CVE-2014-2250 - Cryptographic Issues vulnerability in Siemens products

CVSS 8.3 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: COMPLETE

Summary

The random-number generator on Siemens SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 does not have sufficient entropy, which makes it easier for remote attackers to defeat cryptographic protection mechanisms and hijack sessions via unspecified vectors, a different vulnerability than CVE-2014-2251.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Seebug

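bulletinFamily: exploit
description: CVE ID: CVE-2014-2249, CVE-2014-2250, CVE-2014-2252, CVE-2014-2254, CVE-2014-2256, CVE-2014-2258

SIMATIC S7-1200 is a programmable controller that can carry out simple but highly precise automation tasks.

Siemens SIMATIC S7-1200 versions before 4.0.0 contain multiple implementation vulnerabilities that can be maliciously exploited to perform cross-site request forgery, hijack user sessions, and cause denial of service.

  1. An error triggered by specially crafted packets sent to TCP port 443 can cause the device to enter defect mode.
  2. An error related to weak entropy in the random generator can allow another user's session to be hijacked.
  3. An error triggered by specially crafted PROFINET packets can cause the device to enter defect mode.
  4. An error triggered by specially crafted packets sent to TCP port 80 can cause the device to enter defect mode.
  5. An error triggered by specially crafted packets sent to TCP port 102 can cause the device to enter defect mode.

Affected: Siemens SIMATIC S7-1200 < 4.0.0

The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: http://www.siemens.com/corporate-technology/pool/
id: SSV:61889
last seen: 2017-11-19
modified: 2014-03-21
published: 2014-03-21
reporter: Root
title: Siemens SIMATIC S7-1200 Multiple Vulnerabilities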