SB2024081438 - Multiple vulnerabilities in Siemens Location Intelligence
Published: August 14, 2024
Description
This security bulletin contains information about 3 vulnerabilities.
1) Inadequate Encryption Strength (CVE-ID: CVE-2024-41681)
CWE-ID: CWE-326 - Inadequate Encryption Strength
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the web server is configured to support weak ciphers by default. A remote attacker on the local network can read and modify any data passed over the connection between legitimate clients and the affected device.
2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2024-41682)
CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can conduct brute force attacks against legitimate user passwords.
3) Weak Password Requirements (CVE-ID: CVE-2024-41683)
CWE-ID: CWE-521 - Weak Password Requirements
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker to perform a brute-force attack and guess the password.
The vulnerability exists due to weak password requirements. An attacker can perform a brute-force attack and guess users' passwords.
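Items 2 and 3 describe the absence of two standard authentication controls. The following is an added illustration, written for this bulletin and not code from Siemens or from the affected product, of a minimal login service that enforces both: a password policy (CWE-521) and a per-account failure counter with a lockout window (CWE-307). The policy thresholds and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import time

# Illustrative policy values (assumptions, not taken from the bulletin).
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900


def password_meets_policy(password: str) -> bool:
    """CWE-521 control: minimum length plus at least three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    """Login with per-account failure counting and lockout (CWE-307 control)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so tests can advance time
        self._users = {}         # username -> (salt, digest)
        self._failures = {}      # username -> (failed_count, locked_until)

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until:
            if self._clock() < locked_until:
                return "locked"          # reject without even checking the password
            count, locked_until = 0, 0.0 # window elapsed: start a fresh count
        record = self._users.get(username)
        # Hash a dummy record for unknown users so timing does not reveal valid names.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        if record and hmac.compare_digest(hash_password(password, salt)[1], expected):
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            locked_until = self._clock() + LOCKOUT_SECONDS
        self._failures[username] = (count, locked_until)
        return "locked" if locked_until else "denied"
```

A failed login returns "denied" until the threshold is reached and "locked" for the rest of the window, regardless of whether the password is then correct.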
Remediation
Install the update from the vendor's website.