CVE-2013-6920

Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not require authentication for FTP and TELNET sessions, which allows remote attackers to bypass intended access restrictions via TCP traffic to port (1) 21 or (2) 23.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://ics-cert.us-cert.gov/advisories/ICSA-13-338-01	US Government Resource
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-742938.pdf	Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-742938.pdf

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:siemens:sinamics_s\/g_family_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:siemens:sinamics_g110:-:::::::*
	cpe:2.3:h:siemens:sinamics_g110d:-:::::::*
	cpe:2.3:h:siemens:sinamics_g120:-:::::::*
	cpe:2.3:h:siemens:sinamics_g120c:-:::::::*
	cpe:2.3:h:siemens:sinamics_g120d:-:::::::*
	cpe:2.3:h:siemens:sinamics_g120p:-:::::::*
	cpe:2.3:h:siemens:sinamics_g130:-:::::::*
	cpe:2.3:h:siemens:sinamics_g150:-:::::::*
	cpe:2.3:h:siemens:sinamics_g180:-:::::::*
	cpe:2.3:h:siemens:sinamics_s110:-:::::::*
	cpe:2.3:h:siemens:sinamics_s120:-:::::::*
	cpe:2.3:h:siemens:sinamics_s120cm:-:::::::*
	cpe:2.3:h:siemens:sinamics_s150:-:::::::*

History

No history.

Information

Published : 2013-12-07 00:55

Updated : 2020-02-10 15:15

NVD link : CVE-2013-6920

Mitre link : CVE-2013-6920

CVE.ORG link : CVE-2013-6920

JSON object : View

Products Affected

siemens

sinamics_g110
sinamics_g150
sinamics_s110
sinamics_g120
sinamics_g120p
sinamics_s120
sinamics_g120c
sinamics_s120cm
sinamics_s150
sinamics_g130
sinamics_g110d
sinamics_g120d
sinamics_s\/g_family_firmware
sinamics_g180

CWE

CWE-287

Improper Authentication

{"id": "CVE-2013-6920", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-12-07T00:55:04.147", "references": [{"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-338-01", "tags": ["US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-742938.pdf", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-742938.pdf", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not require authentication for FTP and TELNET sessions, which allows remote attackers to bypass intended access restrictions via TCP traffic to port (1) 21 or (2) 23."}, {"lang": "es", "value": "Los controladores Siemens SINAMICS S/G con firmware anterior a 4.6.11 no requiere autenticaci\u00f3n para sesiones FTP y TELNET, lo que permite a atacantes remotos evadir restricciones de acceso intencionadas a trav\u00e9s de trafico TCP al puerto (1) 21 o (2) 23."}], "lastModified": "2020-02-10T15:15:12.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:siemens:sinamics_s\\/g_family_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F15BC1E1-45E3-44F0-BD41-E7A73FB33662", "versionEndIncluding": "4.6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:siemens:sinamics_g110:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5ADF0BB-01FA-4FE4-BF4D-D33A6C5DAAFD"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g110d:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CE4257F-7262-4CC0-A874-374106B4B2C8"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g120:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61A60DCE-384B-43A4-A669-973FB8ECA932"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g120c:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "909DED2E-4CA6-4A07-B924-797260FDE2E4"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g120d:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75ED7DEA-67F8-4971-A076-79AF82026FD0"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g120p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21FAA04F-FBE9-4EFA-BE79-1EAFF47A20D3"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g130:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "373DBE44-AC28-4D04-93BB-35CD8C60E899"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g150:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2296CA65-0E89-4BCB-8003-E7212BF1F585"}, {"criteria": "cpe:2.3:h:siemens:sinamics_g180:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC515520-BB04-4849-ACE8-87ED5D591454"}, {"criteria": "cpe:2.3:h:siemens:sinamics_s110:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6218802E-D3B1-4197-A6B5-7343A50F7D88"}, {"criteria": "cpe:2.3:h:siemens:sinamics_s120:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5A824BD-935F-4E53-8313-C5544B0489C7"}, {"criteria": "cpe:2.3:h:siemens:sinamics_s120cm:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0ECF745-CE82-42C6-9EA0-12FBD89F6220"}, {"criteria": "cpe:2.3:h:siemens:sinamics_s150:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D48682C-A39D-4A09-B904-50FA64A9D2A5"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}