EZPDO


More than a dozen flaws discovered in Siemens industrial network management system

By Marguerite Burton
June 18, 2022

Cybersecurity researchers have revealed details of 15 security flaws in the Siemens SINEC network management system (NMS), some of which could be chained together by an attacker to achieve remote code execution on affected systems.

“The vulnerabilities, if exploited, pose a number of risks to Siemens devices on the network, including denial of service attacks, credential leaks, and remote code execution under certain circumstances,” said industrial security firm Claroty in a new report.

The shortcomings in question, tracked as CVE-2021-33722 through CVE-2021-33736, were fixed by Siemens in version V1.0 SP2 Update 1 as part of updates shipped on October 12, 2021.

“The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions,” Siemens noted in an advisory at the time.

The main weakness is CVE-2021-33723 (CVSS score: 8.8), which allows elevation of privileges to an administrator account and could be combined with CVE-2021-33722 (CVSS score: 7.2), a path traversal flaw, to execute arbitrary code remotely.

Another notable flaw is a SQL injection (CVE-2021-33729, CVSS score: 8.8) that an authenticated attacker could exploit to execute arbitrary commands in the local database.

“SINEC occupies a powerful central position within the network topology as it requires access to credentials, cryptographic keys and other secrets granting it administrator access in order to manage network devices,” said Noam Moshe of Claroty.

“From the perspective of an attacker performing a living-off-the-land type of attack where legitimate credentials and network tools are abused to conduct malicious activity, access to and control of SINEC places an attacker in a prime position for: reconnaissance, lateral movement and escalation of privileges.”
