
Siemens WIBU Systems CodeMeter

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 


1. EXECUTIVE SUMMARY

CVSS v3 9.0
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: WIBU Systems CodeMeter
Vulnerability: Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to escalate privileges or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

PSS(R)CAPE V14: All versions prior to V14.2023-08-23
PSS(R)CAPE V15: All versions prior to V15.0.22
PSS(R)E V34: All versions prior to V34.9.6
PSS(R)E V35: All versions
PSS(R)ODMS V13.0: All versions
PSS(R)ODMS V13.1: All versions prior to V13.1.12.1
SIMATIC PCS neo V3: All versions
SIMATIC PCS neo V4: All versions
SIMATIC WinCC OA V3.17: All versions
SIMATIC WinCC OA V3.18: All versions
SIMATIC WinCC OA V3.19: All versions prior to V3.19 P006
SIMIT Simulation Platform: All versions
SINEC INS: All versions
SINEMA Remote Connect: All versions

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

In CodeMeter Runtime versions up to 7.60b, there is a heap buffer overflow vulnerability that could potentially lead to remote code execution. Currently, no PoC is known. To exploit the heap overflow, additional protection mechanisms would need to be broken. Remote access is only possible if CodeMeter is configured as a server. If CodeMeter is not configured as a server, an attacker would need to log in to the machine where the CodeMeter Runtime is running or trick a user into sending a malicious request to CodeMeter. This might result in an escalation of privilege. (WIBU-230704-01)

CVE-2023-3935 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

PSS(R)CAPE V14, PSS(R)CAPE V15, PSS(R)E V34, PSS(R)E V35, PSS(R)ODMS V13.0, PSS(R)ODMS V13.1, SIMATIC PCS neo V3, SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18, SIMATIC WinCC OA V3.19, SIMIT Simulation Platform, SINEC INS, SINEMA Remote Connect: If CodeMeter Runtime is configured as server: Limit remote access to systems where the CodeMeter Runtime network server is running
SIMIT Simulation Platform: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts
PSS(R)CAPE V15, PSS(R)E V34, PSS(R)ODMS V13.1: For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
SIMATIC PCS neo V3, SINEC INS, SINEMA Remote Connect: Currently no fix is planned
SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18: Currently no fix is available
PSS(R)ODMS V13.1: Update to V13.1.12.1 or later version
PSS(R)CAPE V15: Update to V15.0.22 or later version
SIMATIC WinCC OA V3.19: Update to V3.19 P006 or later version
PSS(R)E V34: Update to V34.9.6 or later version
PSS(R)E V35, SIMIT Simulation Platform: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
PSS(R)CAPE V14: CAPE V14 installations installed from material dated 2023-08-23 or later are not affected, as they contain a fixed version of CodeMeter Runtime.

For installations of CAPE V14 using material earlier than 2023-08-23: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

PSS(R)ODMS V13.0: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
PSS(R)CAPE V14, PSS(R)CAPE V15, PSS(R)E V34, PSS(R)E V35, PSS(R)ODMS V13.0, PSS(R)ODMS V13.1, SIMATIC PCS neo V3, SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18, SIMATIC WinCC OA V3.19, SIMIT Simulation Platform, SINEC INS, SINEMA Remote Connect: If CodeMeter Runtime is configured as client only in the affected product: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-240541 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens SIMATIC, SIPLUS Products



1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC, SIPLUS Products
Vulnerability: Integer Overflow or Wraparound

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to create a denial-of-service condition by sending a specially crafted certificate.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions prior to v2.2
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions prior to v2.2
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): All versions prior to v2.9.7
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): All versions from v3.0.1 to v3.0.3
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): All versions prior to v2.9.7
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): All versions from v3.0.1 to v3.0.3
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): All versions prior to v21.9.7
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): Versions 30.0.0 and prior
SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All versions
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 Software Controller V2: All versions prior to v21.9.7
SIMATIC S7-1500 Software Controller V3: All versions
SIMATIC S7-PLCSIM Advanced: All versions
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): All versions prior to v3.0.3

3.2 Vulnerability Overview

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The ANSI C OPC UA SDK contains an integer overflow vulnerability that could cause the application to run into an infinite loop during certificate validation. This could allow an unauthenticated remote attacker to create a denial-of-service condition by sending a specially crafted certificate.

CVE-2023-28831 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Currently no fix is available for the following products:

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)
SIMATIC S7-1200 CPU family (incl. SIPLUS variants)
SIMATIC S7-1500 Software Controller V3
SIMATIC S7-PLCSIM Advanced

Apply Update v2.2 or a later version to the following products:

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00)
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00)
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)

Apply Update v2.9.7 or a later version to the following products:

SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0)
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0)
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0)
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0)
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0)
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0)
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0)
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0)
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0)
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0)
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0)
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0)
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0)
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0)
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0)
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0)
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0)
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0)
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0)
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0)
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0)
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0)
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0)
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0)
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0)
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0)
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0)
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0)
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0)
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0)
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0)
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0)
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0)
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0)
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0)
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0)
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0)
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0)
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0)
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0)
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0)
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0)
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0)
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0)
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0)
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0)
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0)
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0)
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0)
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0)
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0)
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0)
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0)
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0)
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0)
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0)
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0)

Apply Update v21.9.7 or a later version to the following products:

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)
SIMATIC S7-1500 Software Controller V2

Apply Update v3.0.3 or a later version to the following products:

SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0)
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0)
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0)
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0)
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0)
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0)
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0)
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0)
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0)
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0)
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0)
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0)
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0)
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0)
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0)
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0)
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0)
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0)
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0)
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0)
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0)
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0)
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0)
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0)
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0)
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0)
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0)
SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0)
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0)
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0)
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0)
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0)
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0)
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0)
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0)
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0)
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0)
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For more information, see the associated Siemens security advisory SSA-711309 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically targeting this vulnerability have been reported to CISA at this time.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens QMS Automotive



1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: QMS Automotive
Vulnerabilities: Plaintext Storage of a Password, Cleartext Storage of Sensitive Information in Memory, Generation of Error Message Containing Sensitive Information, Server-generated Error Message Containing Sensitive Information, Improper Verification of Cryptographic Signature, Insecure Storage of Sensitive Information, Cleartext Transmission of Sensitive Information, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform malicious code injection or information disclosure, or lead to a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

QMS Automotive: All versions prior to v12.39

3.2 Vulnerability Overview

3.2.1 PLAINTEXT STORAGE OF A PASSWORD CWE-256

User credentials are stored in plaintext in the database without any hashing mechanism. This could allow an attacker to gain access to credentials and impersonate other users.

CVE-2022-43958 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

User credentials are found in memory as plaintext. An attacker who can take a memory dump could recover the credentials and use them for impersonation.

CVE-2023-40724 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.2.3 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

The affected application returns inconsistent error messages in response to invalid user credentials during a login session. This allows an attacker to enumerate and identify valid usernames.

CVE-2023-40725 has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.4 SERVER-GENERATED ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-550

The affected application server responds with sensitive information about the server. This could allow an attacker to directly access the database.

CVE-2023-40726 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.5 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

The QMS.Mobile module of the affected application uses a weak, outdated application signing mechanism. This could allow an attacker to tamper with the application code.

CVE-2023-40727 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

The QMS.Mobile module of the affected application stores sensitive application data in external, insecure storage. This could allow an attacker to alter that content, leading to arbitrary code execution or a denial-of-service condition.

CVE-2023-40728 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

3.2.7 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected application lacks a security control that would prevent unencrypted (non-HTTPS) communication. An attacker who gained a machine-in-the-middle position could manipulate or steal confidential information.

CVE-2023-40729 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.8 IMPROPER ACCESS CONTROL CWE-284

The QMS.Mobile module of the affected application lacks sufficient authorization checks. This could allow an attacker to access confidential information, perform administrative functions, or lead to a denial-of-service condition.

CVE-2023-40730 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

3.2.9 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected application allows users to upload arbitrary file types. This could allow an attacker to upload malicious files, which could potentially lead to code tampering.

CVE-2023-40731 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N).
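The upload control the finding above calls for, as an added example rather than code from Siemens or the QMS Automotive product: a Python validator that accepts only an allowlisted extension whose leading bytes match the declared type, rejects names carrying a directory component or unusual characters, bounds the size, and stores the file under a server-chosen random name. The allowed types, the magic-byte table and the size limit are assumptions for the example.

```python
import os
import re
import secrets

# Added example (not QMS Automotive code). Allowlist of permitted extensions and the
# leading bytes ("magic") a file of that type must start with; constructed for the example.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024            # constructed limit
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return the accepted extension, or raise UploadRejected.

    Checks, in order: the name has no directory component and only safe characters,
    the size is bounded, the extension is on the allowlist, and the content really
    begins like a file of that type (so "notes.png" holding PHP source is refused).
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.match(base):
        raise UploadRejected("filename contains a path component or disallowed characters")
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not permitted")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared file type")
    return ext


def stored_name(ext: str) -> str:
    """Server-chosen on-disk name: random, so the client's name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def classify(candidates):
    """Run the validator over (filename, content) pairs; returns name -> 'accepted:<ext>' or 'rejected'."""
    out = {}
    for name, data in candidates:
        try:
            out[name] = "accepted:" + validate_upload(name, data)
        except UploadRejected:
            out[name] = "rejected"
    return out
```

The extension check alone is not enough: the magic-byte comparison is what refuses a script renamed to an image extension, and the random on-disk name removes any influence the client has over where or as what the file is written.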

3.2.10 INSUFFICIENT SESSION EXPIRATION CWE-613

The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks.

CVE-2023-40732 has been assigned to this vulnerability. A CVSS v3 base score of 3.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).
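Three of the findings above (plaintext credential storage in 3.2.1, the enumerable login error in 3.2.3 and the session that survives logout in 3.2.10) have one hardened shape, and the following Python service is an added example of it, not code from Siemens or QMS Automotive: credentials are stored as salted PBKDF2 hashes, every login failure yields the same message after the same hashing work whether or not the user exists, and sessions live in a server-side table that logout actually clears. The iteration count, the session lifetime and the in-memory stores are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example (not QMS Automotive code). Constructed parameters:
PBKDF2_ITERATIONS = 100_000       # raise in production; moderate here so the example runs quickly
SESSION_TTL_SECONDS = 15 * 60
GENERIC_FAILURE = "invalid username or password"   # identical text for every failure cause


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256; the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)


class AuthService:
    def __init__(self) -> None:
        self._users = {}      # username -> (salt, password hash); never the password itself
        self._sessions = {}   # token -> (username, expiry); server-side so logout can revoke
        # A throwaway record so that a login attempt for an unknown user performs the same
        # hashing work as one for a real user: no timing or message difference to enumerate.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_urlsafe(16), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        """Return (token, None) on success or (None, GENERIC_FAILURE) on any failure."""
        salt, expected = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = hash_password(password, salt)           # always computed, known user or not
        matched = hmac.compare_digest(candidate, expected)  # constant-time comparison
        if not matched or username not in self._users:
            return None, GENERIC_FAILURE
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.monotonic() + SESSION_TTL_SECONDS)
        return token, None

    def user_for(self, token: str):
        """Resolve a session token; expired or revoked tokens yield None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if time.monotonic() >= expires_at:
            del self._sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        """Invalidate the token server-side (the CWE-613 fix): a replayed cookie is now useless."""
        self._sessions.pop(token, None)

    def stored_record(self, username: str):
        """What the database holds for a user: a salt and a hash, nothing reversible."""
        return self._users[username]
```

The dummy record is the detail that usually gets lost: if an unknown username short-circuits before hashing, the response time alone tells an attacker which names exist, even when the message text is uniform.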

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

QMS Automotive: Update to V12.39 or later version. The patch is available upon request from customer support.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-147266 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Hitachi Energy Lumada APM Edge


1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Lumada Asset Performance Management (APM) Edge
Vulnerabilities: Use After Free, Double Free, Type Confusion, Observable Discrepancy

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclosure of sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi products are affected:

Lumada APM Edge: Versions 4.0 and prior
Lumada APM Edge: Version 6.3

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case the BIO chain is not properly cleaned up, and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO, a use-after-free will occur. This will most likely result in a crash.

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the “name” (e.g. “CERTIFICATE”), any header data and the payload data. If the function succeeds then the “name_out”, “header” and “data” arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial-of-service attack.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
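The contract CVE-2022-4450 breaks is that output arguments are only meaningful when the parse succeeded, and the input that breaks it is a PEM block whose payload decodes to zero bytes. The following Python PEM parser is an added example, not OpenSSL code and not a memory-safety fix for it: it shows the fail-closed behaviour the text describes, returning nothing at all on any failure, including an empty payload, instead of a partially populated result. Header handling is limited to the RFC 1421 "Key: value" encapsulation lines assumed here.

```python
import base64
import binascii
import re
from typing import Dict, NamedTuple, Optional


class PemBlock(NamedTuple):
    name: str             # e.g. "CERTIFICATE"
    headers: Dict[str, str]
    data: bytes           # decoded payload, always non-empty


_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text: str) -> Optional[PemBlock]:
    """Parse the first PEM block in `text` (added example, not OpenSSL's parser).

    Fail-closed contract: either a fully populated PemBlock is returned, or None.
    A caller never receives a name or headers without valid payload bytes, which is
    the state PEM_read_bio_ex() gets into on a zero-length payload.
    """
    name = None
    headers: Dict[str, str] = {}
    body = []
    for line in (ln.rstrip("\r") for ln in text.split("\n")):
        if name is None:
            m = _BEGIN.match(line)
            if m:
                name = m.group(1)
            continue                          # skip anything before BEGIN
        m = _END.match(line)
        if m:
            if m.group(1) != name:            # mismatched BEGIN/END labels
                return None
            break
        if ":" in line and not body:          # RFC 1421 encapsulated header, e.g. "Proc-Type: 4,ENCRYPTED"
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        elif line.strip():
            body.append(line.strip())
    else:
        return None                           # no BEGIN at all, or BEGIN without END
    try:
        data = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return None                           # corrupt base64
    if not data:
        return None                           # the CVE-2022-4450 edge case: zero payload bytes
    return PemBlock(name, headers, data)
```

The point is the shape of the API rather than the parsing itself: a single return value that is either complete or absent leaves the caller nothing to free, and nothing to misuse, on the failure path.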

3.2.3 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.4 OBSERVABLE DISCREPANCY CWE-203

A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has fixed the vulnerabilities for Lumada APM in version 6.5.0.2 and later and recommends users update their systems to the appropriate version. Lumada APM Edge versions 4.0 and prior are no longer supported and are considered End-of-Life.

Hitachi Energy reports that Lumada APM Edge relies on the HAProxy service (a prerequisite component) as an API gateway, so that service must be exposed to end users over the network. Because HAProxy also uses the OpenSSL libraries, it is crucial that it be updated along with its underlying operating system.

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate outside the network. Such practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, are separated from other networks by a firewall system that exposes a minimal number of ports, and have security updates applied to installed software components; other measures must be evaluated case by case. Process control systems should not be used for Internet browsing, instant messaging, or receiving e-mail. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy advisory 8DBD000169.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 12, 2023: Initial Publication

Fujitsu Software Infrastructure Manager


1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Low attack complexity
Vendor: Fujitsu Software
Equipment: Infrastructure Manager
Vulnerability: Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker retrieving the password for the proxy server that is configured in ISM from the maintenance data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Infrastructure Manager are affected:

Infrastructure Manager: Advanced Edition V2.8.0.060
Infrastructure Manager: Advanced Edition for PRIMEFLEX V2.8.0.060
Infrastructure Manager: Essential Edition V2.8.0.060

3.2 Vulnerability Overview

3.2.1 Cleartext Storage of Sensitive Information CWE-312

An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext. That occurs when users perform any ISM Firmware Repository Address setup test (Test the Connection), or regularly authorize against an already configured remote firmware repository site, as set up in ISM Firmware Repository Address. A privileged attacker is therefore able to potentially gather the associated ismsnap maintenance data, in the same manner as a trusted party allowed to export ismsnap data from ISM. The preconditions for an ISM installation to be generally vulnerable are that the Download Firmware (Firmware Repository Server) function is enabled and configured, and that the backslash character is used in a user credential (i.e., user ID or password) of the remote proxy host / firmware repository server.

CVE-2023-39903 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
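Two controls keep a proxy credential like the one described above out of maintenance data: the credential is percent-encoded when it is placed in a proxy URL (a backslash becomes %5C, so no later escaping or quoting step ever sees a raw escape character), and the logging pipeline redacts URL userinfo before a line is written, whatever the call site passed in. The following Python is an added example, not Fujitsu or ISM code; the logger name, the log format and the in-memory capturing handler are constructed for the example.

```python
import logging
import re
from urllib.parse import quote

# Added example (not Fujitsu/ISM code). Names and formats are constructed.


def build_proxy_url(scheme: str, host: str, port: int, user: str, password: str) -> str:
    """Compose a proxy URL whose userinfo is percent-encoded.

    quote(..., safe="") turns a backslash into %5C (and '@' into %40, ':' into %3A),
    so the credential carries no escape character into any later string handling.
    """
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"{scheme}://{userinfo}@{host}:{port}"


# Matches the "user:pass@" part of any URL-like token ("scheme://user:pass@host...").
_USERINFO = re.compile(r"(?<=://)[^/@\s]+@")


def redact_userinfo(text: str) -> str:
    """Replace credentials embedded in URLs with a fixed marker."""
    return _USERINFO.sub("***:***@", text)


class RedactingFormatter(logging.Formatter):
    """Formatter that scrubs userinfo from every record, regardless of what was logged."""

    def format(self, record: logging.LogRecord) -> str:
        return redact_userinfo(super().format(record))


class CapturingHandler(logging.Handler):
    """Keeps formatted lines in memory so they can be inspected (a file handler in practice)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def make_logger(name: str):
    """Build a logger whose only output path runs through the redacting formatter."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = CapturingHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, handler
```

Putting the redaction in the formatter rather than at each logging call is deliberate: the advisory's defect surfaced on one code path (a credential containing a backslash) that the call sites evidently did not anticipate, and a formatter-level scrub does not depend on anyone anticipating it.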

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Fujitsu Technology Solutions GmbH and the Fujitsu PSIRT (Europe) reported the vulnerability to MITRE and Fujitsu Limited. Fujitsu Limited and JPCERT/CC reported this vulnerability to CISA.

4. MITIGATIONS

Fujitsu Software recommends updating the software to version V2.8.0.061, which has been released to fix this vulnerability.

Fujitsu Software recommends, as a workaround, using a user ID and/or password for the proxy server that does not include the backslash character when downloading firmware.

Fujitsu Software recommends, as a workaround, storing the maintenance data in a trusted location and deleting it when it is no longer needed.

JPCERT/CC published JVN#38847224 regarding this issue.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 12, 2023: Initial Publication

Dover Fueling Solutions MAGLINK LX Console

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Dover Fueling Solutions
Equipment: MAGLINK LX – Web Console Configuration
Vulnerabilities: Authentication Bypass using an Alternate Path or Channel, Improper Access Control, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of MAGLINK LX Web Console Configuration are affected:

MAGLINK LX Web Console Configuration: version 2.5.1
MAGLINK LX Web Console Configuration: version 2.5.2
MAGLINK LX Web Console Configuration: version 2.5.3
MAGLINK LX Web Console Configuration: version 2.6.1
MAGLINK LX Web Console Configuration: version 2.11
MAGLINK LX Web Console Configuration: version 3.0
MAGLINK LX Web Console Configuration: version 3.2
MAGLINK LX Web Console Configuration: version 3.3

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

The affected product is vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access by leveraging the MAGLINK LX Web Console.

CVE-2023-41256 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

The affected product could allow a guest user to elevate to admin privileges by leveraging the MAGLINK LX Web Console.

CVE-2023-36497 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The affected product is vulnerable to a path traversal attack, which could allow an attacker to access files stored on the system.

CVE-2023-38256 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
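For the path traversal finding above, the usual hardening is to resolve the client-supplied path against the document base and refuse anything whose real path ends up outside it. The following Python helper is an added example, not Dover Fueling Solutions code; the directory layout and request strings in demo() are constructed for the example, and the caller is assumed to have URL-decoded the path before calling safe_resolve().

```python
import tempfile
from pathlib import Path

# Added example (not Dover Fueling Solutions code).


class PathTraversal(ValueError):
    pass


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Map a client-supplied relative path onto a file under base_dir.

    The caller is assumed to have already URL-decoded `requested`. Resolution
    follows '..' and symlinks, and the containment check is made on the final real
    path, so "../" sequences, absolute paths and symlinks pointing outside all fail.
    """
    if "\x00" in requested:
        raise PathTraversal("NUL byte in path")
    base = Path(base_dir).resolve()
    candidate = (base / requested.replace("\\", "/")).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversal(f"{requested!r} resolves outside {base}")
    return candidate


def demo():
    """Exercise safe_resolve() on a constructed directory; returns request -> outcome."""
    requests = [
        "reports/daily.txt",
        "reports/../reports/daily.txt",   # harmless '..' that stays inside the base
        "../../etc/passwd",
        "/etc/passwd",
        "..\\..\\etc\\passwd",
        "reports/a\x00.txt",
    ]
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        (base / "reports").mkdir()
        (base / "reports" / "daily.txt").write_text("constructed report\n")
        for req in requests:
            try:
                outcome[req] = safe_resolve(str(base), req).relative_to(base).as_posix()
            except PathTraversal:
                outcome[req] = "rejected"
    return outcome
```

Checking the resolved path rather than scanning the input for "../" is what makes this robust: encodings, mixed separators and symlinks all collapse to one real path before the decision is made.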

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Certified in the EU and UK, but may also be found worldwide.
COMPANY HEADQUARTERS LOCATION: United States of America

3.4 RESEARCHER

Soufian El Yadmani of Darktrace / CSIRT.global reported these vulnerabilities to CISA.

4. MITIGATIONS

In 2023, Dover Fueling Solutions announced end-of-life for MAGLINK LX 3 and released MAGLINK LX 4. However, MAGLINK LX 3 version 3.4.2.2.6 and MAGLINK LX 4 fix these vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 07, 2023: Initial Publication

Socomec MOD3GP-SY-120K

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Socomec
Equipment: MOD3GP-SY-120K
Vulnerabilities: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Storage of Sensitive Information, Reliance on Cookies without Validation and Integrity Checking, Code Injection, Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute malicious JavaScript code, obtain sensitive information, or steal session cookies.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Socomec products are affected:

MODULYS GP (MOD3GP-SY-120K): Web firmware v01.12.10

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access the vulnerable page of the web application, the XSS payload will be executed.

CVE-2023-38582 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Because of weaknesses in the web application's user management, an attacker could obtain from the headers the information needed to craft specially designed URLs and trigger malicious actions while a legitimate user is logged into the web application.

CVE-2023-39446 has been assigned to this vulnerability. A CVSS v3 base score of 8.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H).

3.2.3 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

Sending certain requests to the web application of the vulnerable device allows information to be obtained, owing to the lack of security in the authentication process.

CVE-2023-41965 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 RELIANCE ON COOKIES WITHOUT VALIDATION AND INTEGRITY CHECKING CWE-565

Session management within the web application is incorrect and allows attackers to steal session cookies and perform any of the actions the web application permits on the device.

CVE-2023-41084 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

The absence of filters when loading some sections in the web application of the vulnerable device allows potential attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section (MAIL SERVER) where the information is displayed. Injection can be done on parameter MAIL_RCV. When a legitimate user attempts to review NOTIFICATION/MAIL SERVER, the injected code will be executed.

CVE-2023-40221 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
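The two MAIL_RCV findings above (3.2.1 and 3.2.5) share one root cause: a free-text field is stored and later interpolated into the NOTIFICATION/MAIL SERVER page unescaped. The following Python is an added example, not Socomec code: validate_mail_rcv() accepts only a short list of syntactically valid addresses on input, and render_safe() escapes on output, shown beside a render_unsafe() that reproduces the raw-interpolation defect. The field format (comma- or semicolon-separated addresses) and the limits are assumptions for the example.

```python
import html
import re

# Added example (not Socomec code). Field format and limits are assumptions.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
MAX_RECIPIENTS = 10


class InvalidRecipient(ValueError):
    pass


def validate_mail_rcv(raw: str):
    """Input validation: MAIL_RCV must be 1..MAX_RECIPIENTS syntactically valid addresses."""
    parts = [p.strip() for p in re.split(r"[;,]", raw) if p.strip()]
    if not parts or len(parts) > MAX_RECIPIENTS:
        raise InvalidRecipient(f"expected between 1 and {MAX_RECIPIENTS} addresses")
    for part in parts:
        if len(part) > 254 or not _ADDRESS.match(part):
            raise InvalidRecipient(f"not a valid address: {part!r}")
    return parts


def accept_mail_rcv(raw: str) -> bool:
    """True if the field would be accepted, False if the validator rejects it."""
    try:
        validate_mail_rcv(raw)
        return True
    except InvalidRecipient:
        return False


def render_unsafe(recipients) -> str:
    """The defect: stored text is interpolated straight into markup."""
    return '<input name="MAIL_RCV" value="' + ", ".join(recipients) + '">'


def render_safe(recipients) -> str:
    """Output encoding: escape for the HTML attribute context at the point of rendering."""
    value = html.escape(", ".join(recipients), quote=True)
    return f'<input name="MAIL_RCV" value="{value}">'
```

Input validation and output encoding are both kept because they fail independently: validation can be bypassed by a different write path (a configuration upload, say), and encoding alone still leaves junk in the stored field. Together they also cover the second XSS finding (3.2.7) for any field rendered the same way.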

3.2.6 PLAINTEXT STORAGE OF A PASSWORD CWE-256

The device's web application stores credentials in cleartext within the user management section. This information can be obtained remotely because of the incorrect session management in the web application.

CVE-2023-39452 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.7 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the device, whether legitimate or obtained through cookie theft, could include malicious code (XSS) when uploading a new device configuration, which could affect the intended function of the device.

CVE-2023-38255 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Aarón Flecha Menéndez reported these vulnerabilities to CISA.

4. MITIGATIONS

Socomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 07, 2023: Initial Publication

Phoenix Contact TC ROUTER and TC CLOUD CLIENT

1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Phoenix Contact
Equipment: TC ROUTER and TC CLOUD CLIENT
Vulnerabilities: Cross-site Scripting, XML Entity Expansion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow code execution in the context of the user’s browser or cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Phoenix Contact reports that the following products are affected:

TC ROUTER 3002T-4G: versions prior to 2.07.2
TC ROUTER 3002T-4G ATT: versions prior to 2.07.2
TC ROUTER 3002T-4G VZW: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G ATT: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G VZW: versions prior to 2.07.2
CLOUD CLIENT 1101T-TX/TX: versions prior to 2.06.10

3.2 Vulnerability Overview

3.2.1 Cross-site Scripting CWE-79

In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2, as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10, an unauthenticated remote attacker could use a reflected XSS within the license viewer page of the devices to execute code in the context of the user’s browser.

CVE-2023-3526 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 XML Entity Expansion CWE-776

In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial of service.

CVE-2023-3569 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
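The entity-expansion class above (CWE-776) works by declaring XML entities that reference each other, so a few kilobytes of upload grow to gigabytes when the parser substitutes them. The check below is an added example written for this page, not Phoenix Contact's firmware code and not a description of the device's parser. It assumes a service that never needs DTDs in uploaded XML, and so aborts parsing the moment a DOCTYPE or ENTITY declaration is seen, before any substitution happens. The payload (kept deliberately small) and the configuration document are constructed samples.

```python
"""Refuse uploaded XML that declares a DTD, before any entity can expand.

Added defensive example for CWE-776 (not vendor code). Policy: documents
from an untrusted uploader may not carry a DOCTYPE or ENTITY declaration
at all, so the parser is stopped at the declaration rather than after the
expansion has already consumed memory.
"""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when an uploaded document declares a DTD or an entity."""


def refuse_dtd(data: bytes) -> None:
    """Non-building expat pass that aborts at the first DTD construct.

    An exception raised inside an expat callback stops the parser and
    propagates out of Parse(), so nothing after the declaration is read.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for internal subsets and for external (SYSTEM/PUBLIC) DTDs alike.
        raise UnsafeXML(f"DOCTYPE for root <{name}> refused: DTDs are not accepted")

    def on_entity(*_):
        raise UnsafeXML("ENTITY declaration refused: entity expansion is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an uploaded XML document with entity expansion ruled out."""
    refuse_dtd(data)            # aborts before any entity could be expanded
    return ET.fromstring(data)  # no DTD passed the check, so nothing to expand


def refusal_reason(data: bytes):
    """None if the document is accepted, otherwise the reason it was refused."""
    try:
        parse_untrusted_xml(data)
        return None
    except UnsafeXML as exc:
        return str(exc)
    except (expat.ExpatError, ET.ParseError) as exc:
        return f"malformed XML: {exc}"


# Constructed sample: a three-level entity-expansion payload. Three levels of
# ten references each is only 1000 substitutions; real payloads go far deeper.
EXPANSION_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed sample: an ordinary device configuration upload with no DTD.
BENIGN_CONFIG = b"""<?xml version="1.0"?>
<config><hostname>router-01</hostname><ntp>pool.ntp.org</ntp></config>"""


if __name__ == "__main__":
    print("benign:", refusal_reason(BENIGN_CONFIG))
    print("payload:", refusal_reason(EXPANSION_PAYLOAD))
```

Because the hook runs on the decoded character stream, it is not defeated by the encoding tricks that slip past a byte-level search for `<!DOCTYPE`. Where DTDs are genuinely required, the equivalent control is a parser with a hard cap on total expanded size, combined with the upload size limit and the admin-only access the advisory's PR:H vector already implies.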

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

A. Resanovic and S. Stockinger at St. Pölten UAS discovered these vulnerabilities. T. Weber of CyberDanube Security Research coordinated the vulnerabilities with Phoenix Contact.

4. MITIGATIONS

Phoenix Contact has made the following fixed versions available and encourages users to download the latest version:

TC ROUTER 3002T-4G
TC ROUTER 3002T-4G ATT
TC ROUTER 3002T-4G VZW
TC CLOUD CLIENT 1002-4G
TC CLOUD CLIENT 1002-4G ATT
TC CLOUD CLIENT 1002-4G VZW
CLOUD CLIENT 1101T-TX/TX

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on their recommendations for measures to protect network-capable devices, please refer to the application note “Measures to protect network-capable devices with Ethernet connection”.

Phoenix Contact published a security advisory

CERT@VDE published VDE-2023-017

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 07, 2023: Initial Publication

Fujitsu Limited Real-time Video Transmission Gear “IP series”

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Fujitsu Limited
Equipment: Real-time Video Transmission Gear “IP series”
Vulnerability: Use Of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker logging into the web interface using the obtained credentials. The attacker could initialize or reboot the products, terminating the video transmission.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Real-time Video Transmission Gear “IP series”, a hosted web application, are affected:

Real-time Video Transmission Gear “IP series” IP-HE950E: firmware versions V01L001 to V01L053
Real-time Video Transmission Gear “IP series” IP-HE950D: firmware versions V01L001 to V01L053
Real-time Video Transmission Gear “IP series” IP-HE900E: firmware versions V01L001 to V01L010
Real-time Video Transmission Gear “IP series” IP-HE900D: firmware versions V01L001 to V01L004
Real-time Video Transmission Gear “IP series” IP-900E / IP-920E: firmware versions V01L001 to V02L061
Real-time Video Transmission Gear “IP series” IP-900D / IP-900ⅡD / IP-920D: firmware versions V01L001 to V02L061
Real-time Video Transmission Gear “IP series” IP-90: firmware versions V01L001 to V01L013
Real-time Video Transmission Gear “IP series” IP-9610: firmware versions V01L001 to V02L007

3.2 Vulnerability Overview

3.2.1 Use Of Hard-Coded Credentials CWE-798

The credentials of Fujitsu Limited Real-time Video Transmission Gear “IP series” for factory testing may be obtained by reverse engineering and other methods.

CVE-2023-38433 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Fujitsu Limited reported this vulnerability to JPCERT/CC.

4. MITIGATIONS

Fujitsu Limited recommends updating the firmware to the latest version, which can be downloaded here.

Fujitsu Limited recommends placing the products on a secure network as a workaround.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

PTC Kepware KepServerEX

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Kepware KepServerEX
Vulnerabilities: Uncontrolled Search Path Element, Improper Input Validation, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Kepware KepServerEX, an industrial automation control platform, are affected:

Kepware KepServerEX: version 6.14.263.0 and prior
ThingWorx Kepware Server: version 6.14.263.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges.

CVE-2023-29444 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.2 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.

CVE-2023-29445 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

KEPServerEx is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes, and crack them offline.

CVE-2023-29446 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
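The UNC path injection described above relies on Windows treating a `\\host\share` path found in a loaded file as an instruction to reach that host, which triggers NTLM authentication before the user sees anything. The validator below is an added example, not PTC's code, and the project-file fields it inspects are a constructed sample rather than KepServerEX's real format. It shows the defender-side check: every path read from an untrusted project file is classified as local or remote before it is used, covering the spellings Windows accepts for a remote location, and the loader refuses the whole file if any path points off-host.

```python
r"""Classify paths from an untrusted project file as local or remote.

Added defensive example for CWE-20 / UNC path injection (not vendor code).
Opening \\host\share\file on Windows makes the OS authenticate to "host"
(NTLM) before anything is displayed, so a loader that reads paths out of a
user-supplied project file should refuse remote paths it did not expect.
"""
import re
from urllib.parse import urlsplit

# A URL scheme or a drive letter at the start of the string.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_remote_windows_path(path: str) -> bool:
    r"""True if opening `path` on Windows would contact another host.

    Covers UNC in its accepted spellings (\\host\share, //host/share,
    \\?\UNC\host\share), file:// URLs that name a host, and any other URL
    scheme (http, smb, webdav, ...). Drive-letter and relative paths are local.
    """
    p = path.strip()
    # Windows accepts forward slashes as separators, so normalise first.
    if p.replace("/", "\\").startswith("\\\\"):
        return True
    m = _SCHEME_RE.match(p)
    if not m or len(m.group(1)) == 1:
        return False  # relative path, or a C:\... drive-letter path
    scheme = m.group(1).lower()
    if scheme == "file":
        parts = urlsplit(p)
        host = parts.netloc.lower()
        # file://host/share maps to UNC; file:////host/share is another UNC spelling.
        return host not in ("", "localhost") or parts.path.replace("\\", "/").startswith("//")
    return True  # http:, smb:, webdav:, ... all name a remote resource


# Constructed sample of path-bearing fields read from an untrusted project file.
SAMPLE_PROJECT_FIELDS = {
    "logfile": r"C:\ProgramData\Example\server.log",
    "datastore": r"\\10.0.0.5\share\tags.db",
    "csv_import": r"imports\tags.csv",
    "historian": "file://historian.example/export/hist.xml",
    "local_export": "file:///C:/exports/out.xml",
}


def flag_remote_paths(fields: dict) -> list:
    """Names of the fields whose value would reach out to another host."""
    return [name for name, value in fields.items() if is_remote_windows_path(value)]


def load_project_fields(fields: dict) -> dict:
    """Loader policy: refuse the whole file if any path is remote."""
    bad = flag_remote_paths(fields)
    if bad:
        raise ValueError(f"project file refused: remote paths in fields {bad}")
    return fields


if __name__ == "__main__":
    print("remote fields:", flag_remote_paths(SAMPLE_PROJECT_FIELDS))
```

Refusing at load time matters because the network request happens when the path is first resolved, not when the user consciously browses to it; a check that runs after the GUI button has been clicked is too late. Where a site legitimately needs network paths, an allow-list of expected hosts takes the place of the blanket refusal.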

3.2.4 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server’s plaintext credentials.

CVE-2023-29447 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sam Hanson of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS

PTC is aware of these vulnerabilities and is developing patches to address them. PTC expects these issues to be addressed by November 2023. This advisory will be updated when these patches are ready.

PTC recommends users follow the directions in the secure configuration documentation.

Please refer to PTC’s security advisory on these vulnerabilities for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation that specifically targets these vulnerabilities has been reported to CISA at this time.