and trending, and device monitoring.

There are security vulnerabilities in Siemens Desigo PXC and DXR Controllers, which can be exploited by attackers.

Trust: 2.25

sources: NVD: CVE-2021-41545 // JVNDB: JVNDB-2021-019581 // CNVD: CNVD-2022-37373 // VULMON: CVE-2021-41545

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-37373

AFFECTED PRODUCTS

vendor: siemens, model: desigo pxc4, scope: lt, version: 02.20.142.10-10884

Trust: 1.0

vendor: siemens, model: desigo pxc3, scope: lt, version: 01.21.142.4-18

Trust: 1.0

vendor: siemens, model: desigo pxc5, scope: lt, version: 02.20.142.10-10884

Trust: 1.0

vendor: siemens, model: desigo dxr2, scope: lt, version: 01.21.142.5-22

Trust: 1.0

vendor: Siemens, model: desigo dxr2, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: desigo pxc3, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: desigo pxc5, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: desigo pxc4, scope: -, version: -

Trust: 0.8

vendor: siemens, model: desigo pxc5, scope: lt, version: v02.20.142.10-10884

Trust: 0.6

vendor: siemens, model: desigo pxc4, scope: lt, version: v02.20.142.10-10884

Trust: 0.6

vendor: siemens, model: desigo pxc3, scope: lt, version: v01.21.142.4-18

Trust: 0.6

vendor: siemens, model: desigo dxr2, scope: lt, version: v01.21.142.5-22

Trust: 0.6

sources: CNVD: CNVD-2022-37373 // JVNDB: JVNDB-2021-019581 // NVD: CVE-2021-41545

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-41545
value: HIGH

Trust: 1.0

NVD: CVE-2021-41545
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-37373
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202205-2791
value: HIGH

Trust: 0.6

VULMON: CVE-2021-41545
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-41545
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-37373
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-41545
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-41545
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-37373 // VULMON: CVE-2021-41545 // JVNDB: JVNDB-2021-019581 // CNNVD: CNNVD-202205-2791 // NVD: CVE-2021-41545

PROBLEMTYPE DATA

problemtype: CWE-248

Trust: 1.0

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-019581 // NVD: CVE-2021-41545

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2791

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202205-2791

PATCH

title: Patch for Siemens Desigo DXR and PXC Controllers Denial of Service Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/332656

Trust: 0.6

title: Multiple Siemens Product security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=193549

Trust: 0.6

sources: CNVD: CNVD-2022-37373 // CNNVD: CNNVD-202205-2791

EXTERNAL IDS

db: NVD, id: CVE-2021-41545

Trust: 3.9

db: SIEMENS, id: SSA-662649

Trust: 3.1

db: JVNDB, id: JVNDB-2021-019581

Trust: 0.8

db: ICS CERT, id: ICSA-22-132-10

Trust: 0.7

db: CNVD, id: CNVD-2022-37373

Trust: 0.6

db: CS-HELP, id: SB2022051124

Trust: 0.6

db: AUSCERT, id: ESB-2022.2349

Trust: 0.6

db: CNNVD, id: CNNVD-202205-2791

Trust: 0.6

db: VULMON, id: CVE-2021-41545

Trust: 0.1

sources: CNVD: CNVD-2022-37373 // VULMON: CVE-2021-41545 // JVNDB: JVNDB-2021-019581 // CNNVD: CNNVD-202205-2791 // NVD: CVE-2021-41545

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-662649.pdf

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-41545

Trust: 0.8

url:https://cert-portal.siemens.com/productcert/html/ssa-662649.html

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-41545/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2349

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-132-10

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022051124

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-132-10

Trust: 0.1

sources: CNVD: CNVD-2022-37373 // VULMON: CVE-2021-41545 // JVNDB: JVNDB-2021-019581 // CNNVD: CNNVD-202205-2791 // NVD: CVE-2021-41545

CREDITS

Andrea Palanca, of Nozomi Networks, reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202205-2791

SOURCES

db: CNVD, id: CNVD-2022-37373
db: VULMON, id: CVE-2021-41545
db: JVNDB, id: JVNDB-2021-019581
db: CNNVD, id: CNNVD-202205-2791
db: NVD, id: CVE-2021-41545

LAST UPDATE DATE

2024-11-23T21:50:29.808000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-37373, date: 2022-05-16T00:00:00
db: VULMON, id: CVE-2021-41545, date: 2022-05-19T00:00:00
db: JVNDB, id: JVNDB-2021-019581, date: 2023-08-04T08:29:00
db: CNNVD, id: CNNVD-202205-2791, date: 2022-05-20T00:00:00
db: NVD, id: CVE-2021-41545, date: 2024-11-21T06:26:23.437

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-37373, date: 2022-05-16T00:00:00
db: VULMON, id: CVE-2021-41545, date: 2022-05-10T00:00:00
db: JVNDB, id: JVNDB-2021-019581, date: 2023-08-04T00:00:00
db: CNNVD, id: CNNVD-202205-2791, date: 2022-05-10T00:00:00
db: NVD, id: CVE-2021-41545, date: 2022-05-10T11:15:07.840