
Siemens SCALANCE LPE9403

1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE LPE9403
Vulnerabilities: Command Injection, Creation of Temporary File with Insecure Permissions, Path Traversal, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain root access to the device or create a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to 2.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as root.

CVE-2023-27407 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 CREATION OF TEMPORARY FILE WITH INSECURE PERMISSIONS CWE-378

The `i2c` mutex file is created with the permission bits `-rw-rw-rw-`. This file is used as a mutex for multiple applications interacting with i2c. This could allow an authenticated attacker with access to the secure shell (SSH) interface on the affected device to interfere with the integrity of the mutex and the data it protects.

CVE-2023-27408 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
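To show what the permission bits in 3.2.2 mean in practice, the following Python is an added example and not Siemens code: it audits a lock file for the group-writable, world-writable and symlink conditions, and shows how to create one that only its owner can write. The file names and the temporary directory are constructed for the demonstration; the real `i2c` mutex path on the device is not given on the page.

```python
import os
import stat
import tempfile


def audit_lock_file(path: str) -> list:
    """Explain why a lock/mutex file at `path` can be tampered with.

    Returns a list of finding strings (empty when the file looks sane).
    A file created -rw-rw-rw- (0666), as in the advisory, yields two findings.
    """
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink: whoever controls the link chooses the real lock file")
    if mode & stat.S_IWOTH:
        findings.append("world-writable (%04o): any local user can hold or corrupt the mutex" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (%04o): every group member can hold or corrupt the mutex" % mode)
    return findings


def open_lock_file(path: str) -> int:
    """Open (creating if absent) a lock file that only its owner can write.

    Creation uses an explicit 0o600 (umask can only narrow it), O_NOFOLLOW
    refuses a planted symlink, and the fstat() check rejects a pre-existing
    file owned by someone else or writable by group/other. Returns the fd;
    a caller would then flock() it.
    """
    flags = os.O_RDWR | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    st = os.fstat(fd)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != os.getuid() or mode & 0o022:
        os.close(fd)
        raise PermissionError(
            "refusing %s: uid %d mode %04o (want uid %d, no group/other write)"
            % (path, st.st_uid, mode, os.getuid())
        )
    return fd


def demo() -> dict:
    """Constructed scenario: a 0666 'i2c' file (as reported) next to a correctly created lock."""
    d = tempfile.mkdtemp()
    insecure = os.path.join(d, "i2c")
    open(insecure, "w").close()
    os.chmod(insecure, 0o666)
    secure = os.path.join(d, "i2c.lock")
    os.close(open_lock_file(secure))
    result = {
        "insecure_findings": audit_lock_file(insecure),
        "secure_findings": audit_lock_file(secure),
        "insecure_rejected": False,
    }
    try:
        os.close(open_lock_file(insecure))
    except PermissionError:
        result["insecure_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it prints the two findings for the 0666 file, no findings for the owner-only file, and that the hardened open refuses to use the 0666 file at all rather than silently trusting it.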

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A path traversal vulnerability was found in the `deviceinfo` binary via the `mac` parameter. This could allow an authenticated attacker with access to the SSH interface on the affected device to read the contents of any file named `address`.

CVE-2023-27409 has been assigned to this vulnerability. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based buffer overflow vulnerability was found in the `edgebox_web_app` binary. The binary will crash if supplied with a backup password longer than 255 characters. This could allow an authenticated privileged attacker to cause a denial-of-service condition.

CVE-2023-27410 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation users can apply to reduce risk: 

SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Update to V2.1 or later version.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and following the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens Industrial Security webpage.

For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-325383 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

Rockwell Automation Kinetix 5500

1. EXECUTIVE SUMMARY

CVSS v3 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Kinetix 5500 EtherNet/IP Servo Drive
Vulnerabilities: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could create a denial-of-service condition or allow attackers unauthorized access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Kinetix 5500 EtherNet/IP Servo Drive are affected:

Kinetix 5500 devices manufactured between May 2022 and January 2023: Version 7.13

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER ACCESS CONTROL CWE-284

Rockwell Automation Kinetix 5500 devices manufactured between May 2022 and January 2023 running Version 7.13 have the telnet and file transfer protocol (FTP) ports open by default. This could allow an unauthenticated network attacker to access the device through those services.

CVE-2023-1834 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
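An added example, not Rockwell Automation code, of the check a network owner can run to find drives that still answer on the two services named above. It is a plain TCP connect probe in Python; a local stub listener stands in for a drive so the example runs offline, and the host list is whatever the operator supplies.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Services the advisory says are open by default on firmware 7.13.
LEGACY_SERVICES = {21: "ftp", 23: "telnet"}


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes (something is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts, services=LEGACY_SERVICES, timeout: float = 1.0, workers: int = 32) -> dict:
    """Map each host to the list of legacy service names that accepted a connection."""
    targets = [(h, p) for h in hosts for p in services]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: probe_port(hp[0], hp[1], timeout), targets))
    exposed = {h: [] for h in hosts}
    for (h, p), is_open in zip(targets, results):
        if is_open:
            exposed[h].append(services[p])
    return exposed


def start_stub_listener() -> tuple:
    """Local stand-in for a drive's telnet/ftp daemon (constructed for the demo).

    Binds an ephemeral loopback port and accepts-then-closes connections
    until the listening socket is closed. Returns (socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """An ephemeral loopback port nothing listens on (bind, read the number, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_stub_listener()
    # In real use: scan_hosts(["10.1.2.10", "10.1.2.11"]) against the drives' addresses.
    print(scan_hosts(["127.0.0.1"], {port: "telnet", closed_port(): "ftp"}))
    srv.close()
```

A drive that shows up as exposing telnet or ftp after the 7.14 upgrade, or one that cannot be upgraded yet, is a candidate for a firewall rule dropping TCP 21 and 23 from anything but the engineering network.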

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Chemical, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users upgrade the firmware of their affected devices to version 7.14 or later.

Rockwell Automation recommends users follow their security best practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

SDG PnPSCADA

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SDG Technologies
Equipment: PnPSCADA
Vulnerabilities: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to interact with the database and retrieve critical data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SDG PnPSCADA products are affected:

PnPSCADA (cross platforms): v2.*

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

The PnPSCADA system, a product of SDG Technologies CC, contains an unauthenticated error-based PostgreSQL SQL injection vulnerability in the hitlogcsv.jsp endpoint. An unauthenticated attacker could use it to interact with the underlying database and retrieve sensitive information, including industrial control system (ICS) and OT data as well as other records such as SMS messages and SMS logs. The unauthorized database access exposes infrastructure data on compromised systems to disclosure or manipulation.

CVE-2023-1934 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Africa

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS

SDG Technologies is aware of the issue and is developing a fix. For more information, contact SDG Technologies (PnPSCADA) by email.

The following workarounds are recommended to help reduce the risk:

Use prepared statements to help prevent SQL injections.
Avoid making assets publicly accessible.
Restrict public access: As a primary mitigation, it is crucial for all PnPSCADA users to avoid exposing their SCADA systems to the internet. By implementing proper network segmentation and isolating the SCADA system from public networks, users can significantly reduce the risk of unauthorized access and exploitation.
Implement strong access controls: Ensure that proper authentication and authorization mechanisms are in place to limit access to sensitive components of the SCADA system. This includes implementing role-based access control and regular audits of user privileges.
Monitor and log activity: Continuously monitor and log all activities within the SCADA environment. This helps with detecting any potential unauthorized access or attempts to exploit the vulnerability, enabling timely response and mitigation.
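The SQL injection in 3.2.1 and the first workaround above (prepared statements) as an added example, not SDG Technologies code. The table layout, the injected `tag` parameter and the SQLite in-memory database are stand-ins constructed for the demonstration; the real hitlogcsv.jsp schema and parameter names, and the PostgreSQL back end, are not on the page. The vulnerable export builds its statement from the request value, so a lone quote produces a database error (the error-based oracle) and a UNION payload reads a different table; the parameterised version treats the same inputs as data.

```python
import sqlite3

# Constructed stand-in for the export's injected value (hypothetical parameter name).
UNION_PAYLOAD = "' UNION SELECT phone, message, 0 FROM sms_log--"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a tag hit log and an SMS log, as the advisory's impact describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE hitlog(id INTEGER PRIMARY KEY, ts TEXT, tag TEXT, value REAL);
        INSERT INTO hitlog(ts, tag, value) VALUES
            ('2023-05-10T10:00:00', 'pump1', 1.5),
            ('2023-05-10T10:00:05', 'pump2', 2.5);
        CREATE TABLE sms_log(id INTEGER PRIMARY KEY, phone TEXT, message TEXT);
        INSERT INTO sms_log(phone, message) VALUES ('+27000000000', 'alarm acknowledged');
        """
    )
    return conn


def export_vulnerable(conn, tag: str) -> list:
    """String-built query: the `tag` value becomes part of the SQL text (CWE-89)."""
    sql = f"SELECT ts, tag, value FROM hitlog WHERE tag = '{tag}'"
    return conn.execute(sql).fetchall()


def export_hardened(conn, tag: str) -> list:
    """Parameterised query: `tag` is bound as data and can never change the statement."""
    return conn.execute("SELECT ts, tag, value FROM hitlog WHERE tag = ?", (tag,)).fetchall()


def probe_error(conn, payload: str):
    """Error-based reconnaissance: does a malformed value surface a database error?

    Returns the error text, which on PostgreSQL can be made to carry query
    results through cast errors, or None when the input is handled as data.
    """
    try:
        export_vulnerable(conn, payload)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    conn = setup_db()
    print("normal export:", export_vulnerable(conn, "pump1"))
    print("error oracle for a lone quote:", probe_error(conn, "'"))
    print("UNION against vulnerable export:", export_vulnerable(conn, UNION_PAYLOAD))
    print("same payload, parameterised export:", export_hardened(conn, UNION_PAYLOAD))
```

Only the vendor can change the JSP; for operators the practical use of this is the detection side: a request to hitlogcsv.jsp whose parameter contains a quote, `UNION`, or a comment sequence is the thing to alert on while the system stays unreachable from untrusted networks.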

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. The vulnerability is exploitable remotely (network attack vector, no authentication required).

Teltonika Remote Management System and RUT Model Routers

1. EXECUTIVE SUMMARY

CVSS v3 10.0 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Teltonika
Equipment: Remote Management System and RUT model routers
Vulnerabilities: Observable Response Discrepancy, Improper Authentication, Server-Side Request Forgery, Cross-site Scripting, Inclusion of Web Functionality from an Untrusted Source, External Control of System or Configuration Setting, OS Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Teltonika products are affected:

Remote Management System (RMS): Versions prior to 4.10.0 (affected by CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2587, CVE-2023-2588)
Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2586)
RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349)
RUT model routers: Version 00.07.00 through 00.07.03 (affected by CVE-2023-32350)

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE RESPONSE DISCREPANCY CWE-204

Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.

CVE-2023-32346 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
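An added Python example, not Teltonika code, of the response-discrepancy oracle in 3.2.1 and of a claim flow that does not leak. The device registry, claim codes and message texts are constructed for the demonstration; the page does not give Teltonika's actual wording or claim mechanism. The serial numbers and MAC addresses this enumerates are the same identifiers the next item (3.2.2) treats as device credentials, which is why the oracle matters.

```python
import hmac
import time
from collections import defaultdict

# Constructed registry: serial -> (MAC address, claim code printed on the unit).
DEVICES = {
    "1100000001": ("aa:bb:cc:00:00:01", "QX4R-7H2M"),
    "1100000002": ("aa:bb:cc:00:00:02", "P9LT-3WKD"),
    "1100000003": ("aa:bb:cc:00:00:03", "M2ZD-8VQN"),
}
ALREADY_CLAIMED = {"1100000001", "1100000003"}
CANDIDATES = ["11000000%02d" % i for i in range(10)]   # the attacker's guess space
GENERIC = "Device could not be claimed. Check the serial number and claim code."


def claim_vulnerable(serial: str, mac: str) -> str:
    """Claim handler whose failure messages differ by cause (CWE-204)."""
    if serial not in DEVICES:
        return "unknown serial number"
    if serial in ALREADY_CLAIMED:
        return "serial number already claimed"
    if DEVICES[serial][0] != mac:
        return "MAC address does not match"
    return "claimed"


def enumerate_serials(claim, candidates) -> dict:
    """Attacker side: any reply unlike the one for an impossible serial marks a real device."""
    probe_mac = "00:00:00:00:00:00"
    baseline = claim("000000000000", probe_mac)
    found = {}
    for serial in candidates:
        reply = claim(serial, probe_mac)
        if reply != baseline:
            found[serial] = reply
    return found


def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


class HardenedClaims:
    """One failure message for every cause, a per-account attempt limit, and a claim
    code that cannot be derived from the serial number or MAC address."""

    def __init__(self, devices, claimed, max_attempts=5, window_s=60.0):
        self.devices = devices
        self.claimed = set(claimed)
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.attempts = defaultdict(list)

    def claim(self, account, serial, mac, claim_code, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.attempts[account] if now - t < self.window_s]
        self.attempts[account] = recent + [now]
        if len(recent) >= self.max_attempts:
            return GENERIC          # throttled; same text, so throttling is not an oracle either
        dev = self.devices.get(serial)
        ok = (dev is not None and serial not in self.claimed
              and _eq(dev[0], mac) and _eq(dev[1], claim_code))
        if not ok:
            return GENERIC
        self.claimed.add(serial)
        return "claimed"


def throttle_demo() -> tuple:
    """Five wrong codes, then the right one: blocked inside the window, accepted after it."""
    svc = HardenedClaims(DEVICES, ALREADY_CLAIMED)
    for i in range(5):
        svc.claim("owner", "1100000002", "aa:bb:cc:00:00:02", "wrong", now=float(i))
    blocked = svc.claim("owner", "1100000002", "aa:bb:cc:00:00:02", "P9LT-3WKD", now=5.0)
    later = svc.claim("owner", "1100000002", "aa:bb:cc:00:00:02", "P9LT-3WKD", now=100.0)
    return blocked, later


if __name__ == "__main__":
    print("leaky handler reveals:", enumerate_serials(claim_vulnerable, CANDIDATES))
    svc = HardenedClaims(DEVICES, ALREADY_CLAIMED)
    print("hardened handler reveals:",
          enumerate_serials(lambda s, m: svc.claim("attacker", s, m, "0000-0000"), CANDIDATES))
    print("throttle demo:", throttle_demo())
```

Against the leaky handler the enumerator recovers which serials exist and which are already claimed from ten guesses; against the hardened one every guess returns the same string, and the account that guesses is throttled besides.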

3.2.2 IMPROPER AUTHENTICATION CWE-287

Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices.

CVE-2023-32347 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.

CVE-2023-32348 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).

3.2.4 IMPROPER AUTHENTICATION CWE-287

Teltonika’s Remote Management System versions prior to 4.14.0 allow an unauthorized attacker to register previously unregistered devices through the RMS platform. If the “RMS management” feature, which is enabled by default, has not been disabled on a device, an attacker could register that device to themselves. This could enable the attacker to perform operations on the user’s devices, including remote code execution with ‘root’ privileges (using the ‘Task Manager’ feature in RMS).

CVE-2023-2586 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices.

CVE-2023-2587 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 INCLUSION OF WEB FUNCTIONALITY FROM AN UNTRUSTED SOURCE CWE-830

Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System cloud subdomain. This URL can be shared with others without Remote Management System authentication. An attacker could exploit this to serve a malicious webpage from a trusted, certificate-bearing domain and initiate a reverse shell when a victim connects to it, achieving remote code execution on the victim’s device.

CVE-2023-2588 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

Versions 00.07.00 through 00.07.03.4 of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. However, variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution.

CVE-2023-32349 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.

CVE-2023-32350 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater, Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Lithuania

3.4 RESEARCHER

Roni Gavrilov of Otorio and Claroty Team82 reported these vulnerabilities to Teltonika and CISA. 

4. MITIGATIONS

Teltonika recommends users update their devices to the latest versions.

RMS services have already been updated to versions that fix these vulnerabilities.
Users can download the latest version of their respective RUT routers by navigating to the appropriate device on Teltonika’s website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

BirdDog Cameras and Encoders

1. EXECUTIVE SUMMARY

CVSS v3 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: BirdDog
Equipment: STUDIO R3, 4K QUAD, MINI, A300 EYES
Vulnerabilities: Cross-Site Request Forgery, Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to remotely execute code or obtain unauthorized access to the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following BirdDog camera and encoder versions are affected:

4K QUAD: Versions 4.5.181 and 4.5.196
MINI: Version 2.6.2
A300 EYES: Version 3.4
STUDIO R3: Version 3.6.4

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.

CVE-2023-2505 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials.

CVE-2023-2504 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
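An added example, not BirdDog code, of how to check an unpacked firmware image for the condition in 3.2.2: accounts with a usable password hash, an empty password, extra UID 0 accounts, and baked-in SSH authorized_keys. It expects an already-extracted root filesystem directory (what binwalk or unsquashfs typically produce) and builds a small constructed tree in a temporary directory so it runs stand-alone; the hash and key strings in that tree are fake.

```python
import os
import tempfile

LOCKED = {"*", "!", "!!", "x", "*LK*", "!*"}          # markers meaning "no usable password here"
HASH_PREFIXES = {
    "$1$": "md5-crypt (weak)", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt", "$6$": "sha512-crypt", "$7$": "scrypt", "$y$": "yescrypt",
}


def classify_hash(field: str):
    """Name the scheme of a passwd/shadow password field, or None if the account is locked."""
    if field in LOCKED:
        return None
    if field == "":
        return "empty (login without a password)"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "DES-crypt (weak)"
    return "unrecognised hash format"


def read_colon_file(path: str) -> list:
    """Parse a colon-separated system file into field lists; a missing file gives []."""
    if not os.path.isfile(path):
        return []
    rows = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line and not line.startswith("#"):
                rows.append(line.split(":"))
    return rows


def audit_rootfs(root: str) -> list:
    """Findings as (kind, subject, detail) tuples for an extracted firmware root."""
    findings = []
    for fields in read_colon_file(os.path.join(root, "etc", "passwd")):
        if len(fields) < 7:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append(("extra-uid0", user, "second root-equivalent account"))
        scheme = classify_hash(pw)
        if scheme:
            findings.append(("passwd-hash", user, scheme))
    for fields in read_colon_file(os.path.join(root, "etc", "shadow")):
        if len(fields) < 2:
            continue
        scheme = classify_hash(fields[1])
        if scheme:
            findings.append(("shadow-hash", fields[0], scheme))
    for dirpath, _, files in os.walk(root):
        if "authorized_keys" in files:
            path = os.path.join(dirpath, "authorized_keys")
            with open(path, encoding="utf-8", errors="replace") as fh:
                keys = [ln for ln in fh
                        if ln.split(" ")[0] in ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")]
            findings.append(("authorized-keys", os.path.relpath(path, root),
                             "%d baked-in key(s)" % len(keys)))
    return findings


def build_fixture() -> str:
    """Constructed root filesystem with fake hashes and a fake key; not from any real image."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "root", ".ssh"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n"
                 "admin:x:0:0:admin:/:/bin/sh\n"
                 "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as fh:
        fh.write("root:$1$ab12cd34$0123456789abcdefghijklm:19000:0:99999:7:::\n"
                 "admin::19000:0:99999:7:::\n"
                 "nobody:*:19000:0:99999:7:::\n")
    with open(os.path.join(root, "root", ".ssh", "authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE vendor@build\n")
    return root


if __name__ == "__main__":
    for finding in audit_rootfs(build_fixture()):
        print(*finding)
```

A hash that is present in every unit of a product line is by definition a shared credential; the hash scheme name tells you how cheaply it can be cracked once the image is public, and a baked-in authorized_keys entry is a credential that no password change will remove.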

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Australia

3.4 RESEARCHER

Alan Cao reported these vulnerabilities to CISA.

4. MITIGATIONS

BirdDog has released a firmware patch for these issues, and users are encouraged to update their devices from BirdDog’s download page.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Siemens Solid Edge

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or crash the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Solid Edge SE2023: All versions prior to V223.0 Update 3
Solid Edge SE2023: All versions prior to V223.0 Update 2

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476 

The STEPTools v18SP1 ifcmesh library (v18.1) used by the affected applications contains a null pointer dereference. An attacker could supply a specially constructed file that crashes the application when read, denying its use.

CVE-2023-0973 has been assigned to this vulnerability. A CVSS v3 base score of 2.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

Affected applications contain an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted OBJ file. This vulnerability could allow an attacker to disclose sensitive information. 

CVE-2023-30985 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). 

3.2.3 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

Affected applications contain a memory corruption vulnerability while parsing specially crafted STP files. This could allow an attacker to execute code in the context of the current process. 

CVE-2023-30986 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Trend Micro Zero Day Initiative reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens identified the following specific workarounds and mitigations users can apply to reduce risk: 

Solid Edge SE2023: Update to V223.0 Update 3 or later version.
Solid Edge SE2023: Update to V223.0 Update 2 or later version.
Avoid opening untrusted files from unknown sources in Solid Edge.

For further inquiries on security vulnerabilities in Siemens products, users should contact Siemens.  

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information, see the associated Siemens security advisory SSA-932528 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

These vulnerabilities are not exploitable remotely. 

Siemens SIMATIC Cloud Connect 7

1. EXECUTIVE SUMMARY

CVSS v3 7.2 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC Cloud Connect 7
Vulnerabilities: Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Use of Hard-coded Password, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Missing Standardized Error Handling Mechanism, Exposure of Sensitive Information to an Unauthorized Actor, Files or Directories Accessible to External Parties

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions V2.0 to V2.1
SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions prior to V2.1
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions V2.0 to V2.1
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions prior to V2.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. 

CVE-2023-28832 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). 

3.2.2 USE OF HARD-CODED PASSWORD CWE-259 

The affected device uses a hard-coded password to protect the diagnostic files. This could allow an authenticated attacker to access protected data. 

CVE-2023-29103 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to overwrite any file the Linux user `ccuser` has write access to, or to download any file the Linux user `ccuser` has read-only access to. 

CVE-2023-29104 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H). 

3.2.4 MISSING STANDARDIZED ERROR HANDLING MECHANISM CWE-544 

The affected device is vulnerable to a denial-of-service condition while parsing a random (non-JSON) MQTT payload. This could allow an attacker who can manipulate the communication between the MQTT broker and the affected device to cause a denial-of-service condition. 

CVE-2023-29105 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 
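The weakness in 3.2.4 is a parser that has no single, predictable failure path when a payload is not the JSON it expects. The following is an added illustration of the mitigation pattern (CWE-544: one standardized error type, size limit, type checks, and a consumer loop that drops bad messages instead of dying); it is example code written for this page, not the Cloud Connect 7 firmware, and the field schema and the sample payloads are constructed.

```python
import json
import logging
from typing import Iterable

log = logging.getLogger("mqtt-ingest")

MAX_PAYLOAD_BYTES = 4096
# Hypothetical schema for the messages this subscriber expects: field -> type.
REQUIRED_FIELDS = {"tag": str, "value": (int, float)}


class PayloadError(Exception):
    """The one error type every validation failure is funnelled into."""


def parse_payload(raw: bytes) -> dict:
    """Decode and validate a single MQTT payload or raise PayloadError."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise PayloadError("payload exceeds size limit")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # Random bytes, truncated text and non-JSON all land here instead of
        # propagating as unrelated exceptions from deep inside the parser.
        raise PayloadError(f"not a UTF-8 JSON document ({type(exc).__name__})") from exc
    if not isinstance(obj, dict):
        raise PayloadError("top-level value must be a JSON object")
    for field, expected in REQUIRED_FIELDS.items():
        value = obj.get(field)
        # bool is a subclass of int, so exclude it explicitly for numeric fields.
        if value is None or isinstance(value, bool) or not isinstance(value, expected):
            raise PayloadError(f"field {field!r} missing or of wrong type")
    return obj


def handle_messages(payloads: Iterable[bytes]) -> tuple:
    """Consume a stream of payloads; bad ones are logged and dropped, never fatal."""
    accepted, rejected = [], 0
    for raw in payloads:
        try:
            accepted.append(parse_payload(raw))
        except PayloadError as exc:
            rejected += 1
            log.warning("dropping MQTT payload: %s", exc)
    return accepted, rejected


# Constructed sample payloads (not captured from a real broker).
SAMPLE_PAYLOADS = [
    b'{"tag": "temp1", "value": 21.5}',   # valid
    b"\xff\xfe\x00\x13random bytes",       # not UTF-8
    b"[1, 2, 3]",                          # JSON, but not an object
    b'{"tag": "temp1"}',                   # missing field
    b'{"tag": "temp1", "value": true}',    # bool where a number is required
    b"x" * (MAX_PAYLOAD_BYTES + 1),        # oversized
]
```

Running `handle_messages(SAMPLE_PAYLOADS)` accepts the first payload and rejects the other five with a logged reason each; the subscriber keeps running regardless of what the broker delivers, which is the property the advisory says the affected device lacks.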

3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 

The export endpoint is accessible via REST application programming interface (API) without authentication. This could allow an unauthenticated remote attacker to download the files available via the endpoint. 

CVE-2023-29106 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 

3.2.6 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552 

The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources. 

CVE-2023-29107 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 

3.2.7 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to write any file with the extension `.db`. 

CVE-2023-29128 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L). 
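Both 3.2.3 and 3.2.7 describe the same root cause: a client-supplied upload filename used to build a filesystem path. The block below is an added example, not code from the Cloud Connect 7 product, contrasting the naive join with a hardened version that keeps only the final path component, enforces the expected extension (the advisory's `.db` case), and verifies that the normalized result is still under the upload root. The root directory is a constructed placeholder; the advisory does not state the device's real path.

```python
import posixpath

# Constructed example root; the real device path is not given in the advisory.
UPLOAD_ROOT = "/var/lib/ccuser/uploads"


def naive_target_path(filename: str) -> str:
    """The weak pattern: joining a client-supplied name straight onto the root.

    A name such as '../../../../etc/passwd' resolves outside UPLOAD_ROOT, so
    the write lands wherever the service account (here 'ccuser') can write.
    """
    return posixpath.join(UPLOAD_ROOT, filename)


def naive_escapes_root(filename: str) -> bool:
    """True when the naive join would resolve outside UPLOAD_ROOT."""
    resolved = posixpath.normpath(naive_target_path(filename))
    return posixpath.commonpath([UPLOAD_ROOT, resolved]) != UPLOAD_ROOT


def safe_target_path(filename: str, allowed_ext: str = ".db") -> str:
    """Return an absolute path inside UPLOAD_ROOT, or raise ValueError."""
    # Treat backslashes as separators too, then keep only the last component:
    # this discards any directory part, including '..' sequences.
    base = posixpath.basename(filename.replace("\\", "/"))
    # Reject empty, dot-only, hidden and NUL-containing names outright.
    if not base or base in (".", "..") or base.startswith(".") or "\x00" in base:
        raise ValueError("invalid filename")
    # Enforce the extension the feature is documented to accept.
    if not base.endswith(allowed_ext):
        raise ValueError("unexpected extension")
    # Defence in depth: after normalisation the result must still sit under the root.
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return candidate


def check_upload_name(filename: str) -> bool:
    """True if the name would be accepted by safe_target_path, else False."""
    try:
        safe_target_path(filename)
    except ValueError:
        return False
    return True
```

`posixpath` is used rather than `os.path` so the behaviour is identical on any host; the device itself is Linux. Note that the basename step alone would already defeat traversal, but the final `commonpath` check costs nothing and catches future refactoring mistakes.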

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Update to V2.1 or later
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Update to V2.1 or later

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-555292 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities.  

Siemens SCALANCE W1750D

1. EXECUTIVE SUMMARY

CVSS v3 8.4 
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: SCALANCE W1750D
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information or steal the unsuspecting user’s session. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target’s MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (e.g., authentication frames or re-association frames) to remove the target’s original security context. This interception occurs because the specifications do not require an access point to purge its transmit queue before removing a client’s pairwise encryption key.

CVE-2022-47522 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned. The CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to their Operational Guidelines for Industrial Security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens Industrial Security website. 

For further inquiries on security vulnerabilities in Siemens products, visit Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-516174 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Siemens SINEC NMS Third-Party

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Third-party components libexpat and libcurl in SINEC NMS
Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products are affected:

Third-Party components used in SINEC NMS: All versions prior to V1.0.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send—even when the `CURLOPT_POSTFIELDS` option has been set—if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. 

CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). 

3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286 

When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might cause the server to return 400 responses, effectively allowing a “sister site” to deny service to all “siblings.” 

CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 
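The cookie issue in 3.2.2 is a client that stores whatever `Set-Cookie` hands it and replays it verbatim. The added example below (written for this page, not taken from curl) shows the check a cookie jar should apply at store time: RFC 6265's cookie-octet excludes CTL characters (0x00 to 0x1F and 0x7F), so a cookie whose name or value contains one is refused, and the outgoing `Cookie:` header can never carry a control byte that makes the server reject the whole request. The header samples are constructed.

```python
# Constructed Set-Cookie header values as a client might receive them from
# several hosts under one parent domain; none of these come from the advisory.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "theme=dark",
    "poison=x\x01y; Path=/",      # contains a control byte (0x01)
    "bad\x7fname=1",              # DEL in the name
    "empty=",                     # legal: empty value
    "noequals",                   # malformed pair
]


def has_control_chars(s: str) -> bool:
    """RFC 6265 cookie-octet excludes CTLs: 0x00-0x1F and 0x7F."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in s)


def parse_set_cookie(header_value: str):
    """Return (name, value) for an acceptable cookie, else None.

    Attributes after the first ';' (Path, HttpOnly, ...) are ignored here; the
    point is the control-character check on the name/value pair.
    """
    pair = header_value.split(";", 1)[0]
    if "=" not in pair:
        return None
    name, value = (part.strip() for part in pair.split("=", 1))
    if not name or has_control_chars(name) or has_control_chars(value):
        return None
    return name, value


def accept_cookies(set_cookie_headers):
    """Build a cookie jar, keeping a list of the headers that were refused."""
    jar, rejected = {}, []
    for header in set_cookie_headers:
        parsed = parse_set_cookie(header)
        if parsed is None:
            rejected.append(header)
        else:
            jar[parsed[0]] = parsed[1]
    return jar, rejected


def build_cookie_header(jar) -> str:
    """Serialise the jar for an outgoing request; never contains control codes."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())
```

Rejecting at store time rather than at send time matters: a cookie set by one host under a shared domain is replayed to every sibling host, so filtering on receipt is what stops one site from breaking requests to the others.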

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

Curl could be directed to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer and, if the read works, write a zero byte beyond its boundary. This could cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, then this flaw could be used to cause a denial-of-service condition. 

CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). 

3.2.4 USE AFTER FREE CWE-416

Libexpat before 2.4.9 has a use-after-free vulnerability in the doContent function in xmlparse.c. 

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.5 USE AFTER FREE CWE-416

Curl can be asked to tunnel almost all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When denied a tunnel for the specific protocols SMB or TELNET, curl could use a heap-allocated struct after it had been freed in its transfer shutdown code path. 

CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.6 USE AFTER FREE CWE-416

In libexpat through 2.4.9, there is a use after free vulnerability caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. 

CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.7 DOUBLE FREE CWE-415

Curl before 7.86.0 has a double free vulnerability. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, such as 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. 

CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.8 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

In curl before 7.86.0, the HSTS check could be bypassed by tricking it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. 

CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). 

3.2.9 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 

A vulnerability exists in the HSTS check of curl versions before 7.87.0 that could be bypassed by tricking it into using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, such as the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). In a subsequent request, curl then does not detect the HSTS state and makes a clear-text transfer, because it stores the information IDN encoded but looks for it IDN decoded. 

CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 
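Sections 3.2.8 and 3.2.9 are the same class of bug from two angles: the HSTS store and the HSTS lookup disagree about the spelling of a host name, so a URL written with U+3002 misses the policy that was stored for the ASCII form. The added example below (written for this page, not curl's implementation) reproduces the mismatch with a naive lookup and shows the fix, which is to canonicalize the host name identically on both the store and the lookup path. It relies on Python's built-in `idna` codec, which maps the IDNA label separators (U+3002, U+FF0E, U+FF61) to `.` and encodes non-ASCII labels as punycode; timestamps are plain seconds supplied by the caller so the example is deterministic.

```python
def canonical_host(host: str) -> str:
    """Canonical ASCII form of a host name for HSTS storage and lookup.

    Python's built-in 'idna' codec maps the IDNA label separators U+3002,
    U+FF0E and U+FF61 to '.', and encodes non-ASCII labels as punycode
    ('xn--'), so every spelling of the same name collapses to one key.
    """
    return host.encode("idna").decode("ascii").lower()


class HstsCache:
    """Minimal HSTS store keyed by canonical host; times are plain seconds."""

    def __init__(self):
        self._expiry = {}

    def add(self, host: str, max_age: int, now: float) -> None:
        """Record a Strict-Transport-Security policy for host."""
        self._expiry[canonical_host(host)] = now + max_age

    def should_upgrade_naive(self, host: str, now: float) -> bool:
        """The flawed lookup: uses the host exactly as written in the URL.

        'example\u3002com' is not the same dict key as 'example.com', so the
        stored policy is missed and the request goes out as plain HTTP.
        """
        expiry = self._expiry.get(host)
        return expiry is not None and expiry > now

    def should_upgrade(self, host: str, now: float) -> bool:
        """Fixed lookup: canonicalise before consulting the store."""
        return self.should_upgrade_naive(canonical_host(host), now)


def choose_scheme(cache: HstsCache, url_scheme: str, host: str, now: float) -> str:
    """Apply HSTS: an http:// URL is upgraded when the host has a live policy."""
    if url_scheme == "http" and cache.should_upgrade(host, now):
        return "https"
    return url_scheme
```

The general rule this demonstrates goes beyond HSTS: any security decision keyed on a host name (pinning, cookie scope, allow-lists) must apply the same normalization when the key is written and when it is read, otherwise an alternate encoding of the same name becomes a bypass.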

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation users can apply to reduce risk: 

SINEC NMS: Update to V1.0.3.1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information, see the associated Siemens security advisory SSA-892048 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. 

Siemens Siveillance Video Event and Management Servers

1. EXECUTIVE SUMMARY

CVSS v3 9.9 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Siveillance Video
Vulnerabilities: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute code on the affected system. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the following IP video management software: 

Siveillance Video 2020 R2: all versions prior to V20.2 HotfixRev14
Siveillance Video 2020 R3: all versions prior to V20.3 HotfixRev12
Siveillance Video 2021 R1: all versions prior to V21.1 HotfixRev12
Siveillance Video 2021 R2: all versions prior to V21.2 HotfixRev8
Siveillance Video 2022 R1: all versions prior to V22.1 HotfixRev7
Siveillance Video 2022 R2: all versions prior to V22.2 HotfixRev5
Siveillance Video 2022 R3: all versions prior to V22.3 HotfixRev2
Siveillance Video 2023 R1: all versions prior to V23.1 HotfixRev1

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

The Event Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validations. This could allow an authenticated remote attacker to execute code on the affected system. 

CVE-2023-30898 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

The Management Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validations. This could allow an authenticated remote attacker to execute code on the affected system. 

CVE-2023-30899 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 
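Both findings above are CWE-502: a server component reconstructs objects from data it received without restricting what may be reconstructed. The Siveillance Video servers are not written in Python, so the following added example shows the general mitigation pattern in Python's `pickle` rather than the product's own serializer: an unpickler whose `find_class` only resolves globals on an explicit allow-list, followed by a structural check on the result. The allow-list and the sample records are constructed for this example; the rejected sample references an ordinary standard-library class that is simply not on the list.

```python
import collections
import datetime
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allow-list."""

    # Hypothetical allow-list for an event record; extend deliberately, never wholesale.
    ALLOWED_GLOBALS = {("datetime", "datetime")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Deserialize with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_event(data: bytes):
    """Return (ok, result): the event dict on success, or the rejection reason."""
    try:
        obj = restricted_loads(data)
    except Exception as exc:  # any failure to deserialize is a rejection, not a crash
        return False, f"{type(exc).__name__}: {exc}"
    # Validate the shape even after a successful load: the allow-list limits
    # which classes can be instantiated, it does not vouch for the content.
    if not isinstance(obj, dict) or not {"camera", "event"}.issubset(obj):
        return False, "unexpected structure"
    return True, obj


# Constructed samples. The benign record contains only built-in containers plus
# a datetime; the second references a class outside the allow-list (harmless in
# itself, but exactly the kind of reference the unpickler must refuse); the
# third has an acceptable encoding but the wrong shape.
BENIGN_EVENT = pickle.dumps({"camera": 3, "event": "motion",
                             "at": datetime.datetime(2023, 5, 9, 12, 0)})
OUTSIDE_ALLOWLIST = pickle.dumps(collections.OrderedDict(camera=3, event="motion"))
WRONG_SHAPE = pickle.dumps([1, 2, 3])
```

Where a choice exists, a data-only format such as JSON with schema validation removes the class-resolution problem entirely; the allow-listed unpickler is the fallback for protocols that cannot be changed, and the structural check after loading applies in either case.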

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities

COUNTRIES/AREAS DEPLOYED: Worldwide

COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Milestone PSIRT reported these vulnerabilities to Siemens. 

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. The provided cumulative hotfix releases include the fixes for both Event Server (ES) and Management Server (MS). Ensure to apply the fixes on all relevant deployed servers: 

Siveillance Video 2020 R2: Update to V20.2 HotfixRev14 or later version
Siveillance Video 2020 R3: Update to V20.3 HotfixRev12 or later version
Siveillance Video 2021 R1: Update to V21.1 HotfixRev12 or later version
Siveillance Video 2021 R2: Update to V21.2 HotfixRev8 or later version
Siveillance Video 2022 R1: Update to V22.1 HotfixRev7 or later version
Siveillance Video 2022 R2: Update to V22.2 HotfixRev5 or later version
Siveillance Video 2022 R3: Update to V22.3 HotfixRev2 or later version
Siveillance Video 2023 R1: Update to V23.1 HotfixRev1 or later version

As a general security measure Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT environment. 

For additional information regarding this vulnerability, see the related Milestone security advisory.

For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT.  

For more information, see the associated Siemens security advisory SSA-789345 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.