Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. (CVSS:0.0) (Last Update:2023-02-03)
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. (CVSS:0.0) (Last Update:2023-02-03)
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE X-200, X-200IRT, and X-300 Switch Families
Vulnerabilities: Integer Overflow or Wraparound
Successful exploitation of these vulnerabilities could lead to memory corruption.
Siemens reports these vulnerabilities affect the following SCALANCE Switch Family products:
SCALANCE X200-4P IRT (6GK5200-4AH00-2BA3): All versions prior to V5.5.2
SCALANCE X201-3P IRT (6GK5201-3BH00-2BA3): All versions prior to V5.5.2
SCALANCE X201-3P IRT PRO (6GK5201-3JR00-2BA6): All versions prior to V5.5.2
SCALANCE X202-2IRT (6GK5202-2BB00-2BA3): All versions prior to V5.5.2
SCALANCE X202-2IRT (6GK5202-2BB10-2BA3): All versions prior to V5.5.2
SCALANCE X202-2P IRT (6GK5202-2BH00-2BA3): All versions prior to V5.5.2
SCALANCE X202-2P IRT PRO (6GK5202-2JR00-2BA6): All versions prior to V5.5.2
SCALANCE X204-2 (6GK5204-2BB10-2AA3): All versions prior to V5.2.6
SCALANCE X204-2FM (6GK5204-2BB11-2AA3): All versions prior to V5.2.6
SCALANCE X204-2LD (6GK5204-2BC10-2AA3): All versions prior to V5.2.6
SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2): All versions prior to V5.2.6
SCALANCE X204-2TS (6GK5204-2BB10-2CA2): All versions prior to V5.2.6
SCALANCE X204IRT (6GK5204-0BA00-2BA3): All versions prior to V5.5.2
SCALANCE X204IRT (6GK5204-0BA10-2BA3): All versions prior to V5.5.2
SCALANCE X204IRT PRO (6GK5204-0JA00-2BA6): All versions prior to V5.5.2
SCALANCE X206-1 (6GK5206-1BB10-2AA3): All versions prior to V5.2.6
SCALANCE X206-1LD (6GK5206-1BC10-2AA3): All versions prior to V5.2.6
SCALANCE X208 (6GK5208-0BA10-2AA3): All versions prior to V5.2.6
SCALANCE X208PRO (6GK5208-0HA10-2AA6): All versions prior to V5.2.6
SCALANCE X212-2 (6GK5212-2BB00-2AA3): All versions prior to V5.2.6
SCALANCE X212-2LD (6GK5212-2BC00-2AA3): All versions prior to V5.2.6
SCALANCE X216 (6GK5216-0BA00-2AA3): All versions prior to V5.2.6
SCALANCE X224 (6GK5224-0BA00-2AA3): All versions prior to V5.2.6
SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3): All versions
SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3): All versions
SCALANCE X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3): All versions
SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3): All versions
SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3): All versions
SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3): All versions
SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3): All versions
SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3): All versions
SCALANCE X304-2FE (6GK5304-2BD00-2AA3): All versions
SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3): All versions
SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3): All versions
SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3): All versions
SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3): All versions
SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3): All versions
SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3): All versions
SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3): All versions
SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3): All versions
SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3): All versions
SCALANCE X307-3 (6GK5307-3BL00-2AA3): All versions
SCALANCE X307-3 (6GK5307-3BL10-2AA3): All versions
SCALANCE X307-3LD (6GK5307-3BM00-2AA3): All versions
SCALANCE X307-3LD (6GK5307-3BM10-2AA3): All versions
SCALANCE X308-2 (6GK5308-2FL00-2AA3): All versions
SCALANCE X308-2 (6GK5308-2FL10-2AA3): All versions
SCALANCE X308-2LD (6GK5308-2FM00-2AA3): All versions
SCALANCE X308-2LD (6GK5308-2FM10-2AA3): All versions
SCALANCE X308-2LH (6GK5308-2FN00-2AA3): All versions
SCALANCE X308-2LH (6GK5308-2FN10-2AA3): All versions
SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3): All versions
SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3): All versions
SCALANCE X308-2M (6GK5308-2GG00-2AA2): All versions
SCALANCE X308-2M (6GK5308-2GG10-2AA2): All versions
SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2): All versions
SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2): All versions
SCALANCE X308-2M TS (6GK5308-2GG00-2CA2): All versions
SCALANCE X308-2M TS (6GK5308-2GG10-2CA2): All versions
SCALANCE X310 (6GK5310-0FA00-2AA3): All versions
SCALANCE X310 (6GK5310-0FA10-2AA3): All versions
SCALANCE X310FE (6GK5310-0BA00-2AA3): All versions
SCALANCE X310FE (6GK5310-0BA10-2AA3): All versions
SCALANCE X320-1 FE (6GK5320-1BD00-2AA3): All versions
SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3): All versions
SCALANCE X408-2 (6GK5408-2FD00-2AA2): All versions
SCALANCE XF201-3P IRT (6GK5201-3BH00-2BD2): All versions prior to V5.5.2
SCALANCE XF202-2P IRT (6GK5202-2BH00-2BD2): All versions prior to V5.5.2
SCALANCE XF204 (6GK5204-0BA00-2AF2): All versions prior to V5.2.6
SCALANCE XF204-2 (6GK5204-2BC00-2AF2): All versions prior to V5.2.6
SCALANCE XF204-2BA IRT (6GK5204-2AA00-2BD2): All versions prior to V5.5.2
SCALANCE XF204IRT (6GK5204-0BA00-2BF2): All versions prior to V5.5.2
SCALANCE XF206-1 (6GK5206-1BC00-2AF2): All versions prior to V5.2.6
SCALANCE XF208 (6GK5208-0BA00-2AF2): All versions prior to V5.2.6
SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2): All versions
SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2): All versions
SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2): All versions
SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2): All versions
SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2): All versions
SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2): All versions
SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2): All versions
SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2): All versions
SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2): All versions
SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2): All versions
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2): All versions
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2): All versions
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2): All versions
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2): All versions
SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2): All versions
SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2): All versions
SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2): All versions
SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2): All versions
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2): All versions
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2): All versions
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2): All versions
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2): All versions
SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2): All versions
SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2): All versions
SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2): All versions
SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2): All versions
SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2): All versions
SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2): All versions
SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2): All versions
SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2): All versions
SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2): All versions
SIPLUS NET SCALANCE X202-2P IRT (6AG1202-2BH00-2BA3): All versions prior to V5.5.2
SIPLUS NET SCALANCE X308-2 (6AG1308-2FL10-4AA3): All versions
3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190
In Wind River VxWorks, the memory allocator has a possible overflow in calculating the memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVE-2020-28895 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190
In Wind River VxWorks, the memory allocator has a possible integer overflow in calculating a memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVE-2020-35198 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Siemens reported these vulnerabilities to CISA.
Siemens has released a new firmware version for SCALANCE X-200 and X-200 IRT switches that address “Bad Alloc” vulnerabilities in the underlying operating system and recommends updating to the latest versions. Siemens recommends countermeasures for products where updates are not, or not yet available:
Update to V5.2.6 or later version.
Update to V5.5.2 or later version.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and to follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens Industrial Security web page.
For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT.
For more information, see the associated Siemens security advisory SSA-813746 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric India
Equipment: GC-ENET-COM
Vulnerability: Signal Handler Race Condition
Successful exploitation of this vulnerability could lead to a communication error and may result in a denial-of-service condition.
The following versions of Mitsubishi Electric India Ethernet communication Extension unit GC-ENET-COM, are affected:
Mitsubishi Electric India GC-ENET-COM: Models with the beginning serial number 16XXXXXXXXX.
3.2.1 SIGNAL HANDLER RACE CONDITION CWE-364
A vulnerability exists in the Ethernet communication Extension unit (GC-ENET-COM) of GOC35 series due to a signal handler race condition. If a malicious attacker sends a large number of specially crafted packets, communication errors could occur and could result in a denial-of-service condition when GC-ENET-COM is configured as a Modbus TCP Server.
CVE-2023-1285 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: India
Faruk Kazi and Parul Sindhwad of COE-CNDS lab, VJTI, Mumbai India, reported these vulnerabilities to Mitsubishi Electric India.
Mitsubishi Electric India has released the following countermeasure/mitigation:
The firmware of Extension unit GC-ENET-COM where the first 2 digits of the 11-digit serial number starting with “17” have been fixed. The firmware update in Extension unit GC-ENET-COM is only available from the vendor. Users should contact a local Mitsubishi Electric India representative.
