CVE-2013-5709 - Vulnerability Details - OpenCVE

The authentication implementation in the web server on Siemens SCALANCE X-200 switches with firmware before 5.0.0 does not use a sufficient source of entropy for generating values of random numbers, which makes it easier for remote attackers to hijack sessions by predicting a value.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Scalance X-200 Scalance X-200 Series Firmware Scalance X-200rna Scalance X200-4p Irt Scalance X201-3p Irt Scalance X202-2irt Scalance X202-2p Irt Scalance X204irt Scalance Xf-200

Configuration 1 [-]

AND

OR	cpe:2.3:o:siemens:scalance_x-200_series_firmware::::::::
	cpe:2.3:o:siemens:scalance_x-200_series_firmware:4.3:::::::*

OR	cpe:2.3:h:siemens:scalance_x-200:-:::::::*
	cpe:2.3:h:siemens:scalance_x-200rna:-:::::::*
	cpe:2.3:h:siemens:scalance_x200-4p_irt:-:::::::*
	cpe:2.3:h:siemens:scalance_x201-3p_irt:-:::::::*
	cpe:2.3:h:siemens:scalance_x201-3p_irt:-:-:pro:::::*
	cpe:2.3:h:siemens:scalance_x202-2irt:-:::::::*
	cpe:2.3:h:siemens:scalance_x202-2p_irt:-:::::::*
	cpe:2.3:h:siemens:scalance_x202-2p_irt:-:-:pro:::::*
	cpe:2.3:h:siemens:scalance_x204irt:-:::::::*
	cpe:2.3:h:siemens:scalance_x204irt:-:-:pro:::::*
	cpe:2.3:h:siemens:scalance_xf-200:-:::::::*

No data.

References

Link	Providers
http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2013-09-17T10:00:00

Updated: 2024-08-06T17:22:31.062Z

Reserved: 2013-09-06T00:00:00

Link: CVE-2013-5709

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-09-17T12:04:28.820

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-5709

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-09-11T00:00:00", "descriptions": [{"lang": "en", "value": "The authentication implementation in the web server on Siemens SCALANCE X-200 switches with firmware before 5.0.0 does not use a sufficient source of entropy for generating values of random numbers, which makes it easier for remote attackers to hijack sessions by predicting a value."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-10T14:06:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf"}, {"tags": ["x_refsource_MISC"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-5709", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The authentication implementation in the web server on Siemens SCALANCE X-200 switches with firmware before 5.0.0 does not use a sufficient source of entropy for generating values of random numbers, which makes it easier for remote attackers to hijack sessions by predicting a value."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf", "refsource": "CONFIRM", "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf"}, {"name": "http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01", "refsource": "MISC", "url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T17:22:31.062Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-5709", "datePublished": "2013-09-17T10:00:00", "dateReserved": "2013-09-06T00:00:00", "dateUpdated": "2024-08-06T17:22:31.062Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:scalance_x-200_series_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "756EF73B-3FF0-458A-AD4F-02D9F1895C56", "versionEndIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:siemens:scalance_x-200_series_firmware:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "17C52F7B-5B34-42B6-BE60-B24EDBE221C8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:scalance_x-200:-:*:*:*:*:*:*:*", "matchCriteriaId": "6FEF9F9F-4066-483B-BF95-3BA5625284DF", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x-200rna:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BCF5B82-0766-4711-90E6-C2A6FACE44EE", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x200-4p_irt:-:*:*:*:*:*:*:*", "matchCriteriaId": "8B9CBC72-92D9-4B3A-884F-33124C457016", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x201-3p_irt:-:*:*:*:*:*:*:*", "matchCriteriaId": "3268CF75-6DAB-416A-B19B-2A8F95C268CF", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x201-3p_irt:-:-:pro:*:*:*:*:*", "matchCriteriaId": "21095E8E-A67B-448C-90B1-6234D931C005", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x202-2irt:-:*:*:*:*:*:*:*", "matchCriteriaId": "A8B1D979-038F-42F4-AB7D-E0664D051B4E", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x202-2p_irt:-:*:*:*:*:*:*:*", "matchCriteriaId": "CEB62730-E759-455A-A308-F9DB084B35B5", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x202-2p_irt:-:-:pro:*:*:*:*:*", "matchCriteriaId": "39CAF419-AB8D-4F79-A5E7-602A77D55E65", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x204irt:-:*:*:*:*:*:*:*", "matchCriteriaId": "6716DCDE-BD3F-4BA2-A66A-A0C14C6A3C15", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_x204irt:-:-:pro:*:*:*:*:*", "matchCriteriaId": "BB688C82-7454-4FD0-B484-C400E7FF4898", "vulnerable": true}, {"criteria": "cpe:2.3:h:siemens:scalance_xf-200:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB503096-C528-478C-BD07-019C2CC882E4", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The authentication implementation in the web server on Siemens SCALANCE X-200 switches with firmware before 5.0.0 does not use a sufficient source of entropy for generating values of random numbers, which makes it easier for remote attackers to hijack sessions by predicting a value."}, {"lang": "es", "value": "La implementaci\u00f3n de autentificaci\u00f3n en el servidor web de los switches Siemens SCALANCE X-200 con firmware anterior a 5.0.0 no utiliza suficiente fuente de entrop\u00eda para generar valores de numeros aleatorios, lo que hace mucho m\u00e1s f\u00e1cil para un atacante remoto secuestrar sesiones prediciendo un valor."}], "id": "CVE-2013-5709", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 8.5, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-09-17T12:04:28.820", "references": [{"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf"}, {"source": "cve@mitre.org", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-850708.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-850708.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}], "source": "nvd@nist.gov", "type": "Primary"}]}