CRITICAL🇵🇱 Wersja polska

CVE-2023-51438

CVSS 10.0v3.1pub. 2024-01-09upd. 2024-11-21

A vulnerability has been identified in SIMATIC IPC1047E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows), SIMATIC IPC647E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows), SIMATIC IPC847E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows). In default installations of maxView Storage Manager where Redfish® server is configured for remote system management, a vulnerability has been identified that can provide unauthorized access.

🤖 AI Analysis
How it works

In default installations of maxView Storage Manager, the Redfish server is configured for remote system management. Due to improper input validation (CWE-20), the authentication or access control mechanism of the Redfish interface can be bypassed, allowing an unauthorized attacker to gain access over the network without needing to possess any credentials. The attack requires no user interaction or special privileges, and its scope covers components outside the directly vulnerable system (Scope: Changed).

Impact

An attacker can gain full, unauthorized access to the storage management system, which may lead to disclosure of sensitive data, modification of configuration, or disruption of system availability (complete breach of confidentiality, integrity, and availability).

Mitigation & patch

Update maxView Storage Manager to version V4.14.00.26068 or later. Detailed information and patches are available in the Siemens security bulletin SSA-702935 at: https://cert-portal.siemens.com/productcert/pdf/ssa-702935.pdf. Until the update is deployed, it is recommended to restrict network access to the Redfish interface using a firewall or network segmentation.

Who is affected

Siemens SIMATIC IPC1047E, SIMATIC IPC647E, and SIMATIC IPC847E — all versions with Microchip maxView Storage Manager version earlier than V4.14.00.26068 installed on Windows, in default configuration with Redfish server enabled

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microchip Maxview Storage Manager

    APP
    Microchip
    < 4.14.00.26068
  • Siemens Simatic Ipc1047e

    HW
    Siemens
    wszystkie wersje
  • Siemens Simatic Ipc647e

    HW
    Siemens
    wszystkie wersje
  • Siemens Simatic Ipc847e

    HW
    Siemens
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-22216CRITICAL10.0PL ✓ten sam produkt

Nieautoryzowany dostęp w Microchip maxView Storage Manager przez serwer Redfish

CVE-2021-33627HIGH8.2ten sam produkt

An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.09.11, 5.1 before 05.17.11, 5.2 before 05.27....

CVE-2020-5953HIGH7.5ten sam produkt

A vulnerability exists in System Management Interrupt (SWSMI) handler of InsydeH2O UEFI Firmware code located ...

CVE-2021-33625HIGH7.5ten sam produkt

An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. Software SMI services that u...

CVE-2021-41837HIGH8.2ten sam produkt

An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrust...