-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0272
                 Advisory (icsa-23-017-03) Siemens SINEC INS
                               18 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SINEC INS
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-45094 CVE-2022-45093 CVE-2022-45092
                   CVE-2022-35256 CVE-2022-35255 CVE-2022-32222
                   CVE-2022-32215 CVE-2022-32213 CVE-2022-32212
                   CVE-2022-2274 CVE-2022-2097 CVE-2022-2068
                   CVE-2022-1292

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-23-017-03

Comment: CVSS (Max):  9.9 CVE-2022-45092 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-017-03)

Siemens SINEC INS

Original release date: January 17, 2023

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

   o CVSS v3 9.9
   o ATTENTION: Exploitable remotely/low attack complexity
   o Vendor: Siemens
   o Equipment: SINEC INS
   o Vulnerabilities: OS Command Injection, Inadequate Encryption Strength,
     Out-of-bounds Write, HTTP Request Smuggling, Inadequate Encryption
     Strength, Use of Insufficiently Random Values, Authentication Bypass by
     Spoofing, Path Traversal, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
read and write arbitrary files from the file system of the affected component
and to ultimately execute arbitrary code on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the following network services
application:

   o SINEC INS: versions prior to V1.0 SP2 Update 1

3.2 VULNERABILITY OVERVIEW

3.2.1 OS COMMAND INJECTION CWE-78

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, code review found further circumstances where the c_rehash
script does not properly sanitize shell metacharacters to prevent command
injection. When CVE-2022-1292 was fixed, code review did not discover other
places in the script where the file names of hashed certificates were possibly
passed to a command executed through the shell. This script is distributed by
some operating systems in a manner where it is automatically executed. On such
operating systems, an attacker could execute arbitrary commands with the
privileges of the script. Use of the c_rehash script is considered obsolete and
should be replaced by the OpenSSL rehash command line tool.

CVE-2022-2068 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 OS COMMAND INJECTION CWE-78

An OS command injection vulnerability exists in Node.js versions <14.20.0,
<16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that could easily
be bypassed because IsIPAddress does not properly check if an IP address is
invalid before making DNS requests, allowing rebinding attacks.

CVE-2022-32212 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 INADEQUATE ENCRYPTION STRENGTH CWE-326

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of unwritten data preexisting
in the memory. "In place" encryption could reveal sixteen bytes of the
plaintext. Because OpenSSL does not support OCB based cipher suites for TLS and
DTLS, they are both unaffected.

CVE-2022-2097 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation
for X86_64 CPUs supporting the AVX512IFMA instructions. This issue leads to an
incorrect RSA implementation with 2048-bit private keys on such machines, and
memory corruption will happen during the computation. Due to memory
corruption, an attacker could trigger remote code execution on the machine
performing the computation. This issue affects SSL/TLS servers or other servers
using 2048-bit RSA private keys running on machines supporting AVX512IFMA
instructions of the X86_64 architecture.

CVE-2022-2274 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.5 HTTP REQUEST SMUGGLING CWE-444

The llhttp parser <v14.20.1, <v16.17.1, and <v18.9.1 in the http module in
Node.js does not correctly parse and validate transfer-encoding headers and
could lead to HTTP request smuggling (HRS).

CVE-2022-32213 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.6 HTTP REQUEST SMUGGLING CWE-444

The llhttp parser <v14.20.1, <v16.17.1, and <v18.9.1 in the http module in
Node.js does not correctly handle multi-line transfer-encoding headers. This
could lead to HTTP request smuggling (HRS).

CVE-2022-32215 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.7 INADEQUATE ENCRYPTION STRENGTH CWE-326

A cryptographic vulnerability exists in Node.js on Linux in versions 18.x prior
to 18.40.0, which allows a default path for openssl.cnf that could be
accessible by a non-admin user under some circumstances, instead of /etc/ssl,
as was the case in versions prior to the upgrade to OpenSSL 3.

CVE-2022-32222 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.8 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Node.js makes calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in
src/crypto/crypto_keygen.cc. However, it does not check the return value; it
assumes EntropySource() always succeeds, but it can (and sometimes will) fail.

CVE-2022-35255 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.9 AUTHENTICATION BYPASS BY SPOOFING CWE-290

The llhttp parser in the http module in Node.js v18.7.0 does not correctly
handle header fields that are not terminated with CRLF.
This could result in HRS.

CVE-2022-35256 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.10 PATH TRAVERSAL CWE-22

An authenticated remote attacker with access to the affected product's
web-based management (443/TCP) could potentially read and write arbitrary files
to and from the device's file system. An attacker could leverage this to
trigger remote code execution on the affected component.

CVE-2022-45092 has been assigned to this vulnerability. A CVSS v3 base score of
9.9 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.11 PATH TRAVERSAL CWE-22

An authenticated remote attacker with access to the web-based management
(443/TCP) of the affected product, as well as with access to the secure file
transfer protocol (SFTP) server of the affected product (22/TCP), could
potentially read and write arbitrary files to and from the device's file
system. An attacker could leverage this to trigger remote code execution on the
affected component.

CVE-2022-45093 has been assigned to this vulnerability. A CVSS v3 base score of
8.5 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.12 COMMAND INJECTION CWE-77

An authenticated remote attacker with access to the affected product's
web-based management (443/TCP) could potentially inject commands into the
affected product's DHCPD configuration. An attacker could leverage this to
trigger remote code execution on the affected component.

CVE-2022-45094 has been assigned to this vulnerability. A CVSS v3 base score of
8.4 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

   o CRITICAL INFRASTRUCTURE SECTORS: Multiple
   o COUNTRIES/AREAS DEPLOYED: Worldwide
   o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.
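The three llhttp findings above (3.2.5, 3.2.6 and 3.2.9) share one root cause: a lenient parser accepts request framing that a stricter parser in front of or behind it rejects, so the two disagree on where one request ends and the next begins. As an added example that is not part of the advisory or of Node.js, the following checker flags those framing indicators in a raw request so a reverse proxy or IDS can reject or log it before it reaches the application; the sample requests in the test are constructed.

```python
import re

def header_block(raw):
    """Cut the request at its first blank line. A bare LF-LF blank line is
    accepted here only so that such a request can be flagged, not served."""
    m = re.search(rb"(\r?\n)\r?\n", raw)
    return raw if m is None else raw[:m.end(1)]

def split_header_lines(head):
    """Split on LF and count lines lacking the CRLF the RFC requires (the
    lenient line-termination handling behind CVE-2022-35256)."""
    lines, bare_lf = [], 0
    for line in head.split(b"\n"):
        if not line:
            continue  # empty piece after the final terminator
        if line.endswith(b"\r"):
            lines.append(line[:-1])
        else:
            bare_lf += 1
            lines.append(line)
    return lines, bare_lf

def smuggling_indicators(raw):
    """Return the reasons a raw HTTP/1.1 request could be framed differently
    by a front end and a back end; an empty list means none were seen."""
    lines, bare_lf = split_header_lines(header_block(raw))
    reasons = []
    if bare_lf:
        reasons.append(f"{bare_lf} header line(s) terminated by bare LF")
    te_values, cl_count = [], 0
    for line in lines[1:]:  # lines[0] is the request line
        if line[:1] in (b" ", b"\t"):  # obs-fold continuation, cf. CVE-2022-32215
            reasons.append("multi-line (obs-fold) header continuation")
            continue
        name, _, value = line.partition(b":")
        name = name.strip(b" \t").lower()
        if name == b"transfer-encoding":
            te_values.append(value.strip(b" \t"))
        elif name == b"content-length":
            cl_count += 1
    if len(te_values) > 1 or cl_count > 1:
        reasons.append("repeated Transfer-Encoding or Content-Length")
    if te_values and cl_count:
        reasons.append("Content-Length and Transfer-Encoding both present")
    for v in te_values:  # only a lone 'chunked' is unambiguous, cf. CVE-2022-32213
        codings = [c.strip(b" \t").lower() for c in v.split(b",")]
        if codings != [b"chunked"]:
            reasons.append(f"non-canonical Transfer-Encoding value {v!r}")
    return reasons
```

Whitespace is stripped with `b" \t"` only, so a value such as `chunked\x0b` is still reported as non-canonical rather than silently normalised.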
4. MITIGATIONS

Siemens released V1.0 SP2 Update 1 for SINEC INS and recommends updating to the
latest version.

Siemens identified the following specific workarounds and mitigations users can
apply to reduce risk:

   o CVE-2022-45094: Disable the DHCP service of the affected product, if not
     required.
   o CVE-2022-45093: Disable the SFTP service of the affected product, if not
     required.

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following the
recommendations in the product manuals. Siemens has published additional
information on industrial security.

For further inquiries on security vulnerabilities in Siemens products, users
should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-332410
in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

   o Ensure the least-privilege user principle is followed.
   o Minimize network exposure for all control system devices and/or systems,
     and ensure they are not accessible from the Internet.
   o Locate control system networks and remote devices behind firewalls and
     isolate them from business networks.
   o When remote access is required, use secure methods, such as Virtual
     Private Networks (VPNs), recognizing VPNs may have vulnerabilities and
     should be updated to the most current version available. Also recognize
     VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics.
Several CISA products detailing cyber defense best practices are available for
reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

   o Do not click web links or open attachments in unsolicited email messages.
   o Refer to Recognizing and Avoiding Email Scams for more information on
     avoiding email scams.
   o Refer to Avoiding Social Engineering and Phishing Attacks for more
     information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are exploitable remotely. These vulnerabilities have a low
attack complexity.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================