OTPulse

Siemens SiPass Integrated

Plan Patch · 7.5 · ICS-CERT ICSA-21-350-19 · Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SiPass integrated contains multiple vulnerabilities allowing unauthenticated remote attackers to access or modify internal application resources. Affected versions include v2.76 (all versions), v2.80 (all versions), and v2.85 (all versions). Siemens has released a remediation tool (SiPass integrated Component Manager) for v2.80 and v2.85, and recommends updating v2.64 systems to v2.76 SP2.

What this means
What could happen
An unauthenticated attacker with network access to SiPass integrated could read or modify critical access control system data, potentially allowing unauthorized building entry or disabling security functions.
Who's at risk
Organizations operating physical access control systems using Siemens SiPass integrated (building entry, badge readers, door locks). This includes security departments, facilities management, and any entity relying on SiPass for building perimeter or internal access control.
How it could be exploited
An attacker on the network sends unauthenticated requests to SiPass integrated to access or modify internal application resources. No credentials or authentication are required; the attacker simply needs network connectivity to the device.
Prerequisites
  • Network access to SiPass integrated service ports
  • Device reachable from attacker's network segment (no authentication required)
remotely exploitable · no authentication required · low complexity · affects access control systems
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (3)
2 with fix · 1 EOL
Product | Affected Versions | Fix Status
SiPass integrated V2.76 | All versions | No fix (EOL)
SiPass integrated V2.80 | All versions | via SiPass integrated Component Manager
SiPass integrated V2.85 | All versions | via SiPass integrated Component Manager
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SiPass integrated devices using firewall rules and access control lists; ensure the device is not accessible from the Internet or untrusted networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SiPass integrated V2.80
HOTFIX: For SiPass integrated v2.80 and v2.85: Download and execute the SiPass integrated Component Manager remediation tool provided by Siemens.
All products
HOTFIX: For SiPass integrated v2.64: Update to v2.76 SP2 or later.
Mitigations - no patch available
SiPass integrated V2.76 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate SiPass integrated from the business network and general IT systems.