
Siemens SIMATIC STEP 7 and Derived Products

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC PCS 7, SIMATIC S7-PM, SIMATIC STEP 7 V5
Vulnerability: Improper Control of Generation of Code (‘Code Injection’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SIMATIC PCS 7: All versions
SIMATIC S7-PM: All versions
SIMATIC STEP 7 V5: All versions prior to V5.7

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system’s server.

CVE-2023-25910 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned. The CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

If only one Engineering System is in use, consider changing to “Single terminal system” mode in the “Configure SIMATIC Workspace/Workstation” application, under the “Workstation Configuration” tab. Restart the computer. More details can be found in the following FAQ: https://support.industry.siemens.com/cs/ww/en/view/109821340/
SIMATIC STEP 7 V5: Update to V5.7 or later version
SIMATIC PCS 7: Currently no fix is available
SIMATIC S7-PM: Currently no fix is planned
SIMATIC S7-PM: Switch to “Single terminal system” (as described in the section Workarounds and Mitigations). Alternatively, consider migrating the STEP 7 project to the latest version of TIA Portal and uninstall S7-PM

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-968170 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability.

Siemens SICAM A8000 Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 7.2
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SICAM A8000 Devices
Vulnerabilities: Command Injection, Use of Hard-coded Credentials, Exposed Dangerous Method or Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with direct physical access to crack the root password and log in to the device, or to remotely execute arbitrary code with root privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

CP-8031 MASTER MODULE (6MF2803-1AA00): All versions prior to CPCI85 V05
CP-8050 MASTER MODULE (6MF2805-0AA00): All versions prior to CPCI85 V05

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The web interface of affected devices is vulnerable to command injection due to missing server-side input sanitization. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges.

CVE-2023-33919 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated. The CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.

CVE-2023-33920 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated. The CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

The affected devices contain an exposed UART console login interface. An attacker with direct physical access could try to brute force or crack the root password to log in to the device.

CVE-2023-33921 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated. The CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

SEC Consult Vulnerability Lab, on behalf of Netz Niederösterreich GmbH, EVN Gruppe, reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens recommends updating the following products to the latest version:

CP-8050 MASTER MODULE (6MF2805-0AA00): Update to CPCI85 V05 or later version
CP-8031 MASTER MODULE (6MF2803-1AA00): Update to CPCI85 V05 or later version

Operators of critical power systems (e.g., TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment.

As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN). It is advised to configure the environment according to Siemens’ operational guidelines to run the devices in a protected IT environment.

Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-731916 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Advantech WebAccess/SCADA

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerability: Untrusted Pointer Dereference

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain remote file system access and achieve remote command execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech WebAccess/SCADA, a browser-based SCADA software package, are affected:

WebAccess/SCADA: All versions prior to 9.1.4

3.2 VULNERABILITY OVERVIEW

3.2.1 UNTRUSTED POINTER DEREFERENCE CWE-822

All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments sent by the client could contain raw memory pointers that the server used as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.

CVE-2023-1437 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Chemical, Energy, Water and Wastewater
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Florent Saudel reported this vulnerability to CISA.

4. MITIGATIONS

Advantech recommends all affected users update their products to the latest patch. This vulnerability was fixed in Version 9.1.4.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Siemens SIMATIC WinCC

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 3.9
ATTENTION: Exploitable from an adjacent network
Vendor: Siemens
Equipment: SIMATIC Products
Vulnerability: Use of Obsolete Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain unauthorized access to product control and data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

SIMATIC NET PC Software V14: All versions
SIMATIC NET PC Software V15: All versions
SIMATIC PCS 7 V8.2: All versions
SIMATIC PCS 7 V9.0: All versions
SIMATIC PCS 7 V9.1: All versions
SIMATIC WinCC: All versions prior to V8.0
SINAUT Software ST7sc: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF OBSOLETE FUNCTION CWE-477

Before SIMATIC WinCC V8, legacy OPC services (OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events)) were used per default. These services were designed on top of the Windows ActiveX and DCOM mechanisms, and do not implement state-of-the-art security mechanisms for authentication and encryption of contents.

CVE-2023-28829 has been assigned to this vulnerability. A CVSS v3 base score of 3.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SIMATIC WinCC: Update to V8.0 or later
SIMATIC NET PC Software: Ensure that only trusted users are part of the SIMATIC Net group
Ensure that only trusted users are part of the SIMATIC HMI group
Disable the legacy OPC DA/HDA/AE services and switch to OPC UA, if possible

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-508677 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Siemens SIMOTION

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v3 4.6
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SIMOTION
Vulnerability: Exposure of Sensitive Information Due to Incompatible Policies

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to extract confidential technology object (TO) configuration from the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

SIMOTION C240 (6AU1240-1AA00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION C240 PN (6AU1240-1AB00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D410-2 DP (6AU1410-2AA00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D410-2 DP/PN (6AU1410-2AD00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D425-2 DP (6AU1425-2AA00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D425-2 DP/PN (6AU1425-2AD00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D435-2 DP (6AU1435-2AA00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D435-2 DP/PN (6AU1435-2AD00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D445-2 DP/PN (6AU1445-2AD00-0AA0): All versions including V5.4 and later
SIMOTION D445-2 DP/PN (6AU1445-2AD00-0AA1): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION D455-2 DP/PN (6AU1455-2AD00-0AA0): All versions including V5.4 and later but prior to V5.5 SP1
SIMOTION P320-4 E (6AU1320-4DE65-3AF0): All versions including V5.4 and later
SIMOTION P320-4 S (6AU1320-4DS66-3AG0): All versions including V5.4 and later

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE INFORMATION DUE TO INCOMPATIBLE POLICIES CWE-213

When operated with Security Level Low the device does not protect access to certain services relevant for debugging. This could allow an unauthenticated attacker to extract confidential TO configuration from the device.

CVE-2023-27465 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Update to V5.5 SP1 or later if possible.
Restrict physical access to the device and avoid using Security Level Low (e.g., Service Selector Switch in position 8, set via simotion.ini or the PSTATE program; see Section 3.5 of the SIMOTION IT Diagnostics and Configuration Manual) in production environments.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-482956 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Siemens SIMATIC WinCC V7

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SIMATIC WinCC V7
Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to inject arbitrary code and escalate privileges if a non-default installation path was chosen during installation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SIMATIC WinCC: All versions prior to V7.5.2.13

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Affected applications fail to set proper access rights for their installation folder if a non-default installation path was chosen during installation. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

CVE-2023-30897 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned. The CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SIMATIC WinCC: Update to V7.5.2.13 or later version.
Always use the default installation path when installing SIMATIC WinCC V7.
After installation to a non-default folder, ensure that the access permissions of that folder are equal to the permissions of the Program Files folder.
Harden the application server to prevent local access by untrusted personnel.
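The third mitigation above is checkable. The following PowerShell script is an added example, not part of the advisory or of Siemens' tooling: it compares the write-class access grants on a non-default WinCC installation folder with those on the Program Files folder and reports any identity that can modify the installation folder but holds no such right on Program Files. The installation path is a constructed placeholder.

```powershell
# Added example (not from the CISA/Siemens advisory). Compares the ACL of a
# non-default SIMATIC WinCC V7 installation folder against %ProgramFiles% and
# reports identities with write-class rights that Program Files does not grant.
# Run from an elevated prompt so that Get-Acl can read both security descriptors.
param(
    [string]$InstallPath = 'D:\SIMATIC_WinCC',   # constructed placeholder, adjust
    [string]$ReferencePath = $env:ProgramFiles
)

# Rights that allow a principal to plant or replace files (EXEs, DLLs, config)
# in the folder, or to widen the ACL later. Write already covers CreateFiles
# (WriteData) and CreateDirectories (AppendData).
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $Fsr::Write -bor $Fsr::Modify -bor $Fsr::FullControl -bor
             $Fsr::ChangePermissions -bor $Fsr::TakeOwnership -bor
             $Fsr::DeleteSubdirectoriesAndFiles

function Get-WriteGrants {
    # Returns a hashtable keyed by identity (e.g. 'BUILTIN\Users') holding the
    # Allow ACE that gives that identity write-class rights on $Path.
    param([string]$Path)
    $grants = @{}
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $grants[$ace.IdentityReference.Value] = $ace
    }
    return $grants
}

function Compare-InstallFolderAcl {
    # Lists write-class grants present on the install folder but absent on the
    # reference folder. Inherited entries usually come from the drive root,
    # which on a data drive commonly grants Authenticated Users modify rights;
    # that is the typical cause of an over-permissive non-default install path.
    param([string]$InstallPath, [string]$ReferencePath)
    $expected = Get-WriteGrants -Path $ReferencePath
    $actual   = Get-WriteGrants -Path $InstallPath
    foreach ($identity in $actual.Keys) {
        if (-not $expected.ContainsKey($identity)) {
            [pscustomobject]@{
                Identity  = $identity
                Rights    = $actual[$identity].FileSystemRights
                Inherited = $actual[$identity].IsInherited
                Path      = $InstallPath
            }
        }
    }
}

$excess = @(Compare-InstallFolderAcl -InstallPath $InstallPath -ReferencePath $ReferencePath)
if ($excess.Count -eq 0) {
    Write-Output "OK: $InstallPath grants no write-class rights beyond those on $ReferencePath"
} else {
    Write-Warning "Excess write-class grants on $InstallPath; align its ACL with $ReferencePath:"
    $excess | Format-Table -AutoSize
}
```

An empty result means the folder meets the advisory's condition; any row listed identifies a principal whose grant must be removed (or whose inheritance must be broken) before the server is considered hardened.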

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-914026 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Siemens SIMATIC S7-1500 TM MFP BIOS

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely / low attack complexity
Vendor: Siemens
Equipment: SIMATIC S7-1500 TM MFP
Vulnerabilities: Improper Input Validation, Out-of-bounds Read, Use After Free, Out-of-bounds Write, Infinite Loop, Reachable Assertion, Off-by-one Error, Incorrect Default Permissions, Double Free, Improper Handling of Exceptional Conditions, Integer Overflow or Wraparound, NULL Pointer Dereference, Release of Invalid Pointer or Reference, Race Condition, Improper Restriction of Operations within the Bounds of a Memory Buffer, Non-exit on Failed Initialization, Missing Encryption of Sensitive Data, Classic Buffer Overflow, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may lead to denial of service, arbitrary code execution, information leakage, disclosure of sensitive data, or privilege escalation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the BIOS of the following SIMATIC S7-1500 products:

SIMATIC S7-1500 TM MFP – BIOS: all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The iconv program in the GNU C library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLIT or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

CVE-2016-10228 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The iconv feature in the GNU C library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.

CVE-2019-25013 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 USE AFTER FREE CWE-416

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

CVE-2020-1752 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

The GNU C library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

CVE-2020-10029 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.5 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.

CVE-2020-27618 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.6 REACHABLE ASSERTION CWE-617

The iconv function in the GNU C library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

CVE-2020-29562 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

3.2.7 REACHABLE ASSERTION CWE-617

The iconv function in the GNU C library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

CVE-2021-3326 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.8 OUT-OF-BOUNDS READ CWE-125

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

CVE-2021-3998 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.9 OFF-BY-ONE ERROR CWE-193

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

CVE-2021-3999 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.10 INCORRECT DEFAULT PERMISSIONS CWE-276

A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.

CVE-2021-20269 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.11 DOUBLE FREE CWE-415

The nameserver caching daemon (nscd) in the GNU C library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or denial of service on the local system. This is related to netgroupcache.c.

CVE-2021-27645 has been assigned to this vulnerability. A CVSS v3 base score of 2.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

3.2.12 IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.

CVE-2021-28831 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.13 USE AFTER FREE CWE-416

The mq_notify function in the GNU C library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

CVE-2021-33574 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.14 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The wordexp function in the GNU C library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

CVE-2021-35942 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.15 NULL POINTER DEREFERENCE CWE-476

In librt in the GNU C library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.

CVE-2021-38604 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.16 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference in Busybox’s man applet leads to denial of service when a section name is supplied but no page argument is given.

CVE-2021-42373 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.17 OUT-OF-BOUNDS READ CWE-125

Out-of-bounds heap read in Busybox’s unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.

CVE-2021-42374 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H).

3.2.18 IMPROPER INPUT VALIDATION CWE-20

An incorrect handling of a special element in Busybox’s ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for denial of service under rare conditions of filtered command input.

CVE-2021-42375 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.2.19 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference in Busybox’s hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for denial of service under very rare conditions of filtered command input.

CVE-2021-42376 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.2.20 RELEASE OF INVALID POINTER OR REFERENCE CWE-763

An attacker-controlled pointer free in Busybox’s hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVE-2021-42377 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.21 USE AFTER FREE CWE-416

Use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.

CVE-2021-42378 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.22 USE AFTER FREE CWE-416

Use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.

CVE-2021-42379 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.23 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.

CVE-2021-42380 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.24 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.

CVE-2021-42381 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.25 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.

CVE-2021-42382 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.26 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.

CVE-2021-42383 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.27 USE AFTER FREE CWE-416

Use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.

CVE-2021-42384 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.28 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.

CVE-2021-42385 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.29 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.

CVE-2021-42386 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.30 USE AFTER FREE CWE-416

A use-after-free flaw was found in the Linux kernel’s pipes functionality, in the way post_one_notification() can still operate on a pipe after free_pipe_info() has already been called for it. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2022-1882 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.31 USE AFTER FREE CWE-416

A use-after-free flaw was found in the Linux kernel’s POSIX CPU timers functionality in the way a user creates and then deletes the timer in the non-leader thread of the program. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2022-2585 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.32 IMPROPER INPUT VALIDATION CWE-20

The network packet scheduler implementation in the Linux kernel does not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.

CVE-2022-2588 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.33 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds memory read flaw was found in the Linux kernel’s BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.

CVE-2022-2905 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.34 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362

A race condition was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.

CVE-2022-3028 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.35 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

A vulnerability classified as problematic has been found in the Linux kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue.

CVE-2022-3435 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.36 USE AFTER FREE CWE-416

A flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.

CVE-2022-3586 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.37 OUT-OF-BOUNDS WRITE CWE-787

A stack overflow flaw was found in the Linux kernel’s SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2022-4378 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.38 NON-EXIT ON FAILED INITIALIZATION CWE-455

A flaw of incorrect access control in the Linux kernel USB core subsystem was found in the way a user attaches a USB device. A local user could use this flaw to crash the system.

CVE-2022-4662 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.39 USE AFTER FREE CWE-416

In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android, Versions: Android kernel, Android ID: A-239630375, References: Upstream kernel.

CVE-2022-20421 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.40 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362

In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android, Versions: Android kernel, Android ID: A-237540956, References: Upstream kernel.

CVE-2022-20422 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.41 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Improper isolation of shared resources in some Intel processors may allow a privileged user to potentially enable information disclosure via local access.

CVE-2022-21233 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.42 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23218 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.43 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23219 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.44 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record’s value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal’s colors.

CVE-2022-28391 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.45 USE AFTER FREE CWE-416

A use-after-free in Busybox 1.35-x’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

CVE-2022-30065 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.46 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362

An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

CVE-2022-39188 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.47 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.

CVE-2022-39190 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.48 USE AFTER FREE CWE-416

An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.

CVE-2022-40307 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.49 USE AFTER FREE CWE-416

mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.

CVE-2022-41222 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.50 USE AFTER FREE CWE-416

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.

CVE-2022-42703 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.51 INTEGER OVERFLOW OR WRAPAROUND CWE-190

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow local privilege escalation to the root user via arbitrary code execution.

CVE-2023-0179 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.52 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.

CVE-2023-0394 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.53 OUT-OF-BOUNDS WRITE CWE-787

A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2023-1073 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Only build and run applications from trusted sources.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and to follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

For more information see the associated Siemens security advisory SSA-831302 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Siemens SINAMICS Medium Voltage Products

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely / low attack complexity
Vendor: Siemens
Equipment: SINAMICS MV (medium voltage) products
Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Use After Free, Improper Authentication, OS Command Injection, Improper Certificate Validation, Improper Resource Shutdown or Release, Allocation of Resources Without Limits or Throttling, Incorrect Default Permissions, Improper Validation of Syntactic Correctness of Input, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to information leaks, denial of service, code execution, or grant access to an external user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following SINAMICS MV (medium voltage) products integrate the SCALANCE S615 device which contains these vulnerabilities:

SINAMICS GL150: all versions produced between Oct 2021 and May 2023 with the C68 option.
SINAMICS PERFECT HARMONY GH180 6SR5: all versions produced between Oct 2021 and May 2023 with installed SCALANCE S615 device.
SINAMICS SL150: all versions produced between Oct 2021 and May 2023 with the C68 option.

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

Zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVE-2018-25032 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds heap read in Busybox’s unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.

CVE-2021-42374 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H).

3.2.3 USE AFTER FREE CWE-416

Use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.

CVE-2021-42378 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.4 USE AFTER FREE CWE-416

Use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.

CVE-2021-42379 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.5 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.

CVE-2021-42380 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.6 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.

CVE-2021-42381 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.7 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.

CVE-2021-42382 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.8 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.

CVE-2021-42383 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.9 USE AFTER FREE CWE-416

Use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.

CVE-2021-42384 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.10 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.

CVE-2021-42385 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.11 USE AFTER FREE CWE-416

Use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.

CVE-2021-42386 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.12 IMPROPER AUTHENTICATION CWE-287

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

CVE-2022-0547 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.13 USE AFTER FREE CWE-416

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

CVE-2022-1199 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.14 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The c_rehash script does not properly sanitize shell metacharacters to prevent command injection.

CVE-2022-1292 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.15 IMPROPER CERTIFICATE VALIDATION CWE-295

Under certain circumstances, the command line OCSP verify function reports successful verification when the verification in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result.

CVE-2022-1343 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.16 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

The used OpenSSL version improperly reuses memory when decoding certificates or keys. This can lead to a process termination and denial of service for long lived processes.

CVE-2022-1473 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.17 USE AFTER FREE CWE-416

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

CVE-2022-23308 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.18 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A malicious server can serve excessive amounts of “Set-Cookie:” headers in an HTTP response to curl, and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies makes subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes), and curl instead returns an error. This denial state might remain for as long as the same cookies are kept, match and haven’t expired. Due to cookie matching rules, a server on “foo.example.com” can set cookies that also would match for “bar.example.com”, making it possible for a “sister server” to effectively cause a denial of service for a sibling site on the same second level domain using this method.

CVE-2022-32205 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

3.2.19 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

Curl < 7.84.0 supports “chained” HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable “links” in this “decompression chain” was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a “malloc bomb”, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

CVE-2022-32206 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).
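
A bounded decoder for chained Content-Encoding, added here as a Python example of the control the advisory implies (this is not curl's code): cap the number of links in the chain, stream each stage so output is cut off at a byte cap rather than allocated in full, and bound the expansion ratio relative to the bytes received. `MAX_CHAIN_LINKS`, `MAX_DECODED_BYTES`, `MAX_RATIO`, `decode_body` and `make_chained_response` are all constructed for this example, and the limit values are choices for the demonstration, not curl's own numbers.

```python
import gzip
import zlib

# Constructed limits for this example (not curl's values).
MAX_CHAIN_LINKS = 5                  # reject chains longer than this before decoding anything
MAX_DECODED_BYTES = 1 << 20          # 1 MiB output cap per stage, against malloc bombs
MAX_RATIO = 1000                     # reject if a stage's output exceeds 1000x the wire body


class DecompressionRejected(Exception):
    """Raised when the response violates one of the bounds above."""


def parse_content_encoding(header: str) -> list:
    """Split 'gzip, deflate' into the ordered list of codings the server applied."""
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]


def _decode_one(coding: str, data: bytes) -> bytes:
    """Decode a single link, streaming so a bomb is cut off at the output cap."""
    if coding in ("gzip", "x-gzip"):
        d = zlib.decompressobj(wbits=31)        # 31 = zlib auto-detect gzip wrapper
    elif coding == "deflate":
        d = zlib.decompressobj(wbits=15)        # zlib-wrapped deflate
    elif coding == "identity":
        return data
    else:
        raise DecompressionRejected(f"unsupported coding {coding!r}")
    # Ask for at most cap+1 bytes: if we get them, the stage is over the cap.
    out = d.decompress(data, MAX_DECODED_BYTES + 1)
    if len(out) > MAX_DECODED_BYTES or d.unconsumed_tail:
        raise DecompressionRejected("decoded size exceeds cap")
    out += d.flush()
    if len(out) > MAX_DECODED_BYTES:
        raise DecompressionRejected("decoded size exceeds cap")
    return out


def decode_body(content_encoding: str, body: bytes) -> bytes:
    """Undo a chained Content-Encoding. The header lists codings in the order the
    server applied them, so they are undone right-to-left, with bounds on the
    number of links, the output size of each stage and the expansion ratio."""
    chain = parse_content_encoding(content_encoding)
    if len(chain) > MAX_CHAIN_LINKS:
        raise DecompressionRejected(f"{len(chain)} codings exceed limit {MAX_CHAIN_LINKS}")
    data = body
    for coding in reversed(chain):
        data = _decode_one(coding, data)
        if len(data) > MAX_RATIO * max(len(body), 1):
            raise DecompressionRejected("expansion ratio exceeds cap")
    return data


def make_chained_response(payload: bytes, chain: list) -> bytes:
    """Constructed server side: apply codings in the order they will be listed."""
    data = payload
    for coding in chain:
        if coding == "gzip":
            data = gzip.compress(data)
        elif coding == "deflate":
            data = zlib.compress(data)
        else:
            raise ValueError(f"unsupported coding {coding!r}")
    return data
```

The per-stage cap matters more than the link limit: even a single gzip stage can expand a few kilobytes to gigabytes, so `_decode_one` never asks zlib for more than the cap plus one byte and treats any leftover input as a rejection.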

3.2.20 INCORRECT DEFAULT PERMISSIONS CWE-276

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

CVE-2022-32207 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
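
The permission-widening failure mode above is easiest to see beside its fix. The following Python is an added example, not curl's code: `naive_atomic_write` reproduces the described mechanism (a temporary file created with the process default mode and then renamed over a 0600 target), while `safe_atomic_write` creates the temporary file with `mkstemp` (0600), copies the existing target's mode bits onto it before the rename, and so can only keep or narrow the permissions. The function names and the cookie-jar scenario in `demo` are constructed.

```python
import os
import stat
import tempfile


def _current_umask() -> int:
    """Read the process umask without changing it (there is no read-only getter)."""
    cur = os.umask(0)
    os.umask(cur)
    return cur


def naive_atomic_write(path: str, data: bytes) -> int:
    """The failure mode described in the advisory, reproduced deliberately.

    open() creates the temp file with 0666 & ~umask (typically 0644). Renaming it
    over a target that was 0600 silently widens the permissions on the result.
    Returns the final mode bits for inspection.
    """
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)                  # atomic, but the mode comes from the temp file
    return stat.S_IMODE(os.stat(path).st_mode)


def safe_atomic_write(path: str, data: bytes, default_mode: int = 0o600) -> int:
    """Atomic replace that never widens permissions.

    mkstemp creates the temp file as 0600. If the target already exists, its mode
    bits are copied onto the temp file before the rename; otherwise the
    restrictive default is used. Returns the final mode bits.
    """
    directory = os.path.dirname(os.path.abspath(path))
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        mode = default_mode
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())          # data is durable before the rename makes it visible
        os.chmod(tmp, mode)                # set before the rename, so the file is never exposed
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Constructed scenario: a 0600 cookie jar is rewritten by both routines."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "cookies.txt")
        with open(jar, "wb") as fh:
            fh.write(b"# constructed cookie jar\n")
        os.chmod(jar, 0o600)
        widened = naive_atomic_write(jar, b"# rewritten naively\n")
        os.chmod(jar, 0o600)
        kept = safe_atomic_write(jar, b"# rewritten safely\n")
        return {"naive": widened, "safe": kept, "umask": _current_umask()}
```

With the usual umask of 022, `demo()` reports the naive result as 0644 and the safe result as 0600; under a umask of 077 the two happen to coincide, which is exactly why relying on the umask is not a fix.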

3.2.21 OUT-OF-BOUNDS WRITE CWE-787

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a man-in-the-middle attack to go unnoticed and even allows it to inject data to the client.

CVE-2022-32208 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.22 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might make the server return 400 responses, effectively allowing a “sister site” to deny service to all siblings.

CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
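
Both cookie issues above, the unbounded storage of CVE-2022-32205 and the control-code acceptance of CVE-2022-35252, come down to what a client checks before it stores a Set-Cookie value. This added Python example (not curl's code) shows an acceptance policy with both checks: reject any control octet (RFC 6265 excludes CTLs from cookie octets), enforce per-domain and global caps, and refuse a Domain attribute the responding host is not allowed to set. The jar layout, the limit constants, `accept_cookie` and the sample hosts are constructed. Note the advisory's sister-site point: a Domain=example.com cookie from foo.example.com legitimately applies to bar.example.com, so it is the caps, not the domain check, that bound the damage a sibling can do.

```python
import re

# Constructed policy limits for this example (not curl's numbers).
MAX_COOKIES_PER_DOMAIN = 50
MAX_COOKIES_TOTAL = 300
MAX_COOKIE_BYTES = 4096

# RFC 6265 cookie-octets exclude CTLs; any of these in the header is a rejection.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


class CookieRejected(ValueError):
    """Raised when a Set-Cookie value fails the acceptance policy."""


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value into name, value and lowercase attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    if not parts or "=" not in parts[0]:
        raise CookieRejected("missing name=value pair")
    name, value = parts[0].split("=", 1)
    name, value = name.strip(), value.strip()
    if not name:
        raise CookieRejected("empty cookie name")
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            k, v = attr.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif attr:
            attrs[attr.lower()] = ""
    return {"name": name, "value": value, "attrs": attrs}


def accept_cookie(jar: dict, response_host: str, header_value: str) -> dict:
    """Apply the checks before storing. The jar is {domain: {name: value}}."""
    if _CTL.search(header_value):
        raise CookieRejected("control character in Set-Cookie")       # CWE-1286
    if len(header_value.encode()) > MAX_COOKIE_BYTES:
        raise CookieRejected("cookie exceeds byte limit")             # CWE-770
    c = parse_set_cookie(header_value)
    domain = c["attrs"].get("domain", response_host).lstrip(".").lower()
    # A host may set cookies for itself or a parent domain. A real client also
    # consults the public suffix list so that e.g. Domain=com is refused.
    if not (response_host == domain or response_host.endswith("." + domain)):
        raise CookieRejected(f"{response_host} may not set cookies for {domain}")
    bucket = jar.setdefault(domain, {})
    total = sum(len(b) for b in jar.values())
    if c["name"] not in bucket:                                        # replacing is always fine
        if len(bucket) >= MAX_COOKIES_PER_DOMAIN:
            raise CookieRejected("per-domain cookie cap reached")      # CWE-770
        if total >= MAX_COOKIES_TOTAL:
            raise CookieRejected("global cookie cap reached")          # CWE-770
    bucket[c["name"]] = c["value"]
    return c
```

Replacing an existing cookie is exempt from the caps so a legitimate server can keep refreshing its session cookie even when the jar is full; only new names count against the limits.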

3.2.23 IMPROPER INPUT VALIDATION CWE-20

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

CVE-2022-36946 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Water and Wastewater Systems

COUNTRIES/AREAS DEPLOYED: Worldwide

COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends updating the firmware of the integrated SCALANCE S615 device to the latest version. Siemens recommends specific countermeasures for products where the firmware update is not, or not yet, applied:

Update the firmware of the integrated SCALANCE S615 device to V7.2 or later.

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Restrict physical access to the affected drives, including the Ethernet port on the front of the control door.
Disconnect any direct network connection to the integrated SCALANCE S615 device.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-942865 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely and have low attack complexity.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

SUBNET PowerSYSTEM Center

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SUBNET Solutions Inc.
Equipment: PowerSYSTEM Center
Vulnerabilities: Cross-site Scripting, Authentication Bypass by Capture-replay

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to upload malicious scripts or perform a denial-of-service type attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SUBNET PowerSYSTEM Center, a multi-function management platform, are affected:

PowerSYSTEM Center: 2020 U10 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications.

CVE-2023-32659 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L). 

3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity.

CVE-2023-29158 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

SUBNET Solutions reported these vulnerabilities to CISA.

4. MITIGATIONS

SUBNET Solutions has fixed these issues by enabling a file integrity check on uploaded images and anti-forgery tokens to prevent replay attacks. The fix was introduced in PowerSYSTEM Center update 12 as well as Update 8+Hotfix (both identified by release number 5.12.2305.10101, which can be located in Settings → Overview → Version).

SUBNET Solutions recommends users follow these workarounds:

Users should verify that SVG files do not contain HTML elements or scripts and validate that JPG and PNG files are not SVG files.
Users should verify network security rules to ensure that outbound connections to the internet are not possible.
If the above cannot be performed or notifications are not required, disable email notifications for reports from PowerSYSTEM Center.
Monitor user activity and ensure application control rules only allow preauthorized executables to run.
Prevent users from running other executables on client access servers (the PowerSYSTEM Center front-end access point).

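The first workaround above (SVG files must not contain HTML elements or scripts, and JPG/PNG uploads must not actually be SVG) can be checked mechanically before a report header graphic is accepted. The following Python is an added example and not SUBNET's code: `sniff_type` classifies an upload by its PNG/JPEG magic bytes rather than its extension, and `svg_findings` parses the SVG and reports script elements, HTML embedding via foreignObject and similar elements, event-handler attributes, script/data URLs, and any DOCTYPE (the carrier for entity-expansion bombs). The forbidden-element list, the function names and all sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Elements that let an SVG carry script or embedded HTML. Constructed list for this
# example; a production filter would use an allow-list of drawing elements instead.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "style"}
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data):", re.I)


def sniff_type(data: bytes) -> str:
    """Classify content by its bytes, never by the file extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or b"<svg" in head:
        return "svg"
    return "unknown"


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG is unsafe; an empty list means it passed."""
    findings = []
    if b"<!doctype" in data[:2048].lower():
        # An image never needs a DTD, and a DTD is how entity-expansion bombs arrive.
        findings.append("DOCTYPE declaration not allowed")
        return findings
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()          # drop the namespace prefix
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, val in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):                     # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and SCRIPT_URL.match(val):
                findings.append(f"{name} uses a script or data URL on <{tag}>")
    return findings


def validate_upload(filename: str, data: bytes) -> list:
    """Accept only PNG, JPEG or SVG whose bytes match the extension; SVG must also be inert."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "svg": "svg"}.get(ext)
    if declared is None:
        return [f"extension .{ext} not allowed"]
    actual = sniff_type(data)
    if actual != declared:
        return [f"content sniffs as {actual}, not {declared}"]
    return svg_findings(data) if actual == "svg" else []
```

Because the findings are returned rather than raised, an upload handler can log every reason a file was refused, which is what an operator needs when a legitimate designer's SVG trips the filter.
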
CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Siemens Solid Edge

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

Solid Edge SE2023: All versions prior to V223.0 Update 5

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

Open Design Alliance Drawings SDK (versions before 2024.1) is vulnerable to an out-of-bounds read when reading a DWG file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-26495 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned. The CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Solid Edge SE2023: Update to V223.0 Update 5 or later version
Solid Edge SE2023: Avoid opening untrusted files from unknown sources in Solid Edge

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact Siemens.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-975766 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.