{
  "document": {
    "title": "SSA-703715: Information Disclosure Vulnerability in Climatix POL909 (AWM and AWB)",
    "category": "Siemens Security Advisory",
    "csaf_version": "2.0",
    "publisher": {
      "name": "Siemens ProductCERT",
      "contact_details": "productcert@siemens.com",
      "category": "vendor",
      "namespace": "https://www.siemens.com"
    },
    "distribution": {
      "text": "Disclosure is not limited.",
      "tlp": {
        "label": "WHITE"
      }
    },
    "tracking": {
      "id": "SSA-703715",
      "status": "final",
      "version": "2",
      "revision_history": [
        {
          "number": "1",
          "legacy_version": "1.0",
          "date": "2021-11-09T00:00:00Z",
          "summary": "Publication Date"
        },
        {
          "number": "2",
          "legacy_version": "1.1",
          "date": "2022-03-08T00:00:00Z",
          "summary": "Added product: Climatix POL909 (AWB module)"
        }
      ],
      "initial_release_date": "2021-11-09T00:00:00Z",
      "current_release_date": "2022-03-08T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      }
    },
    "notes": [
      {
        "title": "Summary",
        "category": "summary",
        "text": "Climatix POL909 (AWM and AWB) contains an information disclosure vulnerability that could allow a man-in-the-middle attacker to read sensitive data, such as administrator credentials, or modify data in transit.\n\nSiemens has released an update for Climatix POL909 (AWM and AWB) and recommends to update to the latest version."
      },
      {
        "title": "General Recommendations",
        "category": "general",
        "text": "As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment."
      },
      {
        "title": "Additional Resources",
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories"
      },
      {
        "title": "Terms of Use",
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use."
      }
    ],
    "references": [
      {
        "category": "self",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf",
        "summary": "SSA-703715: Information Disclosure Vulnerability in Climatix POL909 (AWM and AWB) - PDF Version"
      },
      {
        "category": "self",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-703715.txt",
        "summary": "SSA-703715: Information Disclosure Vulnerability in Climatix POL909 (AWM and AWB) - TXT Version"
      },
      {
        "category": "self",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-703715.json",
        "summary": "SSA-703715: Information Disclosure Vulnerability in Climatix POL909 (AWM and AWB) - CSAF Version"
      }
    ]
  },
  "product_tree": {
    "branches": [
      {
        "name": "Siemens",
        "category": "vendor",
        "branches": [
          {
            "name": "Climatix POL909 (AWB module)",
            "category": "product_name",
            "branches": [
              {
                "name": "< V11.42",
                "category": "product_version_range",
                "product": {
                  "product_id": "1",
                  "name": "Climatix POL909 (AWB module)"
                }
              }
            ]
          },
          {
            "name": "Climatix POL909 (AWM module)",
            "category": "product_name",
            "branches": [
              {
                "name": "< V11.34",
                "category": "product_version_range",
                "product": {
                  "product_id": "2",
                  "name": "Climatix POL909 (AWM module)"
                }
              }
            ]
          }
        ]
      }
    ]
  },
  "vulnerabilities": [
    {
      "title": "CVE-2021-40366",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "The web server of affected devices transmits data without TLS encryption. This could allow an unauthenticated remote attacker in a man-in-the-middle position to read sensitive data, such as administrator credentials, or modify data in transit."
        }
      ],
      "cve": "CVE-2021-40366",
      "cwe": {
        "id": "CWE-311",
        "name": "Missing Encryption of Sensitive Data"
      },
      "product_status": {
        "known_affected": [
          "1",
          "2"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L/E:P/RL:O/RC:C"
          },
          "products": [
            "1",
            "2"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V11.42 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109747351/"
        },
        {
          "product_ids": [
            "2"
          ],
          "category": "vendor_fix",
          "details": "Update to V11.34 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109747351/"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109747351/",
          "summary": "CVE-2021-40366 - Climatix POL909 (AWB module)"
        },
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109747351/",
          "summary": "CVE-2021-40366 - Climatix POL909 (AWM module)"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-40366.json",
          "summary": "CVE-2021-40366 Mitre 5.0 json"
        }
      ]
    }
  ]
}

