PT-2022-21704 · Siemens · Simatic Mv560 X+2
Published: 2022-07-12 · Updated: 2022-07-15 · CVE-2022-33137
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SIMATIC MV540 H versions prior to V3.3
SIMATIC MV540 S versions prior to V3.3
SIMATIC MV550 H versions prior to V3.3
SIMATIC MV550 S versions prior to V3.3
SIMATIC MV560 U versions prior to V3.3
SIMATIC MV560 X versions prior to V3.3
Description
A security issue has been identified where the web session management of affected devices fails to invalidate session IDs in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.
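The defect class described above, as an added example (not code from the advisory or from the Siemens products): a minimal server-side session store in Python contrasting a logout that only clears the browser cookie with one that invalidates the session ID server-side, plus the replay check a tester uses to tell the two apart. The store, the TTL and the user name are constructed for illustration.

```python
import secrets
import time

# Added example (not from the advisory or Siemens): a toy server-side session
# store that shows why logout must invalidate the session record on the server,
# not merely instruct the browser to drop its cookie.

SESSION_TTL = 3600  # seconds; assumed idle timeout for this demonstration


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "expires": float}

    def login(self, user):
        """Issue a fresh, unpredictable session ID bound to the user."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def resolve(self, sid):
        """Return the user for a valid session ID, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] <= time.time():
            self._sessions.pop(sid, None)
            return None
        return entry["user"]

    def logout_weak(self, sid):
        """Vulnerable pattern: the browser is told to discard the cookie, but
        the server-side record survives, so anyone holding the old ID keeps access."""
        return "Set-Cookie: session=; Max-Age=0"

    def logout_strong(self, sid):
        """Fixed pattern: the server-side record is removed, so the old ID is
        dead no matter what the client does with its cookie."""
        self._sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0"


def old_id_still_valid(logout_name):
    """Replay check: log in, log out, then present the old session ID again.
    True means the session was not invalidated (the bug class in this advisory)."""
    store = SessionStore()
    sid = store.login("operator")  # constructed user name
    getattr(store, logout_name)(sid)
    return store.resolve(sid) is not None
```

Running the same check against a real device is done from a second browser profile or HTTP client: log out in one, then replay the captured session cookie from the other and confirm the server answers with the login page.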
Recommendations
For SIMATIC MV540 H versions prior to V3.3, update to version V3.3 or later to resolve the issue.
For SIMATIC MV540 S versions prior to V3.3, update to version V3.3 or later to resolve the issue.
For SIMATIC MV550 H versions prior to V3.3, update to version V3.3 or later to resolve the issue.
For SIMATIC MV550 S versions prior to V3.3, update to version V3.3 or later to resolve the issue.
For SIMATIC MV560 U versions prior to V3.3, update to version V3.3 or later to resolve the issue.
For SIMATIC MV560 X versions prior to V3.3, update to version V3.3 or later to resolve the issue.
Fix
Update the affected device to V3.3 or later (see Recommendations above).
Weakness Enumeration
Insufficient Session Expiration (CWE-613)
Related Identifiers
CVE-2022-33137
Affected Products
Simatic Mv540 S
Simatic Mv550 H
Simatic Mv560 X