-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.6826
            ICS Advisory | ICSA-23-320-13 Siemens SIMATIC MV500
                             17 November 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SIMATIC MV500
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-35788 CVE-2023-3817 CVE-2023-3446
                   CVE-2023-2975 CVE-2022-44793 CVE-2022-44792
                   CVE-2022-23219 CVE-2022-23218 

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-13

Comment: CVSS (Max):  9.8 CVE-2022-23219 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-320-13)

Siemens SIMATIC MV500

Release Date
November 16, 2023

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Siemens
  o Equipment: SIMATIC MV500
  o Vulnerabilities: Classic Buffer Overflow, NULL Pointer Dereference,
    Improper Authentication, Inefficient Regular Expression Complexity,
    Excessive Iteration, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
achieve a denial-of-service condition, arbitrary code execution, or escalate
privileges.

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o SIMATIC MV500 family: Versions prior to V3.3.5

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

The deprecated compatibility function svcunix_create in the sunrpc module of
the GNU C Library (aka glibc) through 2.34 copies its path argument on the
stack without validating its length, which may result in a buffer overflow,
potentially resulting in a denial of service or (if an application is not built
with a stack protector enabled) arbitrary code execution.

CVE-2022-23218 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

The deprecated compatibility function clnt_create in the sunrpc module of the
GNU C Library (aka glibc) through 2.34 copies its hostname argument on the
stack without validating its length, which may result in a buffer overflow,
potentially resulting in a denial of service or (if an application is not built
with a stack protector enabled) arbitrary code execution.

CVE-2022-23219 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
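The two glibc issues above (3.2.1 and 3.2.2) share one root cause: a caller-supplied string copied into a fixed-size stack buffer with no length check. The C code below is an added example, not glibc's code; it shows the check that was missing, using sockaddr_un.sun_path as a stand-in for the fixed buffer, and the names fill_unix_addr(), unix_path_max(), unix_path_accepted() and accepts_path_of_length() are constructed here.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Added example, not glibc's code. CVE-2022-23218/-23219: svcunix_create() and
 * clnt_create() copied a caller-supplied path or hostname into a fixed-size
 * stack buffer without checking its length. The hardened form below measures
 * the input against the destination (sun_path here) and rejects it. */

/* Longest path that fits in sun_path together with its terminating NUL. */
size_t unix_path_max(void)
{
    return sizeof(((struct sockaddr_un *)0)->sun_path) - 1;
}

/* Fill *addr from path. Returns 0 on success, -1 if path is NULL, empty or
 * too long for sun_path. Never writes past the end of the structure. */
int fill_unix_addr(struct sockaddr_un *addr, const char *path)
{
    size_t len;
    if (addr == NULL || path == NULL)
        return -1;
    /* Bounded scan: stop at the NUL or one byte past the largest legal length. */
    for (len = 0; len <= unix_path_max() && path[len] != '\0'; len++) {}
    if (len == 0 || len > unix_path_max())
        return -1;                            /* reject, do not truncate silently */
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1);    /* len + 1 <= sizeof(sun_path) */
    return 0;
}

/* 1 if path would be accepted by fill_unix_addr(), 0 if rejected. */
int unix_path_accepted(const char *path)
{
    struct sockaddr_un sa;
    return fill_unix_addr(&sa, path) == 0;
}

/* Constructed input: a path of `len` 'A' bytes, the shape an unchecked copy
 * would overflow on. Returns the accept/reject verdict for that length. */
int accepts_path_of_length(size_t len)
{
    static char buf[1024];
    if (len >= sizeof(buf)) return 0;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return unix_path_accepted(buf);
}
```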

3.2.3 NULL POINTER DEREFERENCE CWE-476

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8
through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote
attacker (who has write access) to cause the instance to crash via a crafted
UDP packet, resulting in denial of service.

CVE-2022-44792 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.4 NULL POINTER DEREFERENCE CWE-476

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3
through 5.9.3 has a NULL pointer exception bug that can be used by a remote
attacker to cause the instance to crash via a crafted UDP packet, resulting in
denial of service.

CVE-2022-44793 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.5 IMPROPER AUTHENTICATION CWE-287

The AES-SIV cipher implementation contains a bug that causes it to ignore empty
associated data entries which are unauthenticated as a consequence. Impact
summary: Applications that use the AES-SIV algorithm and want to authenticate
empty data entries as associated data can be misled by removing, adding, or
reordering such empty entries as these are ignored by the OpenSSL
implementation. We are currently unaware of any such applications. The AES-SIV
algorithm allows for authentication of multiple associated data entries along
with the encryption. To authenticate empty data the application has to call
EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output
buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL
just returns success for such a call instead of performing the associated data
authentication operation. The empty data thus will not be authenticated. As
this issue does not affect non-empty associated data authentication and we
expect it to be rare for an application to use empty associated data entries
this is qualified as a Low severity issue.

CVE-2023-2975 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.6 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Checking excessively long DH keys or parameters may be very slow. Impact
summary: Applications that use the functions DH_check(), DH_check_ex() or
EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service. The function
DH_check() performs various checks on DH parameters. One of those checks
confirms that the modulus ('p' parameter) is not too large. Trying to use a
very large modulus is slow and OpenSSL will not normally use a modulus which is
over 10,000 bits in length. However, the DH_check() function checks numerous
aspects of the key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found to be too
large. An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial-of-Service
attack. The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may similarly be
affected. The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam
command line applications when using the '-check' option. The OpenSSL SSL/TLS
implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS
providers are not affected by this issue.

CVE-2023-3446 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.7 EXCESSIVE ITERATION CWE-834

Checking excessively long DH keys or parameters may be very slow. Impact
summary: Applications that use the functions DH_check(), DH_check_ex() or
EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service. The function
DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446
it was discovered that a large q parameter value can also trigger an overly
long computation during some of these checks. A correct q value, if present,
cannot be larger than the modulus p parameter, thus it is unnecessary to
perform these checks if q is larger than p. An application that calls
DH_check() and supplies a key or parameters obtained from an untrusted source
could be vulnerable to a Denial-of-Service attack. The function DH_check() is
itself called by a number of other OpenSSL functions. An application calling
any of
those other functions may similarly be affected. The other functions affected
by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the
OpenSSL dhparam and pkeyparam command line applications when using the "-check"
option. The OpenSSL SSL/TLS implementation is not affected by this issue. The
OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

CVE-2023-3817 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
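For 3.2.6 and 3.2.7 the defensive measure the text implies is to reject oversized or inconsistent parameters before DH_check() ever runs on untrusted input. The C code below is an added example, not OpenSSL's code: dh_params_safe_to_check(), mag_bit_length(), mag_cmp() and demo_modulus_of_bits() are constructed names, and it assumes p and q arrive as big-endian byte strings (the form BN_bin2bn() consumes).

```c
#include <stdint.h>
#include <string.h>

/* Added example, not OpenSSL's code: a pre-check for DH parameters from an
 * untrusted source, applied before DH_check(), DH_check_ex() or
 * EVP_PKEY_param_check(). p and q are big-endian magnitudes; q may be NULL.
 * Rules from the advisory: p at most 10,000 bits, and q < p when present. */
#define MAX_MODULUS_BITS 10000

/* Drop leading 0x00 octets so lengths reflect magnitude, not encoding. */
static void strip_zeros(const uint8_t **m, size_t *n) { while (*n > 1 && **m == 0) { (*m)++; (*n)--; } }

size_t mag_bit_length(const uint8_t *m, size_t n)   /* 0 for the value zero */
{
    size_t bits;
    uint8_t top;
    strip_zeros(&m, &n);
    if (n == 0 || (top = m[0]) == 0) return 0;
    for (bits = n * 8; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

int mag_cmp(const uint8_t *a, size_t an, const uint8_t *b, size_t bn)
{
    int r;
    strip_zeros(&a, &an);
    strip_zeros(&b, &bn);
    if (an != bn) return an < bn ? -1 : 1;
    r = memcmp(a, b, an);
    return (r > 0) - (r < 0);
}

/* 1 = safe to hand to DH_check(), 0 = reject before running the slow checks. */
int dh_params_safe_to_check(const uint8_t *p, size_t pn, const uint8_t *q, size_t qn)
{
    size_t bits = mag_bit_length(p, pn);
    if (bits == 0 || bits > MAX_MODULUS_BITS) return 0;    /* zero or oversized p */
    if (q != NULL && mag_cmp(q, qn, p, pn) >= 0) return 0;  /* q cannot exceed p */
    return 1;
}

/* Constructed probe: a modulus of exactly `bits` bits (bits % 8 == 0), no q. */
int demo_modulus_of_bits(size_t bits)
{
    static uint8_t buf[2048];
    size_t n = bits / 8;
    if (n == 0 || n > sizeof(buf)) return 0;
    memset(buf, 0, n);
    buf[0] = 0x80;                      /* top bit set: exactly n * 8 bits */
    return dh_params_safe_to_check(buf, n, NULL, 0);
}
```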

3.2.8 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the
Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower
classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in
denial of service or privilege escalation.

CVE-2023-35788 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:

  o SIMATIC MV500 family: Update to V3.3.5 or later version

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-099606 in
HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities, such as:

  o Minimize network exposure for all control system devices and/or systems,
    ensuring they are not accessible from the internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use more secure methods, such as Virtual
    Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be
    updated to the most recent version available, and are only as secure as the
    connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense
best practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open attachments in unsolicited email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.

5. UPDATE HISTORY

  o November 16, 2023: Initial Publication

This product is provided subject to this Notification and this Privacy & Use 
policy.

Vendor

Siemens

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----