CVE-2021-20093

A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.4 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210423-01.pdf	Mitigation Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-675303.pdf	Patch Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02	Third Party Advisory US Government Resource
https://www.tenable.com/security/research/tra-2021-24	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:siemens:pss_cape:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:siemens:sicam_230_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:sicam_230:-:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:siemens:simatic_information_server:2019:sp1::::::
	cpe:2.3:a:siemens:simatic_information_server:2020:-::::::
	cpe:2.3:a:siemens:simatic_pcs_neo::::::::
	cpe:2.3:a:siemens:simatic_wincc_oa:3.17:-::::::
	cpe:2.3:a:siemens:simatic_wincc_oa:3.18:-::::::
	cpe:2.3:a:siemens:simit_simulation_platform::::::::
	cpe:2.3:a:siemens:simit_simulation_platform:10.3:-::::::
	cpe:2.3:a:siemens:sinec_infrastructure_network_services::::::::
	cpe:2.3:a:siemens:sinec_infrastructure_network_services:1.0.1:-::::::
	cpe:2.3:a:siemens:sinema_remote_connect_server::::::::
	cpe:2.3:a:siemens:sinema_remote_connect_server:3.0:-::::::
	cpe:2.3:a:siemens:sinema_remote_connect_server:3.0:sp1::::::
	cpe:2.3:h:siemens:simatic_process_historian::::::::
	cpe:2.3:h:siemens:simatic_process_historian:2020:-::::::

History

06 Oct 2022, 17:43

Type	Values Removed	Values Added
First Time		Siemens sinec Infrastructure Network Services Siemens sicam 230 Firmware Siemens simit Simulation Platform Siemens simatic Process Historian Siemens sicam 230 Siemens simatic Pcs Neo Siemens sinema Remote Connect Server Siemens simatic Wincc Oa Siemens simatic Information Server Siemens pss Cape Siemens
References		(MISC) https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02 - Third Party Advisory, US Government Resource
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-675303.pdf -~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-675303.pdf - Patch, Third Party Advisory
CPE		cpe:2.3:a:siemens:simit_simulation_platform:::::::: cpe:2.3:a:siemens:simatic_wincc_oa:3.17:-:::::: cpe:2.3:a:siemens:sinema_remote_connect_server:3.0:-:::::: cpe:2.3:a:siemens:sinec_infrastructure_network_services:::::::: cpe:2.3:h:siemens:sicam_230:-:::::::* cpe:2.3:a:siemens:sinema_remote_connect_server:::::::: cpe:2.3:a:siemens:sinec_infrastructure_network_services:1.0.1:-:::::: cpe:2.3:a:siemens:simatic_information_server:2019:sp1:::::: cpe:2.3:h:siemens:simatic_process_historian:::::::: cpe:2.3:a:siemens:simatic_wincc_oa:3.18:-:::::: cpe:2.3:a:siemens:simatic_information_server:2020:-:::::: cpe:2.3:a:siemens:simatic_pcs_neo:::::::: cpe:2.3:o:siemens:sicam_230_firmware:::::::: cpe:2.3:a:siemens:simit_simulation_platform:10.3:-:::::: cpe:2.3:h:siemens:simatic_process_historian:2020:-:::::: cpe:2.3:a:siemens:pss_cape:-:::::::* cpe:2.3:a:siemens:sinema_remote_connect_server:3.0:sp1::::::

05 Aug 2021, 21:15

Type	Values Removed	Values Added
References		(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-675303.pdf -

22 Jun 2021, 19:52

Type	Values Removed	Values Added
References	~~(MISC) https://www.tenable.com/security/research/tra-2021-24 -~~	(MISC) https://www.tenable.com/security/research/tra-2021-24 - Exploit, Patch, Third Party Advisory
References	~~(MISC) https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210423-01.pdf -~~	(MISC) https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-210423-01.pdf - Mitigation, Vendor Advisory
CWE		CWE-125
CPE		cpe:2.3:a:wibu:codemeter::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.4 v3 : 9.1

16 Jun 2021, 12:49

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-06-16 12:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-20093

Mitre link : CVE-2021-20093

CVE.ORG link : CVE-2021-20093

JSON object : View

Products Affected

siemens

sicam_230
pss_cape
sicam_230_firmware
simatic_pcs_neo
simatic_wincc_oa
sinema_remote_connect_server
sinec_infrastructure_network_services
simatic_information_server
simatic_process_historian
simit_simulation_platform

wibu

codemeter

CWE

CWE-125

Out-of-bounds Read

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2021-20093

9.1^/10

6.4^/10

Attach tags to `CVE-2021-20093`