-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1695
          ICS Advisory | ICSA-23-080-07 Siemens SCALANCE Third-Party
                               22 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SCALANCE Third-Party
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23395 CVE-2021-42386 CVE-2021-42385 CVE-2021-42384
                   CVE-2021-42383 CVE-2021-42382 CVE-2021-42381 CVE-2021-42380
                   CVE-2021-42379 CVE-2021-42378 CVE-2021-42377 CVE-2021-42376
                   CVE-2021-42375 CVE-2021-42374 CVE-2021-42373 CVE-2018-25032
                   CVE-2018-12886

Original Bulletin:
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-07

Comment: CVSS (Max):  8.1 CVE-2018-12886 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:
         https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-080-07)
Siemens SCALANCE Third-Party

Release Date
March 21, 2023

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  o CVSS v3 8.1
  o ATTENTION: Exploitable remotely
  o Vendor: Siemens
  o Equipment: Various third-party components used in SCALANCE W-700 devices
  o Vulnerabilities: Generation of Error Message Containing Sensitive
    Information, Out-of-bounds Write, NULL Pointer Dereference, Out-of-bounds
    Read, Improper Input Validation, Release of Invalid Pointer or Reference,
    Use After Free, Prototype Pollution

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
cause a denial-of-service condition or disclose sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected:

  o SCALANCE WAM763-1 (6GK5763-1AL00-7DA0): All versions prior to v2.0
  o SCALANCE WAM766-1 (EU) (6GK5766-1GE00-7DA0): All versions prior to v2.0
  o SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0): All versions prior to v2.0
  o SCALANCE WAM766-1 EEC (EU) (6GK5766-1GE00-7TA0): All versions prior to v2.0
  o SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0): All versions prior to v2.0
  o SCALANCE WUM763-1 (6GK5763-1AL00-3DA0): All versions prior to v2.0
  o SCALANCE WUM763-1 (6GK5763-1AL00-3AA0): All versions prior to v2.0
  o SCALANCE WUM766-1 (EU) (6GK5766-1GE00-3DA0): All versions prior to v2.0
  o SCALANCE WUM766-1 (US) (6GK5766-1GE00-3DB0): All versions prior to v2.0

3.2 VULNERABILITY OVERVIEW

3.2.1 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c
in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances)
generate instruction sequences when targeting ARM targets that spill the
address of the stack protector guard, which allows an attacker to bypass the
protection of -fstack-protector, -fstack-protector-all,
-fstack-protector-strong, and -fstack-protector-explicit against stack
overflow by controlling what the stack canary is compared against.

CVE-2018-12886 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

Zlib versions before 1.2.12 allow memory corruption when deflating (i.e., when
compressing) if the input has many distant matches.

CVE-2018-25032 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference in Busybox's man applet leads to a denial-of-service
condition when a section name is supplied but no page argument is given.

CVE-2021-42373 has been assigned to this vulnerability. A CVSS v3 base score of
5.1 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds heap read in Busybox's unlzma applet leads to an information
leak and a denial-of-service condition when crafted LZMA-compressed input is
decompressed. This can be triggered by any applet/format that internally
supports LZMA compression.

CVE-2021-42374 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

An incorrect handling of a special element in Busybox's ash applet leads to a
denial-of-service condition when processing a crafted shell command, due to
the shell mistaking specific characters for reserved characters. This could be
used for a denial-of-service attack under rare conditions of filtered command
input.

CVE-2021-42375 has been assigned to this vulnerability. A CVSS v3 base score of
4.1 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.2.6 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference in Busybox's hush applet leads to a
denial-of-service condition when processing a crafted shell command, due to
missing validation after a \x03 delimiter character. This may be used for a
denial-of-service attack under very rare conditions of filtered command input.

CVE-2021-42376 has been assigned to this vulnerability. A CVSS v3 base score of
4.1 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.2.7 RELEASE OF INVALID POINTER OR REFERENCE CWE-763

An attacker-controlled pointer free in Busybox's hush applet leads to a
denial-of-service condition and possible code execution when processing a
crafted shell command, due to the shell mishandling the &&& string. This could
be used for remote code execution under rare conditions of filtered command
input.

CVE-2021-42377 has been assigned to this vulnerability. A CVSS v3 base score of
6.4 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.8 USE AFTER FREE CWE-416

A use-after-free in Busybox's awk applet leads to a denial-of-service condition
and possibly code execution when processing a crafted awk pattern in the
getvar_i function.

CVE-2021-42378 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.9 USE AFTER FREE CWE-416

A use-after-free in Busybox's awk applet leads to a denial-of-service condition
and possibly code execution when processing a crafted awk pattern in the
next_input_file function.

CVE-2021-42379 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.10 USE AFTER FREE CWE-416

A use-after-free in awk leads to a denial-of-service condition and possibly
code execution when processing a crafted awk pattern in the clrvar function.

CVE-2021-42380 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.11 USE AFTER FREE CWE-416

A use-after-free in awk leads to a denial-of-service condition and possibly
code execution when processing a crafted awk pattern in the hash_init
function.

CVE-2021-42381 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.12 USE AFTER FREE CWE-416

A use-after-free in awk leads to a denial-of-service condition and possibly
code execution when processing a crafted awk pattern in the getvar_s function.

CVE-2021-42382 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.13 USE AFTER FREE CWE-416

A use-after-free in awk leads to a denial-of-service condition and possibly
code execution when processing a crafted awk pattern in the evaluate function.

CVE-2021-42383 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.14 USE AFTER FREE CWE-416

A use-after-free in Busybox's awk applet leads to a denial-of-service condition
and possibly code execution when processing a crafted awk pattern in the
handle_special function.

CVE-2021-42384 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.15 USE AFTER FREE CWE-416

A use-after-free in awk leads to a denial-of-service condition and possibly
code execution when processing a crafted awk pattern in the evaluate function.

CVE-2021-42385 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.16 USE AFTER FREE CWE-416

A use-after-free in awk leads to a denial-of-service condition and possibly
code execution when processing a crafted awk pattern in the nvalloc function.

CVE-2021-42386 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
3.2.17 IMPROPERLY CONTROLLED MODIFICATION OF OBJECT PROTOTYPE ATTRIBUTES
('PROTOTYPE POLLUTION') CWE-1321

jQuery Cookie 1.4.1 is affected by prototype pollution, which could lead to DOM
cross-site scripting (XSS).

CVE-2022-23395 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends updating the software to v2.0 or later.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. To operate the devices in a
protected IT environment, Siemens recommends users configure the environment
according to Siemens' operational guidelines for Industrial Security and to
follow the recommendations in the product manuals. Additional information on
Industrial Security by Siemens can be found on the Siemens webpage for
Industrial Security.

For further inquiries on security vulnerabilities in Siemens products and
solutions, users should contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-565386
in HTML and CSAF.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing
cyber defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
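The fix condition in section 4 ("update to v2.0 or later") combines with the table
in section 3.1 into a mechanical check: a device is exposed when its article number
is listed and its firmware is below v2.0. The script below is an added example (not
code from Siemens, CISA or AusCERT) that parses the section 3.1 lines as printed and
grades an inventory against them. AFFECTED_TEXT is transcribed from this bulletin;
INVENTORY and its firmware strings are constructed for the example, and the article
number 6GK5000-0XXX0-0AA0 is a placeholder that does not appear in the advisory.

```python
"""Grade a SCALANCE firmware inventory against the affected-product table of this advisory.

Added example; not code from Siemens, CISA or AusCERT. AFFECTED_TEXT is section 3.1 of
the advisory; INVENTORY is constructed and 6GK5000-0XXX0-0AA0 is a placeholder.
"""
import re

AFFECTED_TEXT = """
o SCALANCE WAM763-1 (6GK5763-1AL00-7DA0): All versions prior to v2.0
o SCALANCE WAM766-1 (EU) (6GK5766-1GE00-7DA0): All versions prior to v2.0
o SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0): All versions prior to v2.0
o SCALANCE WAM766-1 EEC (EU) (6GK5766-1GE00-7TA0): All versions prior to v2.0
o SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0): All versions prior to v2.0
o SCALANCE WUM763-1 (6GK5763-1AL00-3DA0): All versions prior to v2.0
o SCALANCE WUM763-1 (6GK5763-1AL00-3AA0): All versions prior to v2.0
o SCALANCE WUM766-1 (EU) (6GK5766-1GE00-3DA0): All versions prior to v2.0
o SCALANCE WUM766-1 (US) (6GK5766-1GE00-3DB0): All versions prior to v2.0
"""

# One advisory line: "o <name> (<article number>): All versions prior to v<version>".
# The article-number pattern requires the two dashes, so a regional suffix such as
# "(EU)" inside the product name is not mistaken for it.
LINE_RE = re.compile(
    r"^o\s+(?P<name>.+?)\s+\((?P<mlfb>[0-9A-Z]{4,}-[0-9A-Z]+-[0-9A-Z]+)\):\s+"
    r"All versions prior to [vV](?P<fixed>\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """'V1.1.0', 'v2.0' or '2.0.1' -> tuple of ints. Anything else raises rather
    than silently grading the device as unaffected."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unrecognised firmware version: %r" % text)
    return tuple(int(x) for x in m.group(1).split("."))


def version_lt(a, b):
    """Numeric comparison with zero padding, so that 2.0 and 2.0.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_affected(text):
    """Map article number -> (product name, first fixed version)."""
    table = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError("unparsed advisory line: %r" % line)
        table[m.group("mlfb")] = (m.group("name"), parse_version(m.group("fixed")))
    return table


# Constructed inventory: (article number, firmware version as reported by the device).
INVENTORY = [
    ("6GK5763-1AL00-7DA0", "V1.1.0"),   # listed, below v2.0
    ("6GK5766-1GE00-3DB0", "V2.0.0"),   # listed, exactly the fixed version
    ("6GK5766-1GE00-7TA0", "V2.1"),     # listed, newer than the fixed version
    ("6GK5000-0XXX0-0AA0", "V1.0"),     # placeholder article number, not in the table
]


def assess(inventory, table):
    """Return one record per device with status 'affected', 'fixed' or 'not listed'."""
    results = []
    for mlfb, version in inventory:
        if mlfb not in table:
            results.append({"mlfb": mlfb, "version": version, "status": "not listed"})
            continue
        name, fixed = table[mlfb]
        status = "affected" if version_lt(parse_version(version), fixed) else "fixed"
        results.append({"mlfb": mlfb, "name": name, "version": version,
                        "fixed_in": "v" + ".".join(map(str, fixed)), "status": status})
    return results


if __name__ == "__main__":
    for record in assess(INVENTORY, parse_affected(AFFECTED_TEXT)):
        print(record)
```

"Not listed" is reported separately from "fixed" on purpose: an article number that
is absent from the table is outside the advisory's scope, not cleared by it, and
should be checked against the Siemens ProductCERT advisory SSA-565386 rather than
treated as safe.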
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities have a high attack complexity.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZBpmc8kNZI30y1K9AQijVRAAnZYPJn3b1TcJmuH2n391qd+AuljhzkUy
uWFeJrCC8v9KmGLE/ZNoj5gTprPpgVm3b59WR7gwaJmVht1ne20dtSqNMH4o+W4L
m7S40dE63j/7eJALgCBdfc3XpQGGr/q66uxeGjk3ajli8MfQR0bbBzLblL/bNo6g
qXt50IcfiqXxZIY1ciy7ftFMla03zXnZKkoO3YoGiMswYGJvywMVWqmYPYaIina8
6WbZstKvaoaNH2CtkPSy8PcGNvu7t6kAAkUnQ5yNy/tKiGUklYXXC+0owx0jleYk
fa6jar4hqMqQxdIQFgC9askrOtoVaY6Insfc4b2WttDxe5tpmAqKU46+4I1a0K67
F/e94I7Zi8slnCZN1YPVeoxlzAEIkl8HIkXweaj+P6T8MQ3lo7gnhjDKBpDNe4u/
Fngnz5UuOWTxfKfbHOm30YN+hnkEPOCaGQlG0AxNhLDFEdDdM0gqNNQIBn2XTT7Z
rvTGQAdWTAkTqijk/eG1GEJ1Tz9BrxL7PIdX6hYMUgE8k7UgBLnbyWwc5mPlwnnf
9M/mWKO+fkAfekQOpwj97ZJePoGBd3mjdf52rnC8AAjkPnJxIcaCD0+CFfEK4od1
zR0oCH8LotcJKJ23O0QNfaAMwEcO2JFhO4fKHzH5W6AP+qzUzl+bLgoQE+e+kXNl
ZraPEnC620A=
=6op/
-----END PGP SIGNATURE-----