-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-163251: Multiple Vulnerabilities in SINEC NMS

Publication Date:        2021-10-12
Last Update:             2021-10-12
Current Version:         1.0
CVSS v3.1 Base Score:    8.8

SUMMARY
=======

The latest update for SINEC NMS fixes multiple vulnerabilities. The most
severe could allow an authenticated remote attacker to execute arbitrary
code on the system, with system privileges, under certain conditions.

Siemens has released an update for SINEC NMS and recommends to update to
the latest version.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SINEC NMS 
  - Affected versions:
       All versions < V1.0 SP2 Update 1
  - Remediation:
       Update to V1.0 SP2 Update 1 or later version
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109802731/


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Restrict access to the affected systems, especially to port 443/tcp, to
trusted IP addresses only



GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SINEC NMS is a new generation of the Network Management System (NMS) for
the Digital Enterprise. This system can be used to centrally monitor,
manage, and configure networks.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2021-33722

  The affected system has a Path Traversal vulnerability when exporting a
  firmware container. With this a privileged authenticated attacker could
  create arbitrary files on an affected system.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')

* Vulnerability CVE-2021-33723

  An authenticated attacker could change the user profile of any user
  without proper authorization. With this, the attacker could change the
  password of any user in the affected system.

  CVSS v3.1 Base Score: 8.8
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-285: Improper Authorization

* Vulnerability CVE-2021-33724

  The affected system contains an Arbitrary File Deletion vulnerability
  that possibly allows to delete an arbitrary file or directory under a
  user controlled path.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')

* Vulnerability CVE-2021-33725

  The affected system allows to delete arbitrary files or directories
  under a user controlled path and does not correctly check if the
  relative path is still within the intended target directory.

  CVSS v3.1 Base Score: 4.9
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')

* Vulnerability CVE-2021-33726

  The affected system allows to download arbitrary files under a user
  controlled path and does not correctly check if the relative path is
  still within the intended target directory.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')

* Vulnerability CVE-2021-33727

  An authenticated attacker could download the user profile of any user.
  With this, the attacker could leak confidential information of any user
  in the affected system.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

* Vulnerability CVE-2021-33728

  The affected system allows to upload JSON objects that are deserialized
  to JAVA objects. Due to insecure deserialization of user-supplied
  content by the affected software, a privileged attacker could exploit
  this vulnerability by sending a crafted serialized Java object.
  
  An exploit could allow the attacker to execute arbitrary code on the
  device with root privileges.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-502: Deserialization of Untrusted Data

* Vulnerability CVE-2021-33729

  An authenticated attacker that is able to import firmware containers to
  an affected system could execute arbitrary commands in the local
  database.

  CVSS v3.1 Base Score: 8.8
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33730

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33731

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33732

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33733

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33734

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33735

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')

* Vulnerability CVE-2021-33736

  A privileged authenticated attacker could execute arbitrary commands in
  the local database by sending crafted requests to the webserver of the
  affected application.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection')


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * Noam Moshe from Claroty for coordinated disclosure



ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2021-10-12): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmFk0AAACgkQlm7gTEmy
ujTSZxAAht3dhFs7O2orky/yXIdpMl36RfKxGkdSMXukGbgLZ4Khf31Vqr2DKE53
8WvFyWIfjiC2b8v7RL/9ZBQO9XNFDjsaBMvNN/f8OZk1NZn99oqHkvC0i5XxzJ57
aIA59Q8cvgSV7g477sf16EtgmoW9Aj1tbqD5PbgowJLl9/QGkawnCq76rmqnYd+x
bC5w4r3zfyWne3QqV2g++IagGdbFpw4MymWjWcCoWbOIES2em8jf7HdicqSDRAt/
ASjGtsbA6UP9CUyzVp/IwdOkAahvQ6hc7Anwa/4LJ4Y/vh1K8QzkFK7BXorjajxw
oASpzSyq/B8YNeefBCssmYIEhwp/orbMdYSw6V9qGBB8DHcGN2aghVU4EpJ/0FId
H+fS9IfM3RoHUwPXCJ4KGRLMhMe0VFXaOnD5TgkLFM3Hltwt5fKh4ExkXTMvUvAj
HPxQT5Yas9OYHbAReYhg49ykKl3bQlLLXNfzOcww63lt0HF/Wn2xLvYn3QF0OGW8
3aTnck7dIbKg6Zafhf1z51bYizAGB3VfzPSFCJLbfF+PGQvu71l5P3+PeY7dxz/S
ykrO9R/vqL5rn8y3DA0DBrNlXKWiyJoXWGSfJVRuFBioWH1YVnSbDNZ1uB6W52vL
yfhg0u5QNDIbAmkxigTZX73N8zjTly/j56LnzjlYUcTA2+2CSyY=
=2jRa
-----END PGP SIGNATURE-----