Details of VAR-202405-0154

ID

VAR-202405-0154

CVE

CVE-2024-33494

TITLE

Siemens SIMATIC RTLS Locating Manager Insufficient Data Authenticity Verification Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-23117

DESCRIPTION

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected components do not properly authenticate heartbeat messages. This could allow an unauthenticated remote attacker to affected the availability of secondary RTLS systems configured using a TeeRevProxy service and potentially cause loss of data generated during the time the attack is ongoing. SIMATIC RTLS Locating Manager is used to configure, operate, and maintain SIMATIC RTLS devices, which is a real-time wireless location system that provides location solutions. Siemens SIMATIC RTLS Locating Manager has an insufficient data authenticity verification vulnerability, which is due to the affected component failing to properly verify the heartbeat message

Trust: 1.44

sources: NVD: CVE-2024-33494 // CNVD: CNVD-2024-23117

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-23117

AFFECTED PRODUCTS

vendor:

siemens

model:

simatic rtls locating manager

scope:

version:

v3.0.1.1

Trust: 4.2

sources: CNVD: CNVD-2024-23117

CVSS

SEVERITY

CVSSV2

CVSSV3

productcert@siemens.com:	CVE-2024-33494
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2024-23117
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-23117
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

productcert@siemens.com:
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	2.5
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2024-23117 // NVD: CVE-2024-33494

PROBLEMTYPE DATA

problemtype:

CWE-345

Trust: 1.0

sources: NVD: CVE-2024-33494

PATCH

title:

Patch for Siemens SIMATIC RTLS Locating Manager Insufficient Data Authenticity Verification Vulnerability

url:

https://www.cnvd.org.cn/patchinfo/show/546781

Trust: 0.6

sources: CNVD: CNVD-2024-23117

EXTERNAL IDS

db:	SIEMENS	id:	SSA-093430	Trust: 1.6
db:	NVD	id:	CVE-2024-33494	Trust: 1.6
db:	CNVD	id:	CNVD-2024-23117	Trust: 0.6

sources: CNVD: CNVD-2024-23117 // NVD: CVE-2024-33494

REFERENCES

url:

https://cert-portal.siemens.com/productcert/html/ssa-093430.html

Trust: 1.6

sources: CNVD: CNVD-2024-23117 // NVD: CVE-2024-33494

SOURCES

db:	CNVD	id:	CNVD-2024-23117
db:	NVD	id:	CVE-2024-33494

LAST UPDATE DATE

2024-06-11T22:48:54.735000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-23117	date:	2024-05-17T00:00:00
db:	NVD	id:	CVE-2024-33494	date:	2024-06-11T12:15:15.330

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-23117	date:	2024-05-17T00:00:00
db:	NVD	id:	CVE-2024-33494	date:	2024-05-14T16:17:17.983