製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数のシーメンス製品における境界外書き込みに関する脆弱性

Title	複数のシーメンス製品における境界外書き込みに関する脆弱性
Summary	複数のシーメンス製品には、境界外書き込みに関する脆弱性が存在します。 Zero Day Initiative は、本脆弱性に ZDI-CAN-11885 を採番していました。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 25, 2020, midnight
Registration Date	Sept. 15, 2021, 5:32 p.m.
Last Update	Sept. 15, 2021, 5:32 p.m.

Affected System

シーメンス

JT2Go 13.1.0.1 未満

Solid Edge SE2020MP12 未満

Solid Edge SE2021MP2 未満

Teamcenter Visualization 13.1.0.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-28383	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28383
National Vulnerability Database (NVD)
2	CVE-2020-28383	https://nvd.nist.gov/vuln/detail/CVE-2020-28383

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	Name	URL
Siemens Security Advisory
1	SSA-622830	https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf
2	SSA-663999	https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf
3	SSA-979834	https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-21-012-04	https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04
JVN
2	JVNVU#91685542	https://jvn.jp/vu/JVNVU91685542/
関連文書
3	ZDI-21-047 (Siemens JT2Go PAR File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability)	https://www.zerodayinitiative.com/advisories/ZDI-21-047/

Change Log

No	Changed Details	Date of change
1	[2021年09月15日] 掲載	Sept. 15, 2021, 5:32 p.m.

NVD Vulnerability Information

CVE-2020-28383

Summary	A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2), Teamcenter Visualization (All versions < V13.1.0.1). Affected applications lack proper validation of user-supplied data when parsing PAR files. This can result in an out of bounds write past the memory location that is a read only image address. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-11885)
Publication Date	Jan. 13, 2021, 6:15 a.m.
Registration Date	Jan. 26, 2021, 10:40 a.m.
Last Update	Nov. 21, 2024, 2:22 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:siemens:jt2go::::::::				13.1.0.1
cpe:2.3:a:siemens:teamcenter_visualization::::::::				13.1.0.1
cpe:2.3:a:siemens:solid_edge:se2021:-::::::
cpe:2.3:a:siemens:solid_edge:se2021:maintenance_pack1::::::
cpe:2.3:a:siemens:solid_edge:se2020:-::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack1::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack2::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack3::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack4::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack5::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack6::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack7::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack8::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack9::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack10::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack11::::::

Related information, measures and tools

No	URL	タグ
1	https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf	Vendor Advisory
2	https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf	Vendor Advisory
3	https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf	Vendor Advisory
4	https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf	Vendor Advisory
5	https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf	Vendor Advisory
6	https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf	Vendor Advisory
7	https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04	Third Party Advisory US Government Resource
8	https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04	Third Party Advisory US Government Resource
9	https://www.zerodayinitiative.com/advisories/ZDI-21-047/	Third Party Advisory VDB Entry
10	https://www.zerodayinitiative.com/advisories/ZDI-21-047/	Third Party Advisory VDB Entry
11	https://www.zerodayinitiative.com/advisories/ZDI-21-054/	Third Party Advisory VDB Entry
12	https://www.zerodayinitiative.com/advisories/ZDI-21-054/	Third Party Advisory VDB Entry
13	https://www.zerodayinitiative.com/advisories/ZDI-21-073/	Third Party Advisory VDB Entry
14	https://www.zerodayinitiative.com/advisories/ZDI-21-073/	Third Party Advisory VDB Entry

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:siemens:jt2go::::::::				13.1.0.1
cpe:2.3:a:siemens:teamcenter_visualization::::::::				13.1.0.1
cpe:2.3:a:siemens:solid_edge:se2021:-::::::
cpe:2.3:a:siemens:solid_edge:se2021:maintenance_pack1::::::
cpe:2.3:a:siemens:solid_edge:se2020:-::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack1::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack2::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack3::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack4::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack5::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack6::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack7::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack8::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack9::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack10::::::
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack11::::::