Vulnerabilities > CVE-2022-33137 - Insufficient Session Expiration vulnerability in Siemens products

CVSS 6.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

siemens

CWE-613

NVD

Published: 2022-07-12

Updated: 2022-07-15

Summary

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.

Vulnerable Configurations

Part	Description	Count
OS	Siemens Siemens Simatic Mv540 H Firmware * Siemens Simatic Mv540 S Firmware * Siemens Simatic Mv550 H Firmware * Siemens Simatic Mv550 S Firmware * Siemens Simatic Mv560 U Firmware * Siemens Simatic Mv560 X Firmware *	6
Hardware	Siemens Siemens Simatic Mv540 H - Siemens Simatic Mv540 S - Siemens Simatic Mv550 H - Siemens Simatic Mv550 S - Siemens Simatic Mv560 U - Siemens Simatic Mv560 X -	6

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf