icsa-21-315-07
Vulnerability from csaf_cisa
Published
2021-11-11 00:00
Modified
2022-05-12 00:00
Summary
Siemens Nucleus RTOS-based APOGEE and TALON Products (Update C)
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities could allow denial-of-service conditions, remote code execution, information leaks, and out-of-bounds reads and writes.
Critical infrastructure sectors
Critical Manufacturing
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Exploitability
No known public exploits specifically target these vulnerabilities.
{
"document": {
"acknowledgments": [
{
"organization": "Siemens",
"summary": "reporting these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could allow denial-of-service conditions, remote code execution, information leaks, and out-of-bounds reads and writes.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Critical Manufacturing",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "external",
"summary": "SSA-114589: Multiple Vulnerabilities in Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-114589.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-21-315-07 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-315-07.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-21-315-07 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-07"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-07"
},
{
"category": "external",
"summary": "SSA-114589: Multiple Vulnerabilities in Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf"
},
{
"category": "external",
"summary": "SSA-114589: Multiple Vulnerabilities in Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-114589.txt"
}
],
"title": "Siemens Nucleus RTOS-based APOGEE and TALON Products (Update C)",
"tracking": {
"current_release_date": "2022-05-12T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-21-315-07",
"initial_release_date": "2021-11-11T00:00:00.000000Z",
"revision_history": [
{
"date": "2021-11-11T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-21-315-07 Siemens Nucleus RTOS-based APOGEE and TALON"
},
{
"date": "2021-12-16T00:00:00.000000Z",
"legacy_version": "A",
"number": "2",
"summary": "ICSA-21-315-07 Siemens Nucleus RTOS-based APOGEE and TALON (Update A)"
},
{
"date": "2022-04-14T00:00:00.000000Z",
"legacy_version": "B",
"number": "3",
"summary": "ICSA-21-315-07 Siemens Nucleus RTOS-based APOGEE and TALON (Update B)"
},
{
"date": "2022-05-12T00:00:00.000000Z",
"legacy_version": "C",
"number": "4",
"summary": "ICSA-21-315-07 Siemens Nucleus RTOS-based APOGEE and TALON (Update C)"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "APOGEE MBC (PPC) (BACnet)",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "APOGEE MBC (PPC) (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "APOGEE MBC (PPC) (P2 Ethernet)",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "APOGEE MBC (PPC) (P2 Ethernet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "APOGEE MEC (PPC) (BACnet)",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "APOGEE MEC (PPC) (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "APOGEE MEC (PPC) (P2 Ethernet)",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "APOGEE MEC (PPC) (P2 Ethernet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c V3.5.4",
"product": {
"name": "APOGEE PXC Compact (BACnet)",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "APOGEE PXC Compact (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c V2.8.19",
"product": {
"name": "APOGEE PXC Compact (P2 Ethernet)",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "APOGEE PXC Compact (P2 Ethernet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c V3.5.4",
"product": {
"name": "APOGEE PXC Modular (BACnet)",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "APOGEE PXC Modular (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c V2.8.19",
"product": {
"name": "APOGEE PXC Modular (P2 Ethernet)",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "APOGEE PXC Modular (P2 Ethernet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC00-E.D",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "Desigo PXC00-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC00-U",
"product_id": "CSAFPID-00010"
}
}
],
"category": "product_name",
"name": "Desigo PXC00-U"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC001-E.D",
"product_id": "CSAFPID-00011"
}
}
],
"category": "product_name",
"name": "Desigo PXC001-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC12-E.D",
"product_id": "CSAFPID-00012"
}
}
],
"category": "product_name",
"name": "Desigo PXC12-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC22-E.D",
"product_id": "CSAFPID-00013"
}
}
],
"category": "product_name",
"name": "Desigo PXC22-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC22.1-E.D",
"product_id": "CSAFPID-00014"
}
}
],
"category": "product_name",
"name": "Desigo PXC22.1-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC36.1-E.D",
"product_id": "CSAFPID-00015"
}
}
],
"category": "product_name",
"name": "Desigo PXC36.1-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC50-E.D",
"product_id": "CSAFPID-00016"
}
}
],
"category": "product_name",
"name": "Desigo PXC50-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC64-U",
"product_id": "CSAFPID-00017"
}
}
],
"category": "product_name",
"name": "Desigo PXC64-U"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC100-E.D",
"product_id": "CSAFPID-00018"
}
}
],
"category": "product_name",
"name": "Desigo PXC100-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC128-U",
"product_id": "CSAFPID-00019"
}
}
],
"category": "product_name",
"name": "Desigo PXC128-U"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXC200-E.D",
"product_id": "CSAFPID-00020"
}
}
],
"category": "product_name",
"name": "Desigo PXC200-E.D"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= V2.3 and \u003c V6.30.016",
"product": {
"name": "Desigo PXM20-E",
"product_id": "CSAFPID-00021"
}
}
],
"category": "product_name",
"name": "Desigo PXM20-E"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c V3.5.4",
"product": {
"name": "TALON TC Compact (BACnet)",
"product_id": "CSAFPID-00022"
}
}
],
"category": "product_name",
"name": "TALON TC Compact (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c V3.5.4",
"product": {
"name": "TALON TC Modular (BACnet)",
"product_id": "CSAFPID-00023"
}
}
],
"category": "product_name",
"name": "TALON TC Modular (BACnet)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-31344",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"notes": [
{
"category": "summary",
"text": "ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004). CVE-2021-31344 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31344 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31344 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31344.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31344"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31344"
},
{
"cve": "CVE-2021-31345",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "summary",
"text": "The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006). CVE-2021-31345 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31345 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31345 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31345.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31345"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31345"
},
{
"cve": "CVE-2021-31346",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "summary",
"text": "The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007). CVE-2021-31346 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31346 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31346 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31346.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31346"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31346"
},
{
"cve": "CVE-2021-31881",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008). CVE-2021-31881 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31881 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31881 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31881.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31881"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31881"
},
{
"cve": "CVE-2021-31882",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "summary",
"text": "The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011). CVE-2021-31882 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31882 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31882 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31882.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31882"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31882"
},
{
"cve": "CVE-2021-31883",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "summary",
"text": "When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0013). CVE-2021-31883 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31883 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31883 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31883.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31883"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31883"
},
{
"cve": "CVE-2021-31884",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "summary",
"text": "The DHCP client application assumes that the data supplied with the \u201cHostname\u201d DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. (FSMD-2021-0014). CVE-2021-31884 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31884 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31884 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31884.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31884"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31884"
},
{
"cve": "CVE-2021-31885",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"notes": [
{
"category": "summary",
"text": "TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands. (FSMD-2021-0009). CVE-2021-31885 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31885 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31885 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31885.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31885"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31885"
},
{
"cve": "CVE-2021-31886",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "summary",
"text": "FTP server does not properly validate the length of the \u201cUSER\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0010). CVE-2021-31886 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31886 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31886 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31886.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31886"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31886"
},
{
"cve": "CVE-2021-31887",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "summary",
"text": "FTP server does not properly validate the length of the \u201cPWD/XPWD\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0016). CVE-2021-31887 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31887 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31887 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31887.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31887"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31887"
},
{
"cve": "CVE-2021-31888",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "summary",
"text": "FTP server does not properly validate the length of the \u201cMKD/XMKD\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018). CVE-2021-31888 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31888 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31888 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31888.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31888"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31888"
},
{
"cve": "CVE-2021-31889",
"cwe": {
"id": "CWE-191",
"name": "Integer Underflow (Wrap or Wraparound)"
},
"notes": [
{
"category": "summary",
"text": "Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015). CVE-2021-31889 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31889 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31889 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31889.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31889"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31889"
},
{
"cve": "CVE-2021-31890",
"cwe": {
"id": "CWE-240",
"name": "Improper Handling of Inconsistent Structural Elements"
},
"notes": [
{
"category": "summary",
"text": "The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017). CVE-2021-31890 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
"references": [
{
"summary": "CVE-2021-31890 - Desigo PXC00-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC00-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC001-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC12-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC22-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC22.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC36.1-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC50-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC64-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC100-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC128-U",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXC200-E.D",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 - Desigo PXM20-E",
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"summary": "CVE-2021-31890 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31890.json"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31890"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to V3.5.4 or later version",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0007",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "vendor_fix",
"details": "Update to V2.8.19 or later version",
"product_ids": [
"CSAFPID-0006",
"CSAFPID-0008"
]
},
{
"category": "vendor_fix",
"details": "Update to V6.30.016 or later version",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109810577"
},
{
"category": "mitigation",
"details": "CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note that the FTP service is disabled by default on Desigo products.)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
},
{
"category": "mitigation",
"details": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021",
"CSAFPID-00022",
"CSAFPID-00023"
]
}
],
"title": "CVE-2021-31890"
}
]
}
Loading...