Mitsubishi Electric India recommends users take the following mitigations to minimize the risk of attackers exploiting this vulnerability if the mentioned countermeasures cannot be implemented.
Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
Locate control system networks and remote devices behind firewalls and isolate them from the business network to restrict access from untrusted networks and hosts.
Restrict physical access to your computer and network equipment on the same network.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: CPCI85 Firmware of SICAM A8000 Devices
Vulnerability: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution.
The following software from Siemens is affected:
CP-8031 MASTER MODULE (6MF2803-1AA00): All versions prior to CPCI85 V05
CP-8050 MASTER MODULE (6MF2805-0AA00): All versions prior to CPCI85 V05
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
Affected devices are vulnerable to command injection via the web server port 443/TCP if the parameter “Remote Operation” is enabled; this parameter is disabled by default. This vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.
CVE-2023-28489 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Steffen Robertz, Gerhard Hechenberger, Stefan Viehböck, Christian Hager, and Gorazd Jank from SEC Consult Vulnerability Lab on behalf of Netz Niederösterreich GmbH, EVN Gruppe reported this vulnerability to Siemens.
Siemens has released updates for the affected products and recommends updating to the latest versions:
CP-8050 MASTER MODULE (6MF2805-0AA00): Update to CPCI85 V05 or later.
CP-8031 MASTER MODULE (6MF2803-1AA00): Update to CPCI85 V05 or later.
Siemens has identified the following specific workarounds and mitigations userscan apply to reduce the risk:
Limit access to the web server on port 80/TCP and 443/TCP with an external firewall.
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. Siemens recommends that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design. Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product.
Siemens recommends that operators:
Apply provided security updates using the corresponding tooling and documented procedures made available with the product.
Automatically apply security updates across multiple product instances. If supported by the product, operators may use an automated means to apply the security updates across multiple product instances may be used.
Validate any security update before being applied. It is recommended to perform the update process under the supervision of trained staff in the target environment.
Protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN) as a general security measure.
Recommended security guidelines can be found at the Siemens web page for Grid Security.
For more information, see the associated Siemens security advisory SSA-472454 in HTML and CSAF.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Industrial Products
Vulnerabilities: Use After Free, Deadlock, Allocation of Resources Without Limits or Throttling
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.
The following software from Siemens is affected:
SIMATIC CP 1242-7 V2 (6GK7242-7KX31-0XE0): All versions
SIMATIC CP 1243-1 (6GK7243-1BX30-0XE0): All versions
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants): All versions
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants): All versions
SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0): All versions
SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0): All versions
SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): All versions
SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0): All versions
SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0): All versions
SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0): All versions
SIMATIC CP 443-1 (6GK7443-1EX30-0XE0): All versions prior to V3.3
SIMATIC CP 443-1 (6GK7443-1EX30-0XE1): All versions prior to V3.3
SIMATIC CP 443-1 Advanced (6GK7443-1GX30-0XE0): All versions prior to V3.3
SIMATIC IPC DiagBase: All versions
SIMATIC IPC DiagMonitor: All versions
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0): All versions
SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0): All versions
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0): All versions
SIPLUS NET CP 1242-7 V2 (6AG1242-7KX31-7XE0): All versions
SIPLUS NET CP 443-1 (6AG1443-1EX30-4XE0): All versions prior to V3.3
SIPLUS NET CP 443-1 Advanced (6AG1443-1GX30-4XE0): All versions prior to V3.3
SIPLUS S7-1200 CP 1243-1 (6AG1243-1BX30-2AX0): All versions
SIPLUS S7-1200 CP 1243-1 RAIL (6AG2243-1BX30-1XE0): All versions
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): All versions prior to V2.3.6
TIM 1531 IRC (6GK7543-1MX00-0XE0): All versions prior to V2.3.6
3.2.1 USE AFTER FREE CWE-416
The webserver of the affected products contains a vulnerability that may lead to a denial-of-service condition. An attacker could cause a denial-of-service condition, which would lead to a restart of the webserver of the affected product.
CVE-2022-43716 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.2 DEADLOCK CWE-833
The webserver of the affected products contains a vulnerability that could lead to a denial-of-service condition. An attacker could cause a denial-of-service condition of the webserver of the affected product.
