CVE-2021-27395 - Vulnerability Details - OpenCVE

A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions). An interface in the software that is used for critical functionalities lacks authentication, which could allow a malicious user to maliciously insert, modify or delete data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Simatic Process Historian 2013 Simatic Process Historian 2014 Simatic Process Historian 2019 Simatic Process Historian 2020

Configuration 1 [-]

OR	cpe:2.3:a:siemens:simatic_process_historian_2013::::::::
	cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp1::::::
	cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp2::::::
	cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp3::::::
	cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp3_update4::::::
	cpe:2.3:a:siemens:simatic_process_historian_2019::::::::
	cpe:2.3:a:siemens:simatic_process_historian_2020::::::::

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2021-10-12T09:49:20

Updated: 2024-08-03T20:48:16.821Z

Reserved: 2021-02-18T00:00:00

Link: CVE-2021-27395

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-12T10:15:11.493

Modified: 2024-11-21T05:57:54.560

Link: CVE-2021-27395

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SIMATIC Process Historian 2013 and earlier", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}, {"product": "SIMATIC Process Historian 2014", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions < SP3 Update 6"}]}, {"product": "SIMATIC Process Historian 2019", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}, {"product": "SIMATIC Process Historian 2020", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions). An interface in the software that is used for critical functionalities lacks authentication, which could allow a malicious user to maliciously insert, modify or delete data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-11T11:27:05", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-27395", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SIMATIC Process Historian 2013 and earlier", "version": {"version_data": [{"version_value": "All versions"}]}}, {"product_name": "SIMATIC Process Historian 2014", "version": {"version_data": [{"version_value": "All versions < SP3 Update 6"}]}}, {"product_name": "SIMATIC Process Historian 2019", "version": {"version_data": [{"version_value": "All versions"}]}}, {"product_name": "SIMATIC Process Historian 2020", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "Siemens"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions). An interface in the software that is used for critical functionalities lacks authentication, which could allow a malicious user to maliciously insert, modify or delete data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306: Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:48:16.821Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-27395", "datePublished": "2021-10-12T09:49:20", "dateReserved": "2021-02-18T00:00:00", "dateUpdated": "2024-08-03T20:48:16.821Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2013:*:*:*:*:*:*:*:*", "matchCriteriaId": "78883EE0-420B-49C6-B8C6-64915216504E", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp1:*:*:*:*:*:*", "matchCriteriaId": "0D802BDB-8F9C-481E-A152-CAF4347C8B3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp2:*:*:*:*:*:*", "matchCriteriaId": "FEBF81AD-7354-4CD5-89A4-0088F6C00721", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp3:*:*:*:*:*:*", "matchCriteriaId": "DA9B2CB2-5D15-4470-9DBC-E168F12F3880", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2014:-:sp3_update4:*:*:*:*:*:*", "matchCriteriaId": "98216800-858E-4C6E-B086-0F5E56888C9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2019:*:*:*:*:*:*:*:*", "matchCriteriaId": "81E1CC4F-602E-4DF8-9B4F-E52AF18C9B07", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_process_historian_2020:*:*:*:*:*:*:*:*", "matchCriteriaId": "E89C6F2E-C7A9-4ACE-9247-4CE06BE90C53", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions). An interface in the software that is used for critical functionalities lacks authentication, which could allow a malicious user to maliciously insert, modify or delete data."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en SIMATIC Process Historian 2013 y anteriores (Todas las versiones), SIMATIC Process Historian 2014 (Todas las versiones anteriores a SP3 Update 6), SIMATIC Process Historian 2019 (Todas las versiones), SIMATIC Process Historian 2020 (Todas las versiones). Una interfaz en el software que es usada para funcionalidades cr\u00edticas carece de autenticaci\u00f3n, lo que podr\u00eda permitir a un usuario malicioso insertar, modificar o eliminar datos de forma maliciosa"}], "id": "CVE-2021-27395", "lastModified": "2024-11-21T05:57:54.560", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-12T10:15:11.493", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "productcert@siemens.com", "type": "Secondary"}]}