===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0272
                Advisory (icsa-23-017-03) Siemens SINEC INS
                              18 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SINEC INS
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-45094 CVE-2022-45093 CVE-2022-45092
                   CVE-2022-35256 CVE-2022-35255 CVE-2022-32222
                   CVE-2022-32215 CVE-2022-32213 CVE-2022-32212
                   CVE-2022-2274 CVE-2022-2097 CVE-2022-2068
                   CVE-2022-1292  

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-23-017-03

Comment: CVSS (Max):  9.9 CVE-2022-45092 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-017-03)

Siemens SINEC INS

Original release date: January 17, 2023

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.9
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Siemens
  o Equipment: SINEC INS
  o Vulnerabilities: OS Command Injection, Inadequate Encryption Strength,
    Out-of-bounds Write, HTTP Request Smuggling, Inadequate Encryption
    Strength, Use of Insufficiently Random Values, Authentication Bypass by
    Spoofing, Path Traversal, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
read and write arbitrary files from the file system of the affected component
and to ultimately execute arbitrary code on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the following network services
application:

  o SINEC INS: versions prior to V1.0 SP2 Update 1

3.2 VULNERABILITY OVERVIEW

3.2.1 OS COMMAND INJECTION CWE-78

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, code review found further circumstances where the c_rehash
script does not properly sanitize shell metacharacters to prevent command
injection. When CVE-2022-1292 was fixed, code review did not discover other
places in the script where the file names of hashed certificates were possibly
passed to a command executed through the shell. This script is distributed by
some operating systems in a manner where it is automatically executed. On such
operating systems, an attacker could execute arbitrary commands with the
privileges of the script. Use of the c_rehash script is considered obsolete and
should be replaced by the OpenSSL rehash command line tool.

CVE-2022-2068 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).

3.2.2 OS COMMAND INJECTION CWE-78

An OS command injection vulnerability exists in Node.js versions <14.20.0,
<16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that could easily
be bypassed because IsIPAddress does not properly check whether an IP address is
invalid before making DNS requests, allowing rebinding attacks.

CVE-2022-32212 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:H/A:H ).

3.2.3 INADEQUATE ENCRYPTION STRENGTH CWE-326

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of unwritten data preexisting in
the memory. "In place" encryption could reveal sixteen bytes of the plaintext.
Because OpenSSL does not support OCB based cipher suites for TLS and DTLS, they
are both unaffected.

CVE-2022-2097 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:N/A:N ).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation
for X86_64 CPUs supporting the AVX512IFMA instructions. This issue leads to
incorrect RSA implementation with 2048-bit private keys on such machines, and
memory corruption will happen during the computation. Due to memory corruption,
an attacker could trigger remote code execution on the machine performing the
computation. This issue affects SSL/TLS servers or other servers using 2048-bit
RSA private keys running on machines supporting AVX512IFMA instructions of the
X86_64 architecture.

CVE-2022-2274 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).

3.2.5 HTTP REQUEST SMUGGLING CWE-444

The llhttp parser <v14.20.1, <v16.17.1, and <v18.9.1 in the http module in
Node.js do not correctly parse and validate transfer-encoding headers and could
lead to HTTP request smuggling (HRS).

CVE-2022-32213 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:L/A:N ).

3.2.6 HTTP REQUEST SMUGGLING CWE-444

The llhttp parser <v14.20.1, <v16.17.1, and <v18.9.1 in the http module in
Node.js do not correctly handle multi-line transfer-encoding headers. This
could lead to HTTP request smuggling (HRS).

CVE-2022-32215 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:L/A:N ).

3.2.7 INADEQUATE ENCRYPTION STRENGTH CWE-326

A cryptographic vulnerability exists on Node.js on Linux in versions 18.x prior
to 18.40.0, which allows a default path for openssl.cnf that could be
accessible by a non-admin user under some circumstances, instead of /etc/ssl,
as was the case in versions prior to the upgrade to OpenSSL 3.

CVE-2022-32222 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:L/A:N ).

3.2.8 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Node.js makes calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in
src/crypto/crypto_keygen.cc. However, it does not check the return value; it
assumes EntropySource() always succeeds, but it can (and sometimes will) fail.

CVE-2022-35255 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:N/A:N ).

3.2.9 AUTHENTICATION BYPASS BY SPOOFING CWE-290

The llhttp parser in the http module in Node.js v18.7.0 does not correctly
handle header fields that are not terminated with CRLF. This could result in
HRS.

CVE-2022-35256 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
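As an added example (not llhttp or Node.js code), the following check flags the three request shapes that entries 3.2.5, 3.2.6 and 3.2.9 concern, so a front-end proxy rule or log review can reject or alert on them before a lenient parser and a strict one disagree about where a request ends. The raw request head is the only input; the requests in the test are constructed.

```javascript
// Added example (not llhttp's or Node.js's own code): a strict framing check
// over the raw request head (request line + headers, as one string). It flags
// the shapes from 3.2.5, 3.2.6 and 3.2.9 so a front-end proxy, WAF rule or
// log reviewer can act on them. Returns an array of findings (empty = clean).
function checkRequestFraming(raw) {
  const findings = [];
  const end = raw.indexOf('\r\n\r\n');
  if (end < 0) findings.push('header block not terminated by CRLF CRLF');
  const lines = (end < 0 ? raw : raw.slice(0, end)).split('\r\n');
  const te = [];
  const cl = [];
  for (let i = 1; i < lines.length; i++) { // lines[0] is the request line
    const line = lines[i];
    // 3.2.9: every field must end with CRLF. A bare LF inside a field means a
    // lenient parser sees two headers where a strict one sees one.
    if (line.includes('\n')) {
      findings.push('bare LF inside header line: ' + JSON.stringify(line));
      continue;
    }
    // 3.2.6: a line starting with SP/HT is obs-fold, i.e. a "multi-line"
    // header; RFC 9112 says a recipient must reject it or replace the fold.
    if (/^[ \t]/.test(line)) {
      findings.push('obs-fold continuation line: ' + JSON.stringify(line));
      continue;
    }
    const colon = line.indexOf(':');
    if (colon <= 0 || /[ \t]$/.test(line.slice(0, colon))) {
      findings.push('malformed header line: ' + JSON.stringify(line));
      continue;
    }
    const name = line.slice(0, colon).toLowerCase();
    const value = line.slice(colon + 1).replace(/^[ \t]+|[ \t]+$/g, '');
    if (name === 'transfer-encoding') te.push(value);
    if (name === 'content-length') cl.push(value);
  }
  // 3.2.5: Transfer-Encoding must be a single header whose last coding is
  // exactly "chunked" with plain tokens; TE next to Content-Length is the
  // classic precondition for two parsers disagreeing about the body length.
  if (te.length > 1) findings.push('multiple Transfer-Encoding headers');
  for (const v of te) {
    const codings = v.split(',').map((s) => s.replace(/^[ \t]+|[ \t]+$/g, '').toLowerCase());
    if (codings[codings.length - 1] !== 'chunked' || !codings.every((c) => /^[a-z0-9-]+$/.test(c))) {
      findings.push('unusual Transfer-Encoding value: ' + JSON.stringify(v));
    }
  }
  if (te.length > 0 && cl.length > 0) findings.push('both Transfer-Encoding and Content-Length present');
  if (cl.some((v) => !/^[0-9]+$/.test(v))) findings.push('non-numeric Content-Length');
  return findings;
}
```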

3.2.10 PATH TRAVERSAL CWE-22

An authenticated remote attacker with access to the affected product's
web-based management (443/TCP) could potentially read and write arbitrary files
to and from the device's file system. An attacker could leverage this to
trigger remote code execution on the affected component.

CVE-2022-45092 has been assigned to this vulnerability. A CVSS v3 base score of
9.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:C/C:H/I:H/A:H ).

3.2.11 PATH TRAVERSAL CWE-22

An authenticated remote attacker with access to the web-based management (443/
TCP) of the affected product, as well as with access to the secure file
transfer protocol (SFTP) server of the affected product (22/TCP), could
potentially read and write arbitrary files to and from the device's file
system. An attacker could leverage this to trigger remote code execution on the
affected component.

CVE-2022-45093 has been assigned to this vulnerability. A CVSS v3 base score of
8.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:L/
UI:N/S:C/C:H/I:H/A:H ).

3.2.12 COMMAND INJECTION CWE-77

An authenticated remote attacker with access to the affected product's
web-based management (443/TCP) could potentially inject commands into the
affected product's DHCPD configuration. An attacker could leverage this to
trigger remote code execution on the affected component.

CVE-2022-45094 has been assigned to this vulnerability. A CVSS v3 base score of
8.4 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:H/
UI:N/S:C/C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens released V1.0 SP2 Update 1 for SINEC INS and recommends updating to the
latest version.

Siemens identified the following specific workarounds and mitigations users can
apply to reduce risk:

  o CVE-2022-45094: Disable the DHCP service of the affected product, if not
    required.
  o CVE-2022-45093: Disable the SFTP service of the affected product, if not
    required.

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following the
recommendations in the product manuals. Siemens has published additional
information on industrial security.

For further inquiries on security vulnerabilities in Siemens products, users
should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-332410
in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Ensure the least-privilege user principle is followed.
  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open attachments in unsolicited email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are exploitable remotely. These vulnerabilities have a low
attack complexity.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================