cnvd - cnvd-2024-32687

CNVD-2024-32687

Vulnerability from cnvd - Published: 2024-07-19

Title

Siemens SIMATIC WinCC信息泄露漏洞（CNVD-2024-32687）

Description

Siemens SIMATIC PCS 7是德国西门子（Siemens）公司的一套过程控制系统。SIMATIC WinCC是一套自动化的数据采集与监控（SCADA）系统。SIMATIC WinCC Runtime Professional是用于操作员的可视化运行时平台机器和设备的控制和监控。 Siemens SIMATIC WinCC存在信息泄露漏洞，攻击者可利用该漏洞检索用户和密码等信息。

Severity

中

Patch Name

Siemens SIMATIC WinCC信息泄露漏洞（CNVD-2024-32687）的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://cert-portal.siemens.com/productcert/html/ssa-883918.html

Reference

https://cert-portal.siemens.com/productcert/html/ssa-883918.html

Impacted products

Name
['Siemens SIMATIC PCS 7 V9.1', 'Siemens SIMATIC WinCC Runtime Professional V18', 'Siemens SIMATIC WinCC Runtime Professional V19 < V19 Update 2', 'Siemens SIMATIC WinCC V7.4 < V7.4 SP1 Update 23', 'Siemens SIMATIC WinCC V7.5 < V7.5 SP2 Update 17', 'Siemens SIMATIC WinCC V8.0 < V8.0 Update 5']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-30321"
    }
  },
  "description": "Siemens SIMATIC PCS 7\u662f\u5fb7\u56fd\u897f\u95e8\u5b50\uff08Siemens\uff09\u516c\u53f8\u7684\u4e00\u5957\u8fc7\u7a0b\u63a7\u5236\u7cfb\u7edf\u3002SIMATIC WinCC\u662f\u4e00\u5957\u81ea\u52a8\u5316\u7684\u6570\u636e\u91c7\u96c6\u4e0e\u76d1\u63a7\uff08SCADA\uff09\u7cfb\u7edf\u3002SIMATIC WinCC Runtime Professional\u662f\u7528\u4e8e\u64cd\u4f5c\u5458\u7684\u53ef\u89c6\u5316\u8fd0\u884c\u65f6\u5e73\u53f0\u673a\u5668\u548c\u8bbe\u5907\u7684\u63a7\u5236\u548c\u76d1\u63a7\u3002 \n\nSiemens SIMATIC WinCC\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u7528\u6237\u548c\u5bc6\u7801\u7b49\u4fe1\u606f\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://cert-portal.siemens.com/productcert/html/ssa-883918.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-32687",
  "openTime": "2024-07-19",
  "patchDescription": "Siemens SIMATIC PCS 7\u662f\u5fb7\u56fd\u897f\u95e8\u5b50\uff08Siemens\uff09\u516c\u53f8\u7684\u4e00\u5957\u8fc7\u7a0b\u63a7\u5236\u7cfb\u7edf\u3002SIMATIC WinCC\u662f\u4e00\u5957\u81ea\u52a8\u5316\u7684\u6570\u636e\u91c7\u96c6\u4e0e\u76d1\u63a7\uff08SCADA\uff09\u7cfb\u7edf\u3002SIMATIC WinCC Runtime Professional\u662f\u7528\u4e8e\u64cd\u4f5c\u5458\u7684\u53ef\u89c6\u5316\u8fd0\u884c\u65f6\u5e73\u53f0\u673a\u5668\u548c\u8bbe\u5907\u7684\u63a7\u5236\u548c\u76d1\u63a7\u3002 \r\n\r\nSiemens SIMATIC WinCC\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u7528\u6237\u548c\u5bc6\u7801\u7b49\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens SIMATIC WinCC\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2024-32687\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Siemens SIMATIC PCS 7 V9.1",
      "Siemens SIMATIC WinCC Runtime Professional V18",
      "Siemens SIMATIC WinCC Runtime Professional V19 \u003c V19 Update 2",
      "Siemens SIMATIC WinCC V7.4 \u003c V7.4 SP1 Update 23",
      "Siemens SIMATIC WinCC V7.5 \u003c V7.5 SP2 Update 17",
      "Siemens SIMATIC WinCC V8.0 \u003c V8.0 Update 5"
    ]
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/html/ssa-883918.html",
  "serverity": "\u4e2d",
  "submitTime": "2024-07-10",
  "title": "Siemens SIMATIC WinCC\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2024-32687\uff09"
}

