Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2981
Advisory (icsa-22-167-09) Siemens SCALANCE LPE9403
Third-Party Vulnerabilities
17 June 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SCALANCE LPE9403
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0847 CVE-2021-41103 CVE-2021-41092
CVE-2021-41091 CVE-2021-41089 CVE-2021-39293
CVE-2021-36221 CVE-2021-33910 CVE-2021-33196
CVE-2021-20317 CVE-2020-27304
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-167-09
Comment: CVSS (Max): 9.8 CVE-2020-27304 (CVSSv3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSSv3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-167-09)
Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
Original release date: June 16, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION: Exploitable remotely, low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE LPE9403
o Vulnerabilities: Multiple
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause crashes and
unrestricted file access, impacting the product's confidentiality, integrity,
and availability.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SCALANCE LPE9403 (Local Processing Engine), a
processing power extension for the SCALANCE family of products, are affected:
o All versions prior to v2.0
o The vulnerabilities exist within the third-party components CivetWeb,
Docker, Linux kernel and system, which are part of the SCALANCE LPE9403.
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
The CivetWeb web library does not validate uploaded filepaths when running on
an OS other than Windows when using the built-in HTTP form-based file upload
mechanism, via the mg_handle_form_request API. Web applications using the file
upload form handler, as well as those that use parts of the user-controlled
filename in the output path, are susceptible to directory traversal.
CVE-2020-27304 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.2 IMPROPER INITIALIZATION CWE-665
A corrupted timer tree caused the task wakeup to be missing in the
timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker
with special user privileges to cause a denial-of-service condition, slowing
and eventually stopping the system while running OSP.
CVE-2021-20317 has been assigned to this vulnerability. A CVSS v3 base score of
4.4 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:H/UI:N/S:U/
C:N/I:N/A:H ).
3.2.3 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
The use of alloca function with an uncontrolled size in function
unit_name_path_escape allows a local attacker, able to mount a filesystem on a
very long path, to crash systemd and the whole system by allocating a large
space in the stack.
CVE-2021-33910 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:N/I:N/A:H ).
3.2.4 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362
A race condition vulnerability exists in Go. The incoming requests' bodies are
not closed after the handler panic, which could lead to a Reverse Proxy crash.
CVE-2021-36221 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
3.2.5 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the
NewReader and OpenReader functions in archive/zip can still cause a panic or an
unrecoverable fatal error when reading an archive that claims to contain a
large number of files, regardless of its actual size.
CVE-2021-39293 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
3.2.6 IMPROPER PRESERVATION OF PERMISSIONS CWE-281
A vulnerability exists in Moby (Docker Engine) where attempting to copy files
using docker cp into a specially crafted container can result in UNIX file
permission changes for existing files in the host's filesystem, widening access
to others. This does not directly allow files to be read, modified, or executed
without an additional cooperating process.
CVE-2021-41089 has been assigned to this vulnerability. A CVSS v3 base score of
2.8 has been calculated; the CVSS vector string is ( AV:L/AC:H/PR:L/UI:N/S:C/
C:L/I:N/A:N ).
3.2.7 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
A vulnerability exists in Moby (Docker Engine) where the data directory
contains subdirectories with insufficiently restricted permissions, allowing
otherwise unprivileged Linux users to traverse directory contents and execute
programs.
CVE-2021-41091 has been assigned to this vulnerability. A CVSS v3 base score of
6.3 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:C/
C:L/I:L/A:L ).
3.2.8 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
A vulnerability exists in the Docker CLI where running docker login
my-private-registry.example.com with a misconfigured configuration file would
result in any provided credentials being sent to registry-1.docker.io rather
than the intended private registry.
CVE-2021-41092 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:H/UI:R/S:C/
C:H/I:N/A:N ).
3.2.9 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
A vulnerability exists in container where container root directories and some
plugins have insufficiently restricted permissions, allowing otherwise
unprivileged Linux users to traverse directory contents and execute programs.
CVE-2021-41103 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:L ).
3.2.10 IMPROPER PRESERVATION OF PERMISSIONS CWE-281
A vulnerability exists in the "flags" member of the new pipe buffer structure
in the Linux kernel and could contain stale values. An unprivileged local user
could use this to write to pages in the page cache backed by read only files
and as such escalate their privileges on the system.
CVE-2022-0847 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends users of the affected product update to Version 2.0 or
later.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage .
For more information see Siemens Security Advisory SSA-222547
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov/ics Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov/ics in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYqvjPMkNZI30y1K9AQj/qA//Q8FIPr8lsn5YTzYeMIWUzx76Hz5Jmx8M
eLTapOLdC9FIsrpp6LRUzSB5ZXn8zZ+b1EVvy7z+ek0/qKhZ2NWhXKi4qv/wZnlI
qlwifd0JHg/vXAjweZwYSbvHa5js4o0Mtj7f0tm4rGZWKBXVjdYPKNhDLugdx2bW
xqGoEK0GPZ9LS5vLUfbx21MXW6YaVtCI8cJTANcl1qINEsWEq8BJMZ7bLy2L1+RT
uAnjZYNlc6cuq8ITsfPOz00M6+rfzpEYQgnNysba36xNSGwH8B1IAvpnOsFVNK9Y
tJ5tuHWe7ixSvb1S8kH4YGXPf8aYQrqeSKHNw17/iHsdT0foECQXl+cwH9ZH2Uxn
Ndradni9BzcBs0b6v67lVDGYMKKZAT0PSpHHpBMFy5BC8yF8AhrWJOP1chGYXd1u
NsLRESbblUkNBR3gUZV5H9GCMh5q4fJ9Jskb1MjKBRuvlfM5tj7DCUGek2Dk0bs5
TcRj7HMCNnbgNpnO0TmI+MhJTRk9IYUQjARvwnVLhBUFwLLPjZI6XJtm5EeG3f8E
CS0+tCkr++zM65eweLbXjt4y3gEunP0ovd3xiC4CNlGg+vOmuFr4ehKSBTqYVwDl
fwwUPJasCeIqLtVUJXFBDYo+15rO/+Pn4A89z6fcDFYiat6m5MOR8i/NPLuuuljX
IB0c+ud6xoo=
=dvpD
-----END PGP SIGNATURE-----