Siemens SIMATIC IPCs

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: SIMATIC Field PG and SIMATIC IPC
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated local user to potentially read other users’ data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

SIMATIC Field PG M6: All Versions
SIMATIC IPC BX-39A: All Versions
SIMATIC IPC PX-39A: All Versions
SIMATIC IPC PX-39A PRO: All Versions
SIMATIC IPC RW-543A: All Versions
SIMATIC IPC627E: All Versions
SIMATIC IPC647E: All Versions
SIMATIC IPC677E: All Versions
SIMATIC IPC847E: All Versions

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2022-40982 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Ensure that only trusted persons have access to the system and avoid the configuration of additional accounts.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-981975 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens Parasolid

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Parasolid
Vulnerabilities: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Parasolid, a 3D geometric modeling tool, are affected:

Parasolid V34.1: all versions prior to V34.1.258
Parasolid V35.0: all versions prior to V35.0.253
Parasolid V35.0: all versions prior to V35.0.260
Parasolid V35.1: all versions prior to V35.1.184
Parasolid V35.1: all versions prior to V35.1.246
Parasolid V36.0: all versions prior to V36.0.142
Parasolid V36.0: all versions prior to V36.0.156

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-41032 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-41033 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Parasolid V34.1: Update to V34.1.258 or later version
Parasolid V35.0: Update to V35.0.253 or later version
Parasolid V35.1: Update to V35.1.184 or later version
Parasolid V36.0: Update to V36.0.142 or later version
Parasolid V35.0: Update to V35.0.260 or later version
Parasolid V35.1: Update to V35.1.246 or later version
Parasolid V36.0: Update to V36.0.156 or later version
Do not open untrusted X_T files in Parasolid

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-190839 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens RUGGEDCOM APE1808 Product Family

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.2
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: RUGGEDCOM APE1808 Product Family
Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Buffer Underflow, Classic Buffer Overflow, Time-of-check Time-of-use Race Condition, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Improper Input Validation, Missing Release of Memory after Effective Lifetime, Improperly Implemented Security Check for Standard, Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities on affected products could lead to information disclosure, system crash or escalation of privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products contain affected versions of Insyde BIOS:

RUGGEDCOM APE1808 ADM (6GK6015-0AL20-0GL0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 ADM CC (6GK6015-0AL20-0GL1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 CKP (6GK6015-0AL20-0GK0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 CKP CC (6GK6015-0AL20-0GK1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 CLOUDCONNECT (6GK6015-0AL20-0GM0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 CLOUDCONNECT CC (6GK6015-0AL20-0GM1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 ELAN (6GK6015-0AL20-0GP0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 ELAN CC (6GK6015-0AL20-0GP1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 SAM-L (6GK6015-0AL20-0GN0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808 SAM-L CC (6GK6015-0AL20-0GN1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-P (6GK6015-0AL20-1AA0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-P CC (6GK6015-0AL20-1AA1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-S1 (6GK6015-0AL20-1AB0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-S1 CC (6GK6015-0AL20-1AB1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-S3 (6GK6015-0AL20-1AD0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-S3 CC (6GK6015-0AL20-1AD1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-S5 (6GK6015-0AL20-1AF0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808CLA-S5 CC (6GK6015-0AL20-1AF1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808W10 (6GK6015-0AL20-0GJ0): BIOS versions prior to V1.0.212N
RUGGEDCOM APE1808W10 CC (6GK6015-0AL20-0GJ1): BIOS versions prior to V1.0.212N

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

CVE-2017-5715 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

3.2.2 BUFFER UNDERWRITE (‘BUFFER UNDERFLOW’) CWE-124

Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.

CVE-2021-38578 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.3 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is checked, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error.

CVE-2022-24350 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.4 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

Using SPI injection, it is possible to modify the FDM contents after it has been measured. This TOCTOU attack could be used to alter data and code used by the remainder of the boot process.

CVE-2022-24351 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).

3.2.5 OUT-OF-BOUNDS READ CWE-125

Some versions of InsydeH2O use the FreeType tools to embed fonts into the BIOS. InsydeH2O does not use the FreeType API at runtime and usage during build time does not produce a vulnerability in the BIOS. The CVSS reflects this limited usage.

CVE-2022-27405 has been assigned to this vulnerability. A CVSS v3 base score of 3.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.6 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering. Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. This issue was discovered by Insyde during security review.

CVE-2022-29275 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.7 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges. The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. The code which uses it can be inside of SMM, making the working buffer untrusted input. The buffer can be corrupted by DMA transfers. The SMM code attempts to sanitize pointers to ensure all pointers refer to the working buffer, but when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior. This issue was discovered by Insyde engineering based on the general description provided by Intel’s iSTARE group. Fixed in: Kernel 5.0: Version 05.09.21; Kernel 5.1: Version 05.17.21; Kernel 5.2: Version 05.27.21; Kernel 5.3: Version 05.36.21; Kernel 5.4: Version 05.44.21; Kernel 5.5: Version 05.52.21.

CVE-2022-30283 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.8 OUT-OF-BOUNDS WRITE CWE-787

Manipulation of the input address in PnpSmm function 0x52 could be used by malware to overwrite SMRAM or OS kernel memory. Function 0x52 of the PnpSmm driver is passed the address and size of data to write into the SMBIOS table, but manipulation of the address could be used by malware to overwrite SMRAM or OS kernel memory. This issue was discovered by Insyde engineering during a security review. This issue is fixed in: Kernel 5.0: 05.09.41; Kernel 5.1: 05.17.43; Kernel 5.2: 05.27.30; Kernel 5.3: 05.36.30; Kernel 5.4: 05.44.30; Kernel 5.5: 05.52.30.

CVE-2022-30772 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H).

3.2.9 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32469 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.10 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32470 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.11 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the IHISI command buffer could cause TOCTOU issues which could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32471 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.12 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32475 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.13 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32477 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.14 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32953 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.15 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVE-2022-32954 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.16 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVE-2022-35893 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.17 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.

CVE-2022-35894 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.2.18 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The FwBlockServiceSmm driver does not properly validate input parameters for a software SMI routine, leading to memory corruption of arbitrary addresses including SMRAM, and possible arbitrary code execution.

CVE-2022-35895 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.19 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5: an SMM memory leak vulnerability in an SMM driver. An attacker can dump SMRAM contents via the software SMI provided by the FvbServicesRuntimeDxe driver, leading to information disclosure.

CVE-2022-35896 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.2.20 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm leads to arbitrary code execution in SMM. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.

CVE-2022-36338 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.21 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358

An attacker who has physical access or administrative rights to a target device could install an affected boot policy which could bypass Secure Boot.

CVE-2023-24932 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.22 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.

CVE-2023-27373 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
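Most of the Insyde items above (3.2.2, 3.2.6 through 3.2.15, 3.2.18 and 3.2.22) share one shape: an SMI handler consumes a buffer, size or pointer that lives outside SMRAM and is therefore controlled by the OS or by a DMA-capable device. The Python model below is an added example, not Insyde or Siemens code, showing the three defensive checks such a handler needs: a size computation that refuses to underflow instead of wrapping, a range check that the buffer lies entirely outside SMRAM without wrapping the address space, and a copy into SMRAM before validation so that a DMA write landing between check and use cannot change what was checked. The message layout, SMRAM window and addresses are constructed; CommBufferError, toctou_demo and the other names are this example's own.

```python
MASK64 = (1 << 64) - 1
HEADER_SIZE = 24                                   # constructed: 16-byte GUID + 8-byte length
SMRAM_BASE, SMRAM_SIZE = 0x7F00_0000, 0x0100_0000  # constructed SMRAM window


class CommBufferError(ValueError):
    """The handler must abort; carrying on is the failure mode in 3.2.7."""


def payload_size(buffer_size):
    """BufferSize minus header, refusing the case that underflows in C (3.2.2)."""
    if buffer_size < HEADER_SIZE:
        raise CommBufferError("BufferSize smaller than the message header")
    return buffer_size - HEADER_SIZE


def unsigned_payload_size(buffer_size):
    """What the unchecked C expression (BufferSize - HeaderSize) evaluates to."""
    return (buffer_size - HEADER_SIZE) & MASK64


def is_outside_smram(addr, size, smram_base=SMRAM_BASE, smram_size=SMRAM_SIZE):
    """True iff [addr, addr+size) is non-empty, does not wrap the 64-bit
    address space, and does not overlap SMRAM (3.2.6, 3.2.8, 3.2.22)."""
    if size == 0 or addr > MASK64:
        return False
    end = addr + size                  # exact arithmetic: a size chosen to wrap in C
    if end > MASK64 + 1:               # shows up here as an end past the address space
        return False
    return end <= smram_base or addr >= smram_base + smram_size


def validate_comm_buffer(addr, buffer_size):
    """Size check, then range check; returns the payload length or aborts."""
    length = payload_size(buffer_size)
    if not is_outside_smram(addr, buffer_size):
        raise CommBufferError("communication buffer overlaps SMRAM or wraps")
    return length


def rejects(fn, *args):
    """True if fn(*args) aborts with CommBufferError."""
    try:
        fn(*args)
    except CommBufferError:
        return True
    return False


def pointer_field(buf):
    """First payload field: an 8-byte little-endian pointer (constructed layout)."""
    return int.from_bytes(buf[HEADER_SIZE:HEADER_SIZE + 8], "little")


def check_pointer(buf, addr, buffer_size):
    """Sanitise the pointer: it must refer inside the working buffer, else abort."""
    if not addr <= pointer_field(buf) < addr + buffer_size:
        raise CommBufferError("pointer field escapes the working buffer")


def build_message(ptr):
    """Constructed message: zeroed header followed by the pointer field."""
    return bytearray(HEADER_SIZE) + bytearray(ptr.to_bytes(8, "little"))


def dma_write(shared, ptr):
    """Simulated DMA from a device: rewrites the pointer field in the shared buffer."""
    shared[HEADER_SIZE:HEADER_SIZE + 8] = ptr.to_bytes(8, "little")


def toctou_demo(addr=0x1000_0000):
    """Two handlers hit by the same DMA write between check and use. Returns
    (pointer the check-then-use handler would dereference, pointer the snapshot
    handler uses)."""
    size = HEADER_SIZE + 8
    # Unsafe: validates the live buffer, then reads the live buffer again.
    shared = build_message(addr + 8)
    validate_comm_buffer(addr, size)
    check_pointer(shared, addr, size)             # passes on the benign value
    dma_write(shared, SMRAM_BASE + 0x10)          # race window
    unsafe_target = pointer_field(shared)         # now an SMRAM address
    # Safe: copies into SMRAM first and never looks at the shared buffer again.
    shared = build_message(addr + 8)
    local = bytes(shared[:size])                  # SMRAM-private snapshot
    validate_comm_buffer(addr, size)
    check_pointer(local, addr, size)
    dma_write(shared, SMRAM_BASE + 0x10)          # same race, no effect on `local`
    safe_target = pointer_field(local)
    return unsafe_target, safe_target
```

Running toctou_demo() returns an SMRAM address for the check-then-use handler and the original in-buffer address for the snapshot handler; the ordering it demonstrates (copy in, then validate, then use only the copy, aborting on any pointer that is not accounted for) is the same one that applies to the PnpSmm, FwBlockServiceSmm, IHISI and USB working buffers named above.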

3.2.23 PLAINTEXT STORAGE OF A PASSWORD CWE-256

An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.

CVE-2023-31041 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released BIOS update V1.0.212N for the affected products and recommends updating to the latest version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-957369 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Rockwell Automation Pavilion8

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Pavilion8
Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to retrieve other users’ session data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Pavilion8, model predictive control software, are affected:

Pavilion8: versions v5.17.00 and v5.17.01

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

The JMX Console within Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could retrieve other application users’ session data and/or log users out of their sessions.

CVE-2023-29463 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends customers apply the following mitigations:

Update to v5.20

Rockwell Automation encourages customers using the affected software to apply the risk mitigations, if possible, and to implement the suggested security best practices to minimize the risk of the vulnerability.

If customers are unable to update to v5.20, please follow the instructions below to mitigate the vulnerability in v5.17.

Open the web.xml file in your Pavilion8® installation folder set during installation and go to “Console\container\webapps\ROOT\WEB-INF”; by default this would be under “C:\Pavilion\Console\container\webapps\ROOT\WEB-INF”.
Search for the text “jmx-console-action-handler” and delete the lines below from the web.xml file:
<servlet>
  <servlet-name>jmx-console-action-handler</servlet-name>
  <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>jmx-console-action-handler</servlet-name>
  <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
</servlet-mapping>
Save the changes and close the file.
Restart Pavilion8 Console Service.
Log out and log back into the console and navigate to the URL http://<FQDN>/jmx-console to confirm you are getting the error message “HTTP Status 404 – Not Found.”
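The procedure above is a manual edit followed by a manual check. The script below is an added example, not Rockwell Automation code, that applies the same workaround programmatically: it removes every <servlet> and <servlet-mapping> entry in a web.xml whose <servlet-name> is jmx-console-action-handler, leaves all other servlets untouched, and reports which url-patterns (if any) are still bound to that servlet so the edit can be verified before the service is restarted. The sample web.xml embedded below is constructed for illustration; the servlet name, class and url-pattern are the ones quoted in the advisory, and harden_file, bound_url_patterns and the .bak convention are this example's own.

```python
import sys
import xml.etree.ElementTree as ET

SERVLET_NAME = "jmx-console-action-handler"   # servlet name quoted in the advisory

# Constructed sample web.xml: the JMX console entries from the advisory next to
# an unrelated servlet that the edit must leave in place.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name> jmx-console-action-handler</servlet-name>
    <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>console</servlet-name>
    <servlet-class>com.example.ConsoleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>console</servlet-name>
    <url-pattern>/console/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the code works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _servlet_name(elem):
    for child in elem:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip()   # the advisory's copy has a stray space
    return None


def remove_jmx_console(xml_text, servlet_name=SERVLET_NAME):
    """Return (new_xml, removed_count). Drops every top-level <servlet> and
    <servlet-mapping> whose <servlet-name> equals servlet_name."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # keep the document's default namespace unprefixed when re-serialising
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    removed = 0
    for elem in list(root):
        if (_local(elem.tag) in ("servlet", "servlet-mapping")
                and _servlet_name(elem) == servlet_name):
            root.remove(elem)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def bound_url_patterns(xml_text, servlet_name=SERVLET_NAME):
    """Verification step: url-patterns still mapped to servlet_name (expect [])."""
    root = ET.fromstring(xml_text)
    patterns = []
    for elem in root:
        if _local(elem.tag) == "servlet-mapping" and _servlet_name(elem) == servlet_name:
            patterns += [(c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern"]
    return patterns


def harden_file(path):
    """Edit a web.xml in place, keeping a .bak copy; returns the removed count."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_xml, removed = remove_jmx_console(original)
    if removed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"removed {harden_file(sys.argv[1])} entries from {sys.argv[1]}")
    else:
        hardened, n = remove_jmx_console(SAMPLE_WEB_XML)
        print(f"sample: removed {n}; remaining JMX mappings: {bound_url_patterns(hardened)}")
```

Run it with the path to the installation's web.xml to apply the edit, then restart the Pavilion8 Console Service and confirm the 404 as the advisory describes; bound_url_patterns on the saved file is the file-level counterpart of that browser check.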

For more information, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens WIBU Systems CodeMeter

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.0
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: WIBU Systems CodeMeter
Vulnerability: Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to escalate privileges or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

PSS(R)CAPE V14: All versions prior to V14.2023-08-23
PSS(R)CAPE V15: All versions prior to V15.0.22
PSS(R)E V34: All versions prior to V34.9.6
PSS(R)E V35: All versions
PSS(R)ODMS V13.0: All versions
PSS(R)ODMS V13.1: All versions prior to V13.1.12.1
SIMATIC PCS neo V3: All versions
SIMATIC PCS neo V4: All versions
SIMATIC WinCC OA V3.17: All versions
SIMATIC WinCC OA V3.18: All versions
SIMATIC WinCC OA V3.19: All versions prior to V3.19 P006
SIMIT Simulation Platform: All versions
SINEC INS: All versions
SINEMA Remote Connect: All versions

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

In CodeMeter Runtime versions up to 7.60b, there is a heap buffer overflow vulnerability that could potentially lead to remote code execution. Currently, no PoC is known. To exploit the heap overflow, additional protection mechanisms need to be broken. Remote access is only possible if CodeMeter is configured as a server. If CodeMeter is not configured as a server, an attacker would need to log in to the machine where the CodeMeter Runtime is running or trick a user into sending a malicious request to CodeMeter. This might result in an escalation of privilege. (WIBU-230704-01)

CVE-2023-3935 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

PSS(R)CAPE V14, PSS(R)CAPE V15, PSS(R)E V34, PSS(R)E V35, PSS(R)ODMS V13.0, PSS(R)ODMS V13.1, SIMATIC PCS neo V3, SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18, SIMATIC WinCC OA V3.19, SIMIT Simulation Platform, SINEC INS, SINEMA Remote Connect: If CodeMeter Runtime is configured as server: Limit remote access to systems where the CodeMeter Runtime network server is running
SIMIT Simulation Platform: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts
PSS(R)CAPE V15, PSS(R)E V34, PSS(R)ODMS V13.1: For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
SIMATIC PCS neo V3, SINEC INS, SINEMA Remote Connect: Currently no fix is planned
SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18: Currently no fix is available
PSS(R)ODMS V13.1: Update to V13.1.12.1 or later version
PSS(R)CAPE V15: Update to V15.0.22 or later version
SIMATIC WinCC OA V3.19: Update to V3.19 P006 or later version
PSS(R)E V34: Update to V34.9.6 or later version
PSS(R)E V35, SIMIT Simulation Platform: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
PSS(R)CAPE V14: CAPE V14 installations made from material dated 2023-08-23 or later are not affected, as they contain a fixed version of CodeMeter Runtime. For installations of CAPE V14 using material earlier than 2023-08-23: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
PSS(R)ODMS V13.0: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
PSS(R)CAPE V14, PSS(R)CAPE V15, PSS(R)E V34, PSS(R)E V35, PSS(R)ODMS V13.0, PSS(R)ODMS V13.1, SIMATIC PCS neo V3, SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18, SIMATIC WinCC OA V3.19, SIMIT Simulation Platform, SINEC INS, SINEMA Remote Connect: If CodeMeter Runtime is configured as client only in the affected product: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-240541 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens SIMATIC, SIPLUS Products


View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC, SIPLUS Products
Vulnerability: Integer Overflow or Wraparound

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to create a denial-of-service condition by sending a specially crafted certificate.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions prior to v2.2
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions prior to v2.2
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): All versions prior to v2.9.7
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): All versions from v3.0.1 to v3.0.3
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): All versions prior to v2.9.7
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): All versions from v3.0.1 to v3.0.3
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): All versions prior to v21.9.7
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): Versions 30.0.0 and prior
SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All versions
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): All versions prior to v3.0.3
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): All versions prior to v2.9.7
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): All versions prior to v2.9.7
SIMATIC S7-1500 Software Controller V2: All versions prior to v21.9.7
SIMATIC S7-1500 Software Controller V3: All versions
SIMATIC S7-PLCSIM Advanced: All versions
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): All versions prior to v2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): All versions prior to v2.9.7
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): All versions prior to v3.0.3
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): All versions prior to v3.0.3

3.2 Vulnerability Overview

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The ANSI C OPC UA SDK contains an integer overflow vulnerability that could cause the application to run into an infinite loop during certificate validation. This could allow an unauthenticated remote attacker to create a denial-of-service condition by sending a specially crafted certificate.

CVE-2023-28831 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
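The failure mode described above (a length-driven walk that stops making forward progress once a 32-bit offset wraps) is shown here as an added illustration. This is not the OPC UA SDK's code and does not reproduce the actual defect; the element format (a 4-byte big-endian length followed by that many payload bytes), the function names and the sample inputs are all constructed for this example. The unsafe walker bounds-checks only the 4-byte header, so an attacker-controlled length near UINT32_MAX moves the offset backwards and the loop never terminates; the hardened walker compares the claimed length against the bytes actually remaining before advancing, which rules out wraparound by construction.

```c
#include <stdint.h>
#include <stdio.h>

#define WALK_MALFORMED (-1)   /* hardened walker rejected the input         */
#define WALK_STUCK     (-2)   /* unsafe walker hit the demo's iteration cap  */

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (constructed): the header fits, but the payload length is
 * never compared with the remaining space. `offset + 4 + len` is evaluated in
 * uint32_t and wraps modulo 2^32, so a large `len` sends the offset back to an
 * earlier position and `offset < buf_len` stays true forever. `max_iter` only
 * exists so this demonstration terminates; real code would spin indefinitely. */
int count_elements_unsafe(const uint8_t *buf, uint32_t buf_len, unsigned max_iter)
{
    uint32_t offset = 0;
    unsigned iter = 0;
    int count = 0;

    while (offset < buf_len) {
        if (iter++ >= max_iter)
            return WALK_STUCK;
        if (buf_len - offset < 4)
            return WALK_MALFORMED;
        uint32_t len = read_be32(buf + offset);
        offset += 4u + len;            /* wraps for len >= 0xFFFFFFFC - offset */
        count++;
    }
    return count;
}

/* Hardened form: bound the claimed length by what is actually left. Because
 * len <= remaining implies offset + 4 + len <= buf_len in exact arithmetic,
 * the addition cannot wrap and every iteration moves strictly forward. */
int count_elements_safe(const uint8_t *buf, uint32_t buf_len)
{
    uint32_t offset = 0;
    int count = 0;

    while (offset < buf_len) {
        if (buf_len - offset < 4)
            return WALK_MALFORMED;
        uint32_t len = read_be32(buf + offset);
        uint32_t remaining = buf_len - offset - 4;
        if (len > remaining)
            return WALK_MALFORMED;     /* claimed payload exceeds the buffer */
        offset += 4u + len;
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t good_input[] = {
    0x00, 0x00, 0x00, 0x02, 0xAA, 0xBB,   /* element 1: two payload bytes */
    0x00, 0x00, 0x00, 0x00,               /* element 2: empty payload     */
};
static const uint8_t wrap_input[] = {
    0xFF, 0xFF, 0xFF, 0xFC, 0x00, 0x00, 0x00, 0x00, /* 4 + 0xFFFFFFFC wraps to 0 */
};
static const uint8_t oversize_input[] = {
    0x00, 0x00, 0x00, 0x10, 0x01,         /* claims 16 bytes, only 1 present */
};

int main(void)
{
    printf("good     unsafe=%d safe=%d\n",
           count_elements_unsafe(good_input, sizeof good_input, 100),
           count_elements_safe(good_input, sizeof good_input));
    printf("wrap     unsafe=%d safe=%d\n",
           count_elements_unsafe(wrap_input, sizeof wrap_input, 100),
           count_elements_safe(wrap_input, sizeof wrap_input));
    printf("oversize unsafe=%d safe=%d\n",
           count_elements_unsafe(oversize_input, sizeof oversize_input, 100),
           count_elements_safe(oversize_input, sizeof oversize_input));
    return 0;
}
```

The third input is worth noting: the unsafe walker "accepts" it (the offset simply jumps past the end of the buffer and the loop exits), which is why a missing length check often survives testing with merely oversized values and is only exposed by one that wraps. The hardened check rejects both cases with the same comparison.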

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Currently no fix is available for the following products:

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)
SIMATIC S7-1200 CPU family (incl. SIPLUS variants)
SIMATIC S7-1500 Software Controller V3
SIMATIC S7-PLCSIM Advanced

Apply Update v2.2 or a later version to the following products:

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00)
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00)
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)

Apply Update v2.9.7 or a later version to the following products:

SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0)
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0)
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0)
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0)
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0)
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0)
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0)
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0)
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0)
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0)
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0)
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0)
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0)
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0)
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0)
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0)
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0)
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0)
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0)
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0)
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0)
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0)
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0)
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0)
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0)
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0)
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0)
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0)
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0)
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0)
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0)
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0)
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0)
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0)
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0)
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0)
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0)
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0)
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0)
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0)
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0)
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0)
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0)
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0)
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0)
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0)
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0)
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0)
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0)
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0)
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0)
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0)
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0)
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0)
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0)
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0)
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0)
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0)
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0)
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0)
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0)
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0)
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0)

Apply Update v21.9.7 or a later version to the following products:

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)
SIMATIC S7-1500 Software Controller V2

Apply Update v3.0.3 or a later version to the following products:

SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0)
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0)
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0)
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0)
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0)
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0)
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0)
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0)
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0)
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0)
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0)
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0)
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0)
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0)
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0)
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0)
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0)
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0)
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0)
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0)
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0)
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0)
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0)
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0)
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0)
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0)
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0)
SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0)
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0)
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0)
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0)
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0)
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0)
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0)
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0)
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0)
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0)
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For more information, see the associated Siemens security advisory SSA-711309 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically targeting this vulnerability have been reported to CISA at this time.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Siemens QMS Automotive


View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: QMS Automotive
Vulnerabilities: Plaintext Storage of a Password, Cleartext Storage of Sensitive Information in Memory, Generation of Error Message Containing Sensitive Information, Server-generated Error Message Containing Sensitive Information, Improper Verification of Cryptographic Signature, Insecure Storage of Sensitive Information, Cleartext Transmission of Sensitive Information, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform malicious code injection, information disclosure or lead to a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

QMS Automotive: All versions prior to v12.39

3.2 Vulnerability Overview

3.2.1 PLAINTEXT STORAGE OF A PASSWORD CWE-256

User credentials are stored in plaintext in the database without any hashing mechanism. This could allow an attacker to gain access to credentials and impersonate other users.

CVE-2022-43958 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

User credentials are found in memory as plaintext. An attacker could perform a memory dump, gain access to the credentials, and use them for impersonation.

CVE-2023-40724 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.2.3 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

The affected application returns inconsistent error messages in response to invalid user credentials during a login session. This could allow an attacker to enumerate and identify valid usernames.

CVE-2023-40725 has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.4 SERVER-GENERATED ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-550

The affected application server responds with sensitive information about the server. This could allow an attacker to directly access the database.

CVE-2023-40726 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.5 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

The QMS.Mobile module of the affected application uses a weak, outdated application-signing mechanism. This could allow an attacker to tamper with the application code.

CVE-2023-40727 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

The QMS.Mobile module of the affected application stores sensitive application data in insecure external storage. This could allow an attacker to alter that content, leading to arbitrary code execution or a denial-of-service condition.

CVE-2023-40728 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

3.2.7 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected application does not enforce HTTPS, so communication can take place unencrypted. An attacker who has gained a machine-in-the-middle position could manipulate or steal confidential information.

CVE-2023-40729 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.8 IMPROPER ACCESS CONTROL CWE-284

The QMS.Mobile module of the affected application lacks sufficient authorization checks. This could allow an attacker to access confidential information, perform administrative functions, or lead to a denial-of-service condition.

CVE-2023-40730 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

3.2.9 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected application allows users to upload files of arbitrary types. This could allow an attacker to upload malicious files, which could potentially lead to code tampering.

CVE-2023-40731 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N).
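
The following is an added example, not code from QMS Automotive or Siemens, showing the allow-list check that the CWE-434 finding calls for: the extension must be on an allow-list, the leading bytes must match the signature expected for that extension, and the name used on disk is generated server-side rather than taken from the client. The allowed types, the size limit, and the sample uploads are assumptions constructed for the example.

```python
"""Allow-list file-upload validation (added example, not QMS Automotive code).

Accept an upload only when the final extension is on an allow-list, the
leading bytes match the signature expected for that extension, and the name
stored on disk is regenerated server-side. Never trust the Content-Type the
client sends. Sample uploads below are constructed for the example.
"""
import os
import secrets
from typing import Dict, Tuple

# Allowed extension -> expected leading bytes. Assumed policy for a
# quality-management document store; adjust to what the deployment needs.
ALLOWED_SIGNATURES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "csv": (),  # text: no magic; checked for NUL bytes and UTF-8 validity below
}


def _extension(filename: str) -> str:
    # Judge only the final suffix, so "report.pdf.exe" is judged on "exe".
    base = os.path.basename(filename)
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def validate_upload(filename: str, data: bytes, max_bytes: int = 10 * 1024 * 1024) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized upload"
    ext = _extension(filename)
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} not on allow-list"
    magics = ALLOWED_SIGNATURES[ext]
    if magics:
        if not any(data.startswith(m) for m in magics):
            return False, f"content does not match signature for .{ext}"
    else:
        # Text formats: reject binary payloads that merely carry a text name.
        if b"\x00" in data:
            return False, "binary content in text upload"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text upload is not valid UTF-8"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-generated name: random token plus the validated extension only.
    The client-supplied name never reaches the filesystem."""
    ext = _extension(filename)
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (not taken from any real system).
SAMPLES = {
    "audit.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj",
    "shell.php": b"<?php system($_GET['c']); ?>",
    "logo.png.php": b"\x89PNG\r\n\x1a\n...",       # double extension, judged on "php"
    "fake.png": b"<?php echo 'not a png'; ?>",      # right extension, wrong magic
    "defects.csv": b"id,severity\n1,high\n",
    "evil.csv": b"MZ\x90\x00\x03\x00\x00\x00",       # PE header disguised as CSV
}


def run_samples() -> Dict[str, bool]:
    """Map each constructed sample to whether validate_upload accepts it."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}")
```

The magic-byte check is a sanity check, not a guarantee of harmlessness: a valid PDF or PNG can still carry malicious content, so uploads should also be stored outside the web root and served with a fixed Content-Type and Content-Disposition.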

3.2.10 INSUFFICIENT SESSION EXPIRATION CWE-613

The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks.

CVE-2023-40732 has been assigned to this vulnerability. A CVSS v3 base score of 3.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).
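
The following added example (not Siemens or QMS Automotive code) puts 3.2.1, 3.2.3 and 3.2.10 side by side in one small authentication service: passwords are stored as salted scrypt hashes rather than plaintext, the login response and its cost are the same whether the username or the password is wrong, and logout deletes the session server-side so a token captured earlier stops resolving. The scrypt parameters, the account name, and the session lifetime are assumptions chosen for the example.

```python
"""Credential storage, uniform login errors and logout revocation
(added example, not QMS Automotive code).

- CWE-256: passwords are stored as salt || scrypt(password) instead of plaintext.
- CWE-209: login returns one generic message, and runs scrypt even for an
  unknown user, so neither the text nor the timing reveals valid usernames.
- CWE-613: logout removes the session on the server; a copied token is dead.
Account name, password and cost parameters are constructed for the example.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost; tune for the host
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || 32-byte scrypt digest; a fresh random salt per user."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


# Dummy record verified for unknown users so that path costs as much as a
# real verification; otherwise response time alone enumerates accounts.
_DUMMY = hash_password("dummy-password")


class AuthService:
    GENERIC_ERROR = "invalid username or password"

    def __init__(self, session_ttl: int = 3600):
        self._users: Dict[str, bytes] = {}                     # user -> salt||hash
        self._sessions: Dict[str, Tuple[str, float]] = {}      # token -> (user, expiry)
        self._ttl = session_ttl

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Tuple[Optional[str], str]:
        """Return (token, message); message is identical for unknown user
        and wrong password."""
        stored = self._users.get(username)
        ok = verify_password(password, stored if stored is not None else _DUMMY)
        if not ok or stored is None:
            return None, self.GENERIC_ERROR
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + self._ttl)
        return token, "ok"

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a token; expired or revoked tokens resolve to None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]
            return None
        return user

    def logout(self, token: str) -> None:
        # The CWE-613 finding is exactly this line being absent: if only the
        # client forgets its cookie, a token copied earlier keeps working.
        self._sessions.pop(token, None)


def demo() -> Dict[str, object]:
    """Exercise the three properties and return what was observed."""
    svc = AuthService()
    svc.add_user("inspector", "Correct-Horse-7")          # constructed account
    tok, _ = svc.login("inspector", "Correct-Horse-7")
    _, err_user = svc.login("nobody", "x")
    _, err_pass = svc.login("inspector", "wrong")
    before = svc.user_for(tok)
    svc.logout(tok)
    after = svc.user_for(tok)
    return {
        "same_error": err_user == err_pass,
        "before": before,
        "after": after,
        "plaintext_on_disk": b"Correct-Horse-7" in svc._users["inspector"],
    }
```

The dummy verification keeps the unknown-user path at roughly the same cost as a real one; if the deployment logs failed logins, log the same event for both cases too, since an "unknown user" log line is just another enumeration channel.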

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

QMS Automotive: Update to V12.39 or later version. The patch is available upon request from customer support.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-147266 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 14, 2023: Initial Publication

Hitachi Energy Lumada APM Edge

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Lumada Asset Performance Management (APM) Edge
Vulnerabilities: Use After Free, Double Free, Type Confusion, Observable Discrepancy

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclosure of sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

Lumada APM Edge: Versions 4.0 and prior
Lumada APM Edge: Version 6.3

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the “name” (e.g. “CERTIFICATE”), any header data and the payload data. If the function succeeds then the “name_out”, “header” and “data” arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial-of-service attack.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.4 OBSERVABLE DISCREPANCY CWE-203

A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
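
All four OpenSSL issues above were fixed upstream in OpenSSL 1.1.1t and 3.0.8 (February 2023); later branches, 3.1 onward, were released with the fix. The following added example (not Hitachi Energy or OpenSSL project code) parses OpenSSL version strings and reports whether each is at or past those releases, which is the check an operator needs for the HAProxy gateway and operating system the mitigation section says must be updated alongside Lumada APM Edge. The two sample lines imitate the build-time and run-time OpenSSL lines that `haproxy -vv` prints; their format and values are assumptions constructed for the example. Versions older than 1.1.1 are treated as affected because they are out of public support.

```python
"""Check OpenSSL version strings against the February 2023 fixes
(added example; not Hitachi Energy or OpenSSL project code).

CVE-2022-4304, CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286 were fixed in
OpenSSL 1.1.1t and 3.0.8. 1.1.1 patch releases carry a single letter suffix
that increases alphabetically, so the suffix can be compared lexically.
"""
import re
import ssl
from typing import Dict, Optional, Tuple

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
FIXED_111_LETTER = "t"   # 1.1.1t
FIXED_30_PATCH = 8       # 3.0.8

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, letter) from a string mentioning OpenSSL."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_fixed(version: Version) -> bool:
    major, minor, patch, letter = version
    if major >= 3:
        if (major, minor) == (3, 0):
            return patch >= FIXED_30_PATCH
        return True                         # 3.1 and later shipped after the fix
    if (major, minor, patch) == (1, 1, 1):
        return letter >= FIXED_111_LETTER   # 1.1.1t ... 1.1.1w
    return False                            # 1.1.0, 1.0.2 and older: out of public support


def assess(text: str) -> Dict[str, bool]:
    """Verdict for every line of `text` that names an OpenSSL version."""
    results: Dict[str, bool] = {}
    for line in text.splitlines():
        v = parse_version(line)
        if v:
            results[line.strip()] = is_fixed(v)
    return results


def local_python_openssl_fixed() -> bool:
    """Same check against the OpenSSL the running interpreter links."""
    v = parse_version(ssl.OPENSSL_VERSION)
    return bool(v and is_fixed(v))


# Constructed sample, assumed to resemble the two OpenSSL lines of `haproxy -vv`.
# The "Running on" line is the one that matters: it is the shared library
# actually loaded, which may differ from the headers HAProxy was built with.
HAPROXY_VV_SAMPLE = """\
Built with OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
Running on OpenSSL version : OpenSSL 1.1.1t  7 Feb 2023
"""

if __name__ == "__main__":
    for line, ok in assess(HAPROXY_VV_SAMPLE).items():
        print(f"{'fixed   ' if ok else 'AFFECTED'}  {line}")
    print("python ssl module fixed:", local_python_openssl_fixed())
```

Distribution packages often backport fixes without changing the upstream version number, so a "affected" verdict from a version string should be confirmed against the distribution's own advisory before raising an incident; a "fixed" verdict is reliable.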

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has fixed the vulnerabilities for Lumada APM in version 6.5.0.2 and later and recommends users update their systems to the appropriate version. Lumada APM Edge versions 4.0 and prior are no longer supported and are considered End-of-Life.

Hitachi Energy reported that Lumada APM Edge relies on the HAProxy service (a prerequisite component) as its API gateway, so that service must be reachable by end users over the network. Because HAProxy also uses the OpenSSL libraries, it is crucial that it is updated along with its underlying operating system for Lumada APM Edge to remain accessible to end users.

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate outside the network. Such practices include physically protecting process control systems from direct access by unauthorized personnel, keeping them off any direct connection to the Internet, separating them from other networks by means of a firewall system that exposes a minimal number of ports, applying security updates to installed software components, and other measures that must be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mail. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy advisory 8DBD000169.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 12, 2023: Initial Publication

Fujitsu Software Infrastructure Manager

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Low attack complexity
Vendor: Fujitsu Software
Equipment: Infrastructure Manager
Vulnerability: Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker retrieving the password for the proxy server that is configured in ISM from the maintenance data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Infrastructure Manager are affected:

Infrastructure Manager: Advanced Edition V2.8.0.060
Infrastructure Manager: Advanced Edition for PRIMEFLEX V2.8.0.060
Infrastructure Manager: Essential Edition V2.8.0.060

3.2 Vulnerability Overview

3.2.1 Cleartext Storage of Sensitive Information CWE-312

An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) collects and stores authorization credentials in cleartext. This occurs when a user runs the ISM Firmware Repository Address connection test (Test the Connection), or when ISM regularly authenticates against an already configured remote firmware repository site set up under ISM Firmware Repository Address. A privileged attacker is therefore potentially able to obtain the credentials from the ismsnap maintenance data, in the same way as a trusted party who is allowed to export ismsnap data from ISM. An ISM installation is vulnerable only if the Download Firmware (Firmware Repository Server) function is enabled and configured, and the backslash character (\) is used in a user credential (user ID or password) of the remote proxy host or firmware repository server.

CVE-2023-39903 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
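
The advisory's workaround is to keep maintenance data in a trusted location and delete it when no longer needed; a practical complement is to scan an export for cleartext credentials before it is handed to anyone. The following is an added example (not Fujitsu code): the advisory does not show the format of the FirmwareManagement.log entries, so the sample lines are constructed to resemble a proxy and repository login being logged, and the patterns are generic (URL user-info and key=value secrets) rather than ISM-specific. It also checks the published interim workaround, a proxy user ID and password without a backslash.

```python
"""Find and redact cleartext credentials in exported maintenance data, and
check proxy credentials against Fujitsu's no-backslash workaround
(added example; not Fujitsu code; log format and values are constructed).
"""
import re
from typing import List, Tuple

# scheme://user:password@host  -> capture user and password
URL_USERINFO = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*://)(?P<user>[^\s:/@]+):(?P<pw>[^\s@]*)@", re.I)
# key=value or key: value with a secret-looking key (case-insensitive)
KV_SECRET = re.compile(
    r"(?i)\b(password|passwd|pwd|proxy_pass|secret|token)\s*[=:]\s*(?P<val>\S+)")


def find_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that carries a credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if URL_USERINFO.search(line) or KV_SECRET.search(line):
            hits.append((n, line))
    return hits


def redact(text: str) -> str:
    """Replace password material with *** while keeping user names and hosts,
    so the redacted export is still useful to support."""
    text = URL_USERINFO.sub(lambda m: f"{m.group('scheme')}{m.group('user')}:***@", text)
    text = KV_SECRET.sub(lambda m: f"{m.group(1)}=***", text)
    return text


def credential_is_workaround_safe(value: str) -> bool:
    """Fujitsu's interim workaround: proxy user ID and password contain no backslash."""
    return "\\" not in value


# Constructed sample: what a firmware-repository connection test might leave
# in a log if credentials were written verbatim. Not taken from any real ISM.
SAMPLE_LOG = """\
2023-08-30 10:14:02 INFO  FirmwareManagement: test connection to https://repo.example.test/fw
2023-08-30 10:14:02 DEBUG FirmwareManagement: proxy=http://CORP\\svc_fw:Pa55w0rd!@proxy.example.test:8080
2023-08-30 10:14:03 DEBUG FirmwareManagement: repository auth user=fwuser password=S3cret\\1
2023-08-30 10:14:03 INFO  FirmwareManagement: connection OK
"""

if __name__ == "__main__":
    for n, line in find_credentials(SAMPLE_LOG):
        print(f"line {n}: {line}")
    print(redact(SAMPLE_LOG))
```

Run this over the unpacked ismsnap archive (every text file, not only the log named in the advisory) before the archive leaves the host, and treat any hit as a reason to rotate that credential, since the export may already have been copied elsewhere.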

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Fujitsu Technology Solutions GmbH and the Fujitsu PSIRT (Europe) reported the vulnerability to MITRE and Fujitsu Limited. Fujitsu Limited and JPCERT/CC reported this vulnerability to CISA.

4. MITIGATIONS

Fujitsu Software recommends updating the software to version V2.8.0.061, which has been released to fix this vulnerability.

Fujitsu Software recommends, as a workaround, using a user ID and/or password for the proxy server that does not include the backslash character ("\") when downloading firmware.

Fujitsu Software recommends, as a workaround, storing the maintenance data in a trusted location, and deleting when unnecessary.

JPCERT/CC published JVN#38847224 regarding this issue.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 12, 2023: Initial Publication

Dover Fueling Solutions MAGLINK LX Console

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Dover Fueling Solutions
Equipment: MAGLINK LX – Web Console Configuration
Vulnerabilities: Authentication Bypass using an Alternate Path or Channel, Improper Access Control, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of MAGLINK LX Web Console Configuration are affected:

MAGLINK LX Web Console Configuration: version 2.5.1
MAGLINK LX Web Console Configuration: version 2.5.2
MAGLINK LX Web Console Configuration: version 2.5.3
MAGLINK LX Web Console Configuration: version 2.6.1
MAGLINK LX Web Console Configuration: version 2.11
MAGLINK LX Web Console Configuration: version 3.0
MAGLINK LX Web Console Configuration: version 3.2
MAGLINK LX Web Console Configuration: version 3.3

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

The affected product is vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access by leveraging the MAGLINK LX Web Console.

CVE-2023-41256 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

The affected product could allow a guest user to elevate to admin privileges by leveraging the MAGLINK LX Web Console.

CVE-2023-36497 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The affected product is vulnerable to a path traversal attack, which could allow an attacker to access files stored on the system.

CVE-2023-38256 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
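
The advisory gives no detail on where the MAGLINK LX console's traversal lies, so the following added example (not Dover Fueling Solutions code) shows the generic containment check a file-serving endpoint needs: decode the request once, refuse absolute paths, NUL bytes and parent-directory components, then resolve against a fixed root and confirm the result is still inside it, which also catches a symlink inside the root that points outside it. The scratch directory, file names, and request strings are constructed for the example.

```python
"""Containing file access to a served root directory
(added example; not Dover Fueling Solutions code; inputs are constructed).
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict
from urllib.parse import unquote


class PathTraversal(Exception):
    """Raised when a requested name would resolve outside the served root."""


def resolve_under(root: Path, requested: str) -> Path:
    """Return the absolute path for `requested` inside `root`, or raise."""
    root = root.resolve()
    cleaned = unquote(requested)            # decode once, as a web server would
    if not cleaned or "\x00" in cleaned:
        raise PathTraversal("empty name or NUL byte")
    rel = Path(cleaned)
    if rel.is_absolute() or cleaned.startswith(("/", "\\")):
        raise PathTraversal("absolute path")
    if any(part == ".." for part in rel.parts):
        raise PathTraversal("parent-directory component")
    candidate = (root / rel).resolve()      # follows symlinks
    if candidate != root and root not in candidate.parents:
        raise PathTraversal(f"{requested!r} escapes {root}")
    return candidate


def run_samples() -> Dict[str, bool]:
    """Build a scratch root with one real file and one escaping symlink, then
    report which constructed requests resolve_under accepts."""
    tmp = Path(tempfile.mkdtemp())
    try:
        root = tmp / "config"
        root.mkdir()
        (root / "pump1.cfg").write_text("station=demo\n")
        outside = tmp / "secret.txt"
        outside.write_text("not for the console\n")
        requests = [
            "pump1.cfg",            # legitimate
            "../secret.txt",        # classic traversal
            "%2e%2e/secret.txt",    # URL-encoded dots
            "/etc/passwd",          # absolute path
            "sub/../pump1.cfg",     # normalises inside root, still refused
            "pump1.cfg%00.jpg",     # NUL-byte truncation attempt
        ]
        try:
            os.symlink(outside, root / "link.cfg")
            requests.append("link.cfg")     # symlink pointing out of root
        except OSError:
            pass                            # symlinks unavailable here; skip case
        results: Dict[str, bool] = {}
        for req in requests:
            try:
                resolve_under(root, req)
                results[req] = True
            except PathTraversal:
                results[req] = False
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for req, ok in run_samples().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {req!r}")
```

The containment test after resolve() is the one that actually matters; the earlier rejections give clearer error messages and stop the check from depending on filesystem state, but they are not sufficient on their own (they would not catch the symlink case).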

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Certified in the EU and UK, but may also be found worldwide.
COMPANY HEADQUARTERS LOCATION: United States of America

3.4 RESEARCHER

Soufian El Yadmani of Darktrace / CSIRT.global reported these vulnerabilities to CISA.

4. MITIGATIONS

In 2023, Dover Fueling Solutions announced end-of-life for MAGLINK LX 3 and released MAGLINK LX 4. MAGLINK LX 3 version 3.4.2.2.6 and MAGLINK LX 4 fix these vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 07, 2023: Initial Publication