CVE-2024-30321 (GCVE-0-2024-30321)

Vulnerability from cvelistv5 – Published: 2024-07-09 12:04 – Updated: 2025-08-27 20:42

Summary

A vulnerability has been identified in SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC05), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 23), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products do not properly handle certain requests to their web application, which may lead to the leak of privileged information. This could allow an unauthenticated remote attacker to retrieve information such as users and passwords.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor

Assigner

siemens

References

URL

Tags

https://cert-portal.siemens.com/productcert/html/…

Impacted products

Vendor

Product

Version

Siemens

SIMATIC PCS 7 V9.1

Affected: 0 , < V9.1 SP2 UC05 (custom)

Siemens	SIMATIC WinCC Runtime Professional V18	Affected: 0 , < V18 Update 5 (custom)
Siemens	SIMATIC WinCC Runtime Professional V19	Affected: 0 , < V19 Update 2 (custom)
Siemens	SIMATIC WinCC V7.4	Affected: 0 , < V7.4 SP1 Update 23 (custom)
Siemens	SIMATIC WinCC V7.5	Affected: 0 , < V7.5 SP2 Update 17 (custom)
Siemens	SIMATIC WinCC V8.0	Affected: 0 , < V8.0 Update 5 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:32:07.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-883918.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:siemens:simatic_pcs_7:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simatic_pcs_7",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "10",
                "status": "affected",
                "version": "9.1",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:simatic_wincc:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simatic_wincc",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "7.4_sp1_update_23",
                "status": "affected",
                "version": "7.4",
                "versionType": "custom"
              },
              {
                "lessThan": "7.5_sp2_update_17",
                "status": "affected",
                "version": "7.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.0_update_5",
                "status": "affected",
                "version": "8.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:simatic_wincc:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simatic_wincc",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "7.4_sp1_update_23",
                "status": "affected",
                "version": "7.4",
                "versionType": "custom"
              },
              {
                "lessThan": "7.5_sp2_update_17",
                "status": "affected",
                "version": "7.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.0_update_5",
                "status": "affected",
                "version": "8.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:simatic_wincc:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simatic_wincc",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "7.4_sp1_update_23",
                "status": "affected",
                "version": "7.4",
                "versionType": "custom"
              },
              {
                "lessThan": "7.5_sp2_update_17",
                "status": "affected",
                "version": "7.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.0_update_5",
                "status": "affected",
                "version": "8.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:simatic_wincc_runtime_professional:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simatic_wincc_runtime_professional",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "19",
                "status": "affected",
                "version": "18",
                "versionType": "custom"
              },
              {
                "lessThan": "19_update_2",
                "status": "affected",
                "version": "19",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:simatic_wincc_runtime_professional:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "simatic_wincc_runtime_professional",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "19",
                "status": "affected",
                "version": "18",
                "versionType": "custom"
              },
              {
                "lessThan": "19_update_2",
                "status": "affected",
                "version": "19",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-30321",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-19T16:20:35.487955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-27T20:42:53.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "SIMATIC PCS 7 V9.1",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V9.1 SP2 UC05",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "SIMATIC WinCC Runtime Professional V18",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V18 Update 5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "SIMATIC WinCC Runtime Professional V19",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V19 Update 2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "SIMATIC WinCC V7.4",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V7.4 SP1 Update 23",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "SIMATIC WinCC V7.5",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V7.5 SP2 Update 17",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "SIMATIC WinCC V8.0",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V8.0 Update 5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in SIMATIC PCS 7 V9.1 (All versions \u003c V9.1 SP2 UC05), SIMATIC WinCC Runtime Professional V18 (All versions \u003c V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions \u003c V19 Update 2), SIMATIC WinCC V7.4 (All versions \u003c V7.4 SP1 Update 23), SIMATIC WinCC V7.5 (All versions \u003c V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions \u003c V8.0 Update 5). The affected products do not properly handle certain requests to their web application, which may lead to the leak of privileged information.\r\nThis could allow an unauthenticated remote attacker to retrieve information such as users and passwords."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-12T12:49:28.352Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-883918.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2024-30321",
    "datePublished": "2024-07-09T12:04:43.997Z",
    "dateReserved": "2024-03-26T16:42:16.797Z",
    "dateUpdated": "2025-08-27T20:42:53.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-32687

CVE-2024-30321 (GCVE-0-2024-30321)

Tags

Sightings

Nomenclature