CVE-2021-37181 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: How do I fix CVE-2021-37181?

1. Download the QU1 update from Siemens support portal. 2. Apply the update to all affected systems. 3. Restart the application/services. 4. Verify the update was successful.

Q: What is the severity of CVE-2021-37181?

CVE-2021-37181 has a CVSS score of 10.0 (CRITICAL). This vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by exploiting insecure deserialization in Siemens Cerberus DMS and Desigo CC products. The flaw exists in the CCOM communication component used for client connectivity, affecting multiple versions of these building management systems. Attackers can achieve remote code execution without authentication.

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by exploiting insecure deserialization in Siemens Cerberus DMS and Desigo CC products. The flaw exists in the CCOM communication component used for client connectivity, affecting multiple versions of these building management systems. Attackers can achieve remote code execution without authentication.

💻 Affected Systems

Products:

Cerberus DMS
Desigo CC Compact
Desigo CC

Versions: Cerberus DMS V4.0-V4.2 (all versions), V5.0 (all versions < v5.0 QU1); Desigo CC Compact V4.0-V4.2 (all versions), V5.0 (all versions < V5.0 QU1); Desigo CC V4.0-V4.2 (all versions), V5.0 (all versions < V5.0 QU1)

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects CCOM communication component used for Windows App/Click-Once and IE Web/XBAP client connectivity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary code, potentially leading to data theft, system disruption, or lateral movement within the network.

🟠

Likely Case

Remote code execution enabling attackers to install malware, create backdoors, or disrupt building management operations.

🟢

If Mitigated

Limited impact if systems are isolated, patched, or have network controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote code execution with CVSS 10.0 score indicates critical risk for internet-exposed systems.

🏢 Internal Only: HIGH - Even internally, unauthenticated attackers on the network can exploit this vulnerability for code execution.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Insecure deserialization vulnerabilities are commonly exploited and weaponized. The unauthenticated nature and high CVSS score make this attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cerberus DMS V5.0 QU1 and later; Desigo CC Compact V5.0 QU1 and later; Desigo CC V5.0 QU1 and later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf

Restart Required: Yes

Instructions:

1. Download the QU1 update from Siemens support portal. 2. Apply the update to all affected systems. 3. Restart the application/services. 4. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected systems from untrusted networks and limit access to only necessary connections.

Disable Vulnerable Components

windows

Disable CCOM communication component if not required for operations.

🧯 If You Can't Patch

Implement strict network access controls to limit connections to affected systems
Monitor for exploitation attempts and anomalous behavior on affected systems

🔍 How to Verify

Check if Vulnerable:

Check product version against affected versions list. Verify if CCOM component is enabled.

Check Version:

Check version through product administration interface or consult Siemens documentation for version verification.

Verify Fix Applied:

Confirm system is running Cerberus DMS V5.0 QU1 or later, Desigo CC Compact V5.0 QU1 or later, or Desigo CC V5.0 QU1 or later.

📡 Detection & Monitoring

Log Indicators:

Unusual process creation
Abnormal network connections from CCOM component
Deserialization errors or exceptions

Network Indicators:

Unexpected traffic to CCOM ports
Malformed serialized data packets

SIEM Query:

Process creation from Cerberus/Desigo services OR network connections to CCOM ports from untrusted sources

📊 Metadata

CVE ID: CVE-2021-37181

CVSS v3 Score: 10.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-502

Published: September 14, 2021

Last Updated: November 21, 2024

🔗 References

https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf Patch,Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37181, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cerberus Dms by Siemens

Cerberus Dms by Siemens

Cerberus Dms by Siemens

Cerberus Dms by Siemens

Desigo Cc by Siemens

Desigo Cc by Siemens

Desigo Cc by Siemens

Desigo Cc by Siemens

Desigo Cc Compact by Siemens

Desigo Cc Compact by Siemens

Desigo Cc Compact by Siemens

Desigo Cc Compact by Siemens

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Segmentation

Disable Vulnerable Components

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities