

Rewterz Threat Advisory – ICS: Advantech WebAccess SCADA
October 13, 2021
Rewterz Threat Advisory – Multiple Microsoft Security Vulnerabilities
October 13, 2021
Severity
Medium
Analysis Summary
CVE-2021-33727
Siemens SINEC NMS could allow a remote authenticated attacker to obtain sensitive information, caused by improper validation of user-supplied input. By sending a specially crafted request, an attacker could exploit this vulnerability to download the user profile of any user and use this information to launch further attacks against the affected system.
CVE-2021-33728
Siemens SINEC NMS could allow a remote authenticated attacker to execute arbitrary code on the system, caused by insecure deserialization of user-supplied JSON objects. By sending a specially-crafted serialized Java object, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on the system.
CVE-2021-33729
Siemens SINEC NMS could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an unspecified flaw. By importing malicious firmware containers, an attacker could exploit this vulnerability to execute arbitrary commands in the local database.
CVE-2021-33730
Siemens SINEC NMS could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an unspecified flaw. By sending specially crafted requests to the web server, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2021-33731; CVE-2021-33732; CVE-2021-33733; CVE-2021-33734; CVE-2021-33735
Siemens SINEC NMS could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an unspecified flaw. By sending specially crafted requests to the web server, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2021-27395
Siemens SIMATIC Process Historian could allow a remote attacker to bypass security restrictions, caused by improper authentication by an interface used for critical functions. By sending a specially crafted request, an attacker could exploit this vulnerability to maliciously insert, modify or delete data.
CVE-2021-33722
Siemens SINEC NMS could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. By exporting a malicious firmware container, an attacker could create arbitrary files on an affected system.
CVE-2021-33723
Siemens SINEC NMS could allow a remote authenticated attacker to bypass security restrictions, caused by an unspecified flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to change the user profile and password of any user without proper authorization.
CVE-2021-33724
Siemens SINEC NMS could allow a remote authenticated attacker to delete arbitrary files, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to delete arbitrary files or directories on the system.
CVE-2021-33725
Siemens SINEC NMS could allow a remote authenticated attacker to delete arbitrary files, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to delete arbitrary files or directories on the system.
CVE-2021-33726
Siemens SINEC NMS could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to download arbitrary files from the system.
Impact
- Information Disclosure
- Command Execution
- Security Bypass
- File Manipulation
- Unauthorized Access
Affected Vendors
- Siemens
Affected Products
- Siemens SINEC NMS 1.0 SP1
- Siemens SINEC NMS 1.0
- Siemens SIMATIC Process Historian 2013
- Siemens SIMATIC Process Historian 2014 SP3 Update 5
- Siemens SIMATIC Process Historian 2019
- Siemens SIMATIC Process Historian 2020
Remediation
Refer to Siemens SINEC Security Advisory for patch, upgrade or suggested workaround information.
Refer to Siemens SIMATIC Security Advisory for patch, upgrade or suggested workaround information.