Vulnerability Details : CVE-2021-31892
A vulnerability has been identified in SINUMERIK Analyse MyCondition (All versions), SINUMERIK Analyze MyPerformance (All versions), SINUMERIK Analyze MyPerformance /OEE-Monitor (All versions), SINUMERIK Analyze MyPerformance /OEE-Tuning (All versions), SINUMERIK Integrate Client 02 (All versions >= V02.00.12 < 02.00.18), SINUMERIK Integrate Client 03 (All versions >= V03.00.12 < 03.00.18), SINUMERIK Integrate Client 04 (V04.00.02 and all versions >= V04.00.15 < 04.00.18), SINUMERIK Integrate for Production 4.1 (All versions < V4.1 SP10 HF3), SINUMERIK Integrate for Production 5.1 (V5.1), SINUMERIK Manage MyMachines (All versions), SINUMERIK Manage MyMachines /Remote (All versions), SINUMERIK Manage MyMachines /Spindel Monitor (All versions), SINUMERIK Manage MyPrograms (All versions), SINUMERIK Manage MyResources /Programs (All versions), SINUMERIK Manage MyResources /Tools (All versions), SINUMERIK Manage MyTools (All versions), SINUMERIK Operate V4.8 (All versions < V4.8 SP8), SINUMERIK Operate V4.93 (All versions < V4.93 HF7), SINUMERIK Operate V4.94 (All versions < V4.94 HF5), SINUMERIK Optimize MyProgramming /NX-Cam Editor (All versions). Due to an error in a third-party dependency the ssl flags used for setting up a TLS connection to a server are overwitten with wrong settings. This results in a missing validation of the server certificate and thus in a possible TLS MITM szenario.
Products affected by CVE-2021-31892
- cpe:2.3:o:siemens:sinumerik_analyse_mycondition_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_analyze_myperformance_firmware:-:*:*:*:*:*:*:*
- Siemens » Sinumerik Integrate Client FirmwareVersions from including (>=) 3.00.12 and before (<) 3.00.18cpe:2.3:o:siemens:sinumerik_integrate_client_firmware:*:*:*:*:*:*:*:*
- Siemens » Sinumerik Integrate Client FirmwareVersions from including (>=) 4.00.15 and before (<) 4.00.18cpe:2.3:o:siemens:sinumerik_integrate_client_firmware:*:*:*:*:*:*:*:*
- Siemens » Sinumerik Integrate Client FirmwareVersions from including (>=) 2.00.12 and before (<) 2.00.18cpe:2.3:o:siemens:sinumerik_integrate_client_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_integrate_for_production_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_integrate_for_production_firmware:5.1:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_manage_mymachines_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_manage_myprograms_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_manage_myresources_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_manage_mytools_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:-:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp1:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp2:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp3:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp4:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp5:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp6:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.8:sp7:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:-:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:hotfix_1:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.94:hotfix_1:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.94:hotfix_2:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.94:hotfix_3:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.94:hotfix_4:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:hotfix_2:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:hotfix_3:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:hotfix_4:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:hotfix_5:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.94:-:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_operate_firmware:4.93:hotfix_6:*:*:*:*:*:*
- cpe:2.3:o:siemens:sinumerik_optimize_myprogramming_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-31892
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 34 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-31892
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
NIST |
CWE ids for CVE-2021-31892
-
The product does not validate, or incorrectly validates, a certificate.Assigned by: productcert@siemens.com (Primary)
References for CVE-2021-31892
-
https://cert-portal.siemens.com/productcert/pdf/ssa-729965.pdf
Vendor Advisory
-
https://us-cert.cisa.gov/ics/advisories/icsa-21-194-04
Siemens SINUMERIK Integrate Operate Client | CISAThird Party Advisory
Jump to