CVE-2022-43767 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.3 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
The webserver of the affected products contains a vulnerability that may lead to a denial-of-service condition. An attacker could cause a denial-of-service condition of the webserver of the affected product.
CVE-2022-43768 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Siemens reported these vulnerabilities to CISA.
Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available:
SIMATIC CP 443-1 (6GK7443-1EX30-0XE0): Update to V3.3 or later version
SIMATIC CP 443-1 (6GK7443-1EX30-0XE1): Update to V3.3 or later version
SIMATIC CP 443-1 Advanced (6GK7443-1GX30-0XE0): Update to V3.3 or later version
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): Update to V2.3.6 or later version
TIM 1531 IRC (6GK7543-1MX00-0XE0): Update to V2.3.6 or later version
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
Restrict access to the web interface of the affected products—if deactivation unsupported by the product.
Deactivate the webserver if not required and if deactivation is supported by the product.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ Operational Guidelines for Industrial Security and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found on the Siemens webpage for Industrial Security.
For further inquiries on security vulnerabilities in Siemens’ products and solutions, users should contact the Siemens ProductCERT.
For more information, see the associated Siemens security advisory SSA-566905 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target these vulnerabilities.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIPROTEC 5 Devices
Vulnerability: NULL Pointer Dereference
Successful exploitation of this vulnerability could cause a denial-of-service condition of the target device.
The following software from Siemens is affected:
SIPROTEC 5 6MD85 (CP200): All versions (v)
SIPROTEC 5 6MD85 (CP300): All versions prior to v9.40
SIPROTEC 5 6MD86 (CP200): All versions
SIPROTEC 5 6MD86 (CP300): All versions prior to v9.40
SIPROTEC 5 6MD89 (CP300): All versions
SIPROTEC 5 6MU85 (CP300): All versions prior to v9.40
SIPROTEC 5 7KE85 (CP200): All versions
SIPROTEC 5 7KE85 (CP300): All versions prior to v9.40
SIPROTEC 5 7SA82 (CP100): All versions
SIPROTEC 5 7SA82 (CP150): All versions prior to v9.40
SIPROTEC 5 7SA84 (CP200): All versions
SIPROTEC 5 7SA86 (CP200): All versions
SIPROTEC 5 7SA86 (CP300): All versions prior to v9.40
SIPROTEC 5 7SA87 (CP200): All versions
SIPROTEC 5 7SA87 (CP300): All versions prior to v9.40
SIPROTEC 5 7SD82 (CP100): All versions
SIPROTEC 5 7SD82 (CP150): All versions prior to v9.40
SIPROTEC 5 7SD84 (CP200): All versions
SIPROTEC 5 7SD86 (CP200): All versions
SIPROTEC 5 7SD86 (CP300): All versions prior to v9.40
SIPROTEC 5 7SD87 (CP200): All versions
SIPROTEC 5 7SD87 (CP300): All versions prior to v9.40
SIPROTEC 5 7SJ81 (CP100): All versions
SIPROTEC 5 7SJ81 (CP150): All versions prior to v9.40
SIPROTEC 5 7SJ82 (CP100): All versions
SIPROTEC 5 7SJ82 (CP150): All versions prior to v9.40
SIPROTEC 5 7SJ85 (CP200): All versions
SIPROTEC 5 7SJ85 (CP300): All versions prior to v9.40
SIPROTEC 5 7SJ86 (CP200): All versions
SIPROTEC 5 7SJ86 (CP300): All versions prior to v9.40
SIPROTEC 5 7SK82 (CP100): All versions
SIPROTEC 5 7SK82 (CP150): All versions prior to v9.40
SIPROTEC 5 7SK85 (CP200): All versions
SIPROTEC 5 7SK85 (CP300): All versions prior to v9.40
SIPROTEC 5 7SL82 (CP100): All versions
SIPROTEC 5 7SL82 (CP150): All versions prior to v9.40
SIPROTEC 5 7SL86 (CP200): All versions
SIPROTEC 5 7SL86 (CP300): All versions prior to v9.40
SIPROTEC 5 7SL87 (CP200): All versions
SIPROTEC 5 7SL87 (CP300): All versions prior to v9.40
SIPROTEC 5 7SS85 (CP200): All versions
SIPROTEC 5 7SS85 (CP300): All versions prior to v9.40
SIPROTEC 5 7ST85 (CP200): All versions
