CVE-2021-42023

A vulnerability has been identified in ModelSim Simulation (All versions), Questa Simulation (All versions). The RSA white-box implementation in affected applications insufficiently protects the built-in private keys that are required to decrypt electronic intellectual property (IP) data in accordance with the IEEE 1735 recommended practice. This could allow a sophisticated attacker to discover the keys, bypassing the protection intended by the IEEE 1735 recommended practice.

CVSS v3 6.5 MEDIUM
CVSS v2.0 2.1 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-400332.pdf	Patch Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-400332.pdf	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:modelsim::::::::
	cpe:2.3:a:siemens:questa::::::::

History

21 Nov 2024, 06:27

Type	Values Removed	Values Added
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-400332.pdf - Patch, Vendor Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-400332.pdf - Patch, Vendor Advisory

Information

Published : 2021-12-14 12:15

Updated : 2024-11-21 06:27

NVD link : CVE-2021-42023

Mitre link : CVE-2021-42023

CVE.ORG link : CVE-2021-42023

JSON object : View

Products Affected

siemens

modelsim
questa

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2021-42023", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-12-14T12:15:09.917", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-400332.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-400332.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in ModelSim Simulation (All versions), Questa Simulation (All versions). The RSA white-box implementation in affected applications insufficiently protects the built-in private keys that are required to decrypt electronic intellectual property (IP) data in accordance with the IEEE 1735 recommended practice. This could allow a sophisticated attacker to discover the keys, bypassing the protection intended by the IEEE 1735 recommended practice."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en ModelSim Simulation (Todas las versiones), Questa Simulation (Todas las versiones). La implementaci\u00f3n de caja blanca RSA en las aplicaciones afectadas no protege suficientemente las claves privadas incorporadas que son requeridas para descifrar datos electr\u00f3nicos de propiedad intelectual (IP) de acuerdo con la pr\u00e1ctica recomendada por el IEEE 1735. Esto podr\u00eda permitir a un atacante sofisticado detectar las claves, omitiendo la protecci\u00f3n prevista por la pr\u00e1ctica recomendada IEEE 1735"}], "lastModified": "2024-11-21T06:27:06.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:modelsim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B71482B-C9EC-42CE-84C2-73B4022D86A7"}, {"criteria": "cpe:2.3:a:siemens:questa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F1CF6C5-4501-48C1-96D3-7971F0A8A10C"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}