PT-2022-21705 · Siemens · Simatic Mv560 X+2

Published: 2022-07-12 · Updated: 2022-07-15 · CVE-2022-33138

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SIMATIC MV540 H versions prior to V3.3
SIMATIC MV540 S versions prior to V3.3
SIMATIC MV550 H versions prior to V3.3
SIMATIC MV550 S versions prior to V3.3
SIMATIC MV560 U versions prior to V3.3
SIMATIC MV560 X versions prior to V3.3

Description

A vulnerability has been identified where affected devices do not perform authentication for several web API endpoints. This could allow an unauthenticated remote attacker to read and download data from the device.

Recommendations

For SIMATIC MV540 H versions prior to V3.3, update to version V3.3 or later.
For SIMATIC MV540 S versions prior to V3.3, update to version V3.3 or later.
For SIMATIC MV550 H versions prior to V3.3, update to version V3.3 or later.
For SIMATIC MV550 S versions prior to V3.3, update to version V3.3 or later.
For SIMATIC MV560 U versions prior to V3.3, update to version V3.3 or later.
For SIMATIC MV560 X versions prior to V3.3, update to version V3.3 or later.

As a temporary workaround, consider restricting access to the affected web API endpoints until a patch is available.

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2022-33138

Affected Products

Simatic Mv540 S
Simatic Mv550 H
Simatic Mv560 X