SIPROTEC 5 7ST85 (CP300): All versions
SIPROTEC 5 7ST86 (CP300): All versions prior to v9.40
SIPROTEC 5 7SX82 (CP150): All versions prior to v9.40
SIPROTEC 5 7SX85 (CP300): All versions prior to v9.40
SIPROTEC 5 7UM85 (CP300): All versions prior to v9.40
SIPROTEC 5 7UT82 (CP100): All versions
SIPROTEC 5 7UT82 (CP150): All versions prior to v9.40
SIPROTEC 5 7UT85 (CP200): All versions
SIPROTEC 5 7UT85 (CP300): All versions prior to v9.40
SIPROTEC 5 7UT86 (CP200): All versions
SIPROTEC 5 7UT86 (CP300): All versions prior to v9.40
SIPROTEC 5 7UT87 (CP200): All versions
SIPROTEC 5 7UT87 (CP300): All versions prior to v9.40
SIPROTEC 5 7VE85 (CP300): All versions prior to v9.40
SIPROTEC 5 7VK87 (CP200): All versions
SIPROTEC 5 7VK87 (CP300): All versions prior to v9.40
SIPROTEC 5 7VU85 (CP300): All versions prior to v9.40
SIPROTEC 5 Communication Module ETH-BA-2EL: All versions prior to v9.40
SIPROTEC 5 Communication Module ETH-BB-2FO: All versions prior to v9.40
SIPROTEC 5 Communication Module ETH-BD-2FO: All versions prior to v9.40
SIPROTEC 5 Compact 7SX800 (CP050): All versions prior to v9.40
3.2.1 NULL POINTER DEREFERENCE CWE-476
Affected devices lack proper validation of HTTP request parameters of the hosted web service. An unauthenticated remote attacker could send specially crafted packets that could cause a denial-of-service condition of the target device.
CVE-2023-28766 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Turek Witold from Polskie Sieci Elektroenergetyczne S.A reported this vulnerability to Siemens.
Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available:
SIPROTEC 5 6MD85 (CP300): Update to v9.40 or later
SIPROTEC 5 6MD86 (CP300): Update to v9.40 or later
SIPROTEC 5 6MU85 (CP300): Update to v9.40 or later
SIPROTEC 5 7KE85 (CP300): Update to v9.40 or later
SIPROTEC 5 7SA82 (CP150): Update to v9.40 or later
SIPROTEC 5 7SA86 (CP300): Update to v9.40 or later
SIPROTEC 5 7SA87 (CP300): Update to v9.40 or later
SIPROTEC 5 7SD82 (CP150): Update to v9.40 or later
SIPROTEC 5 7SD86 (CP300): Update to v9.40 or later
SIPROTEC 5 7SD87 (CP300): Update to v9.40 or later
SIPROTEC 5 7SJ81 (CP150): Update to v9.40 or later
SIPROTEC 5 7SJ82 (CP150): Update to v9.40 or later
SIPROTEC 5 7SJ85 (CP300): Update to v9.40 or later
SIPROTEC 5 7SJ86 (CP300): Update to v9.40 or later
SIPROTEC 5 7SK82 (CP150): Update to v9.40 or later
SIPROTEC 5 7SK85 (CP300): Update to v9.40 or later
SIPROTEC 5 7SL82 (CP150): Update to v9.40 or later
SIPROTEC 5 7SL86 (CP300): Update to v9.40 or later
SIPROTEC 5 7SL87 (CP300): Update to v9.40 or later
SIPROTEC 5 7SS85 (CP300): Update to v9.40 or later
SIPROTEC 5 7ST86 (CP300): Update to v9.40 or later
SIPROTEC 5 7SX82 (CP150): Update to v9.40 or later
SIPROTEC 5 7SX85 (CP300): Update to v9.40 or later
SIPROTEC 5 7UM85 (CP300): Update to v9.40 or later
SIPROTEC 5 7UT82 (CP150): Update to v9.40 or later
SIPROTEC 5 7UT85 (CP300): Update to v9.40 or later
SIPROTEC 5 7UT86 (CP300): Update to v9.40 or later
SIPROTEC 5 7UT87 (CP300): Update to v9.40 or later
SIPROTEC 5 7VE85 (CP300): Update to v9.40 or later
SIPROTEC 5 7VK87 (CP300): Update to v9.40 or later
SIPROTEC 5 7VU85 (CP300): Update to v9.40 or later
SIPROTEC 5 Communication Module ETH-BA-2EL: Update to v9.40 or later
SIPROTEC 5 Communication Module ETH-BB-2FO: Update to v9.40 or later
SIPROTEC 5 Communication Module ETH-BD-2FO: Update to v9.40 or later
SIPROTEC 5 Compact 7SX800 (CP050): Update to v9.40 or later
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:
Block access to port 4443/TCP e.g. with an external firewall
Worldwide regulations for critical power systems (e.g. TSOs or DSOs) usually require multi-level redundant secondary protection schemes to build resilience into power grids. It is recommended that operators check whether appropriate resilient protection measures are in place to minimize the risk of cyber incidents impacting the grid’s reliability.
