CVE-2024-39871

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-381581.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:sinema_remote_connect_server::::::::
	cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:-::::::
	cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:hf1::::::

History

06 Sep 2024, 18:32

Type	Values Removed	Values Added
CPE		cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:hf1:::::: cpe:2.3:a:siemens:sinema_remote_connect_server:::::::: cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:-::::::
Summary		(es) Se ha identificado una vulnerabilidad en SINEMA Remote Connect Server (todas las versiones < V3.2 SP1). Las aplicaciones afectadas no separan adecuadamente los derechos para editar la configuración del dispositivo y los derechos para editar la configuración de las relaciones de comunicación. Esto podría permitir que un atacante autenticado con permiso para administrar dispositivos obtenga acceso a grupos de participantes a los que el atacado no pertenece.
First Time		Siemens Siemens sinema Remote Connect Server
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-381581.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-381581.html - Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.3~~	v2 : unknown v3 : 5.4

09 Jul 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 12:15

Updated : 2024-09-06 18:32

NVD link : CVE-2024-39871

Mitre link : CVE-2024-39871

CVE.ORG link : CVE-2024-39871

JSON object : View

Products Affected

siemens

sinema_remote_connect_server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-39871", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 5.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-09T12:15:18.833", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html", "tags": ["Patch", "Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en SINEMA Remote Connect Server (todas las versiones < V3.2 SP1). Las aplicaciones afectadas no separan adecuadamente los derechos para editar la configuraci\u00f3n del dispositivo y los derechos para editar la configuraci\u00f3n de las relaciones de comunicaci\u00f3n. Esto podr\u00eda permitir que un atacante autenticado con permiso para administrar dispositivos obtenga acceso a grupos de participantes a los que el atacado no pertenece."}], "lastModified": "2024-09-06T18:32:01.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA2839E7-E397-4D69-865B-439F0017D540", "versionEndExcluding": "3.2"}, {"criteria": "cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CBBACB4-9C5A-4616-BD70-FEDEE9978BFC"}, {"criteria": "cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:hf1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9B79132-ECF2-4519-9D07-28DB6B0ABE2C"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}