CVE-2020-15798

Siemens Comfort Panel Telnet Service Missing Authentication Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046)

Se ha identificado una vulnerabilidad en SIMATIC HMI Comfort Panels (incl. Variantes SIPLUS) (Todas las versiones anteriores a V16 Update 3a), SIMATIC HMI KTP Mobile Panels (Todas las versiones anteriores a V16 Update 3a), SINAMICS GH150 (Todas las versiones), SINAMICS GL150 (con la opción X30) (Todas las versiones), SINAMICS GM150 (con la opción X30) (Todas las versiones), SINAMICS SH150 (Todas las versiones), SINAMICS SL150 (Todas las versiones), SINAMICS SM120 (Todas las versiones), SINAMICS SM150 (Todas las versiones), SINAMICS SM150i (Todas las versiones). Los dispositivos afectados con el servicio telnet activado no requieren autenticación para este servicio. Esto podría permitir a un atacante remoto obtener acceso completo al dispositivo. (ZDI-CAN-12046)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Comfort Panel. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the telnet service, which listens on TCP port 22 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

*Credits: Ta-Lun Yen of TXOne IoT/ICS Security Research Labs (Trend Micro)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-07-15 CVE Reserved
2021-02-04 CVE Published
2024-05-28 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-306: Missing Authentication for Critical Function

CAPEC

References (3)

URL	Tag	Source
https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-752103.pdf	2022-10-19

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-520004.pdf	2022-10-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware"	< 16.0 Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware" and version " < 16.0"	-	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Search vendor "Siemens" for product "Simatic Hmi Comfort Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware" and version "16.0"	-	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Search vendor "Siemens" for product "Simatic Hmi Comfort Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware" and version "16.0"	update1	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Search vendor "Siemens" for product "Simatic Hmi Comfort Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware" and version "16.0"	update2	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Search vendor "Siemens" for product "Simatic Hmi Comfort Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Comfort Panels Firmware" and version "16.0"	update3	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Comfort Panels Search vendor "Siemens" for product "Simatic Hmi Comfort Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware"	< 16.0 Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware" and version " < 16.0"	-	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware" and version "16.0"	-	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware" and version "16.0"	update1	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware" and version "16.0"	update2	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Firmware Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware"	16.0 Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels Firmware" and version "16.0"	update3	Affected	in	Siemens Search vendor "Siemens"	Simatic Hmi Ktp Mobile Panels Search vendor "Siemens" for product "Simatic Hmi Ktp Mobile Panels"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Gh150 Firmware Search vendor "Siemens" for product "Sinamics Gh150 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Gh150 Search vendor "Siemens" for product "Sinamics Gh150"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Gl150 Firmware Search vendor "Siemens" for product "Sinamics Gl150 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Gl150 Search vendor "Siemens" for product "Sinamics Gl150"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Gm150 Firmware Search vendor "Siemens" for product "Sinamics Gm150 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Gm150 Search vendor "Siemens" for product "Sinamics Gm150"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Sh150 Firmware Search vendor "Siemens" for product "Sinamics Sh150 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Sh150 Search vendor "Siemens" for product "Sinamics Sh150"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Sl150 Firmware Search vendor "Siemens" for product "Sinamics Sl150 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Sl150 Search vendor "Siemens" for product "Sinamics Sl150"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Sm150 Firmware Search vendor "Siemens" for product "Sinamics Sm150 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Sm150 Search vendor "Siemens" for product "Sinamics Sm150"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Sm120 Firmware Search vendor "Siemens" for product "Sinamics Sm120 Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Sm120 Search vendor "Siemens" for product "Sinamics Sm120"	-	-	Safe
Siemens Search vendor "Siemens"	Sinamics Sm150i Firmware Search vendor "Siemens" for product "Sinamics Sm150i Firmware"	-	-	Affected	in	Siemens Search vendor "Siemens"	Sinamics Sm150i Search vendor "Siemens" for product "Sinamics Sm150i"	-	-	Safe