Siemens recommends that operators:
Apply provided security updates using the corresponding tooling and documented procedures made available with the product.
Automatically apply security updates across multiple product instances if automation is supported by the product.
Validate any security update before being applied. It is recommended to perform the update process under the supervision of trained staff in the target environment.
Protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN) as a general security measure.
In order to run the devices in a protected IT environment, it is advised to configure the environment according to Siemens operational guidelines.
Recommended security guidelines can be found at Siemens’ grid security page.
For more information, see the associated Siemens security advisory SSA-322980 in HTML and CSAF.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE XCM332
Vulnerabilities: Allocation of Resources Without Limits or Throttling, Use After Free, Concurrent Execution Using Shared Resource with Improper Synchronization (‘Race Condition’), Incorrect Default Permissions, Out-of-bounds Write, and Improper Validation of Syntactic Correctness of Input
Successful exploitation of these vulnerabilities could cause a denial-of-service condition, code execution, data injection, and allow unauthorized access.
The following software from Siemens is affected:
SCALANCE XCM332 (6GK5332-0GA01-2AC2): Versions prior to 2.2
3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
In versions of libtirpc prior to 1.3.3rc1, remote attackers could exhaust the file descriptors of a process using libtirpc due to mishandling of idle TCP connections. This could lead to an svc_run infinite loop without accepting new connections.
CVE-2021-46828 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.2 USE AFTER FREE CWE-416
Linux Kernel could allow a local attacker to leverage a concurrency use-after-free flaw in the bad_flp_intr function to execute arbitrary code. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system.
CVE-2022-1652 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.3 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362
A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives, such as kernel address information leak and arbitrary execution.
CVE-2022-1729 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.4 USE AFTER FREE CWE-416
A use-after-free in Busybox 1.35-x’s awk applet leads to a denial-of-service condition and possible code execution when processing a crafted awk pattern in the copyvar function.
CVE-2022-30065 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.5 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
A malicious server can serve excessive amounts of “Set-Cookie:” headers in a HTTP response to curl and curl < 7.84.0, which stores all of them. A sufficiently large amount of cookies could make subsequent HTTP requests to this, or other servers to which the cookies match, create requests larger than the threshold curl uses internally to avoid sending excessively large requests (1048576 bytes), and instead returns an error. This denial state might remain for as long as the same cookies are kept, match, and haven’t expired. Due to cookie matching rules, a server on “foo.example.com” can set cookies that also would match for “bar.example.com”, making it possible for a “sister server” to cause a denial-of-service condition for a sibling site on the same second level domain using this method.
CVE-2022-32205 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
3.2.6 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
Versions of curl < 7.84.0 support “chained” HTTP compression algorithms, where a server response can be compressed multiple times with potentially different algorithms. The number of acceptable “links” in this “decompression chain” was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps; this could result in a “malloc bomb,” making curl spend enormous amounts of allocated heap memory, or trying to, and returning out of memory errors.
CVE-2022-32206 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).
3.2.7 INCORRECT DEFAULT PERMISSIONS CWE-276
When curl < 7.84.0 saves cookies, alt-svc, and hsts data to local files, it finalizes the operation with a rename from a temporary name to the final target file name, making the operation atomic. In this rename operation, these versions of curl might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.
CVE-2022-32207 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.8 OUT-OF-BOUNDS WRITE CWE-787
When curl < 7.84.0 performs file transfer protocol (FTP) transfers secured by krb5, it does not handle message verification failures correctly; it is possible for a machine-in-the-middle attack to go unnoticed and allows injection of data into the client.
CVE-2022-32208 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.9 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that, when are later sent back to a HTTP server, might make the server return 400 responses. This could allow a “sister site” to deny service to all sibling sites.
CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.10 USE AFTER FREE CWE-416
Versions of libexpat before 2.4.9 have a use-after-free vulnerability in the doContent function in xmlparse.c.
CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Siemens reported these vulnerabilities to CISA.
Siemens has released an update for the SCALANCE XCM332 and recommends updating to the latest version:
SCALANCE XCM332 (6GK5332-0GA01-2AC2): Update to V2.2 or later version
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at the Siemens Industrial Security web page.
For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT.
For more information see the associated Siemens security advisory SSA-558014 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target these vulnerabilities.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
CVSS v3 5.3
ATTENTION: Exploitable remotely/high attack complexity
Vendor: Siemens
Equipment: Polarion ALM
Vulnerability: Improper Restriction of XML External Entity Reference
Successful exploitation of this vulnerability may allow an attacker to potentially disclose confidential data.
The following Siemens Polarion ALM products are affected:
Polarion ALM: all versions prior to V2304.0
3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
The application contains an XML external entity injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
CVE-2023-28828 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Cale Anderson reported this vulnerability to Siemens.
Siemens has released an update for Polarion ALM and recommends updating to the latest version (V2304.0), as well as updating specific configurations to mitigate against the vulnerability. The configuration changes to mitigate this vulnerability will be default in Polarion V2304 and later versions.
Siemens recommends setting configurations as listed in SSA-632164 to mitigate against external entity injection in OpenSAML 4.x parser. This will be included by default in Polarion V2304 and later versions.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at the Siemens Industrial Security web page.
For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT.
For more information, see the associated Siemens security advisory SSA-632164 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has a high attack complexity.
CVSS v3 6.7
ATTENTION: Exploitable with adjacent access
Vendor: Siemens
Equipment: SCALANCE X-200IRT Devices
Vulnerability: Inadequate Encryption Strength
Successful exploitation of this vulnerability could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device.
The following software from Siemens is affected:
SCALANCE X200-4P IRT (6GK5200-4AH00-2BA3): All versions prior to V5.5.2
SCALANCE X201-3P IRT (6GK5201-3BH00-2BA3): All versions prior to V5.5.2
SCALANCE X201-3P IRT PRO (6GK5201-3JR00-2BA6): All versions prior to V5.5.2
SCALANCE X202-2IRT (6GK5202-2BB00-2BA3): All versions prior to V5.5.2
SCALANCE X202-2IRT (6GK5202-2BB10-2BA3): All versions prior to V5.5.2
SCALANCE X202-2P IRT (6GK5202-2BH00-2BA3): All versions prior to V5.5.2
SCALANCE X202-2P IRT PRO (6GK5202-2JR00-2BA6): All versions prior to V5.5.2
SCALANCE X204IRT (6GK5204-0BA00-2BA3): All versions prior to V5.5.2
SCALANCE X204IRT (6GK5204-0BA10-2BA3): All versions prior to V5.5.2
SCALANCE X204IRT PRO (6GK5204-0JA00-2BA6): All versions prior to V5.5.2
SCALANCE XF201-3P IRT (6GK5201-3BH00-2BD2): All versions prior to V5.5.2
SCALANCE XF202-2P IRT (6GK5202-2BH00-2BD2): All versions prior to V5.5.2
SCALANCE XF204-2BA IRT (6GK5204-2AA00-2BD2): All versions prior to V5.5.2
SCALANCE XF204IRT (6GK5204-0BA00-2BF2): All versions prior to V5.5.2
SIPLUS NET SCALANCE X202-2P IRT (6AG1202-2BH00-2BA3): All versions prior to V5.5.2
3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326
The secure shell (SSH) server on affected devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device.
CVE-2023-29054 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Siemens reported this vulnerability to CISA.
Siemens has released updates for the affected products and recommends updating to the latest versions:
Update all affected products to V5.5.2 or later.
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk identified in the vulnerability overview:
Configure the SSH clients to use strong key exchange ciphers.
Add only trusted SSH client public keys to the responding operating system (ROS) and allow access to those clients only.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information, see the associated Siemens security advisory SSA-479249 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.