Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.1012
ICS Advisory | ICSA-24-046-15 Siemens SINEC NMS
16 February 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SINEC NMS
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2024-23812 CVE-2024-23811 CVE-2024-23810
CVE-2023-46120 CVE-2023-41080 CVE-2023-39418
CVE-2023-39417 CVE-2023-38546 CVE-2023-38545
CVE-2023-38199 CVE-2023-38039 CVE-2023-35945
CVE-2023-34035 CVE-2023-32559 CVE-2023-32558
CVE-2023-32067 CVE-2023-32006 CVE-2023-32005
CVE-2023-32004 CVE-2023-32003 CVE-2023-32002
CVE-2023-31147 CVE-2023-31130 CVE-2023-31124
CVE-2023-30590 CVE-2023-30589 CVE-2023-30588
CVE-2023-30587 CVE-2023-30586 CVE-2023-30585
CVE-2023-30584 CVE-2023-30583 CVE-2023-30582
CVE-2023-30581 CVE-2023-28709 CVE-2023-28322
CVE-2023-28321 CVE-2023-28320 CVE-2023-28319
CVE-2023-27538 CVE-2023-27537 CVE-2023-27536
CVE-2023-27535 CVE-2023-27534 CVE-2023-27533
CVE-2023-27522 CVE-2023-25690 CVE-2023-24998
CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
CVE-2023-2650 CVE-2023-2455 CVE-2023-2454
CVE-2023-1255 CVE-2023-0401 CVE-2023-0286
CVE-2023-0217 CVE-2023-0216 CVE-2023-0215
CVE-2022-4450 CVE-2022-4304 CVE-2022-4203
Original Bulletin:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-15
Comment: CVSS (Max): 9.8 CVE-2023-38545 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-24-046-15)
Siemens SINEC NMS
Release Date
February 15, 2024
As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION : Exploitable remotely/low attack complexity
o Vendor : Siemens
o Equipment : SINEC NMS
o Vulnerabilities : Out-of-bounds Read, Inadequate Encryption Strength,
Double Free, Use After Free, NULL Pointer Dereference, Improper Input
Validation, Missing Encryption of Sensitive Data, Allocation of Resources
Without Limits or Throttling, Improper Authentication, Inefficient Regular
Expression Complexity, Excessive Iteration, HTTP Request/Response
Smuggling, Injection, Path Traversal, Race Condition, Improper Certificate
Validation, Off-by-one Error, Missing Authorization, Use of Insufficiently
Random Values, Buffer Underflow, Incorrect Permission Assignment for
Critical Resource, Uncontrolled Resource Consumption, Incorrect
Authorization, Type Confusion, Heap-based Buffer Overflow, SQL Injection,
Open Redirect, Unrestricted Upload of File with Dangerous Type, OS Command
Injection
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in a information
dislosure, authentication bypass, unauthorized modification, arbitrary code
execution, or denial of service.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following network management systems are affected:
o SINEC NMS: All versions prior to V2.0 SP1
3.2 Vulnerability Overview
3.2.1 OUT-OF-BOUNDS READ CWE-125
A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to have
signed the malicious certificate or for the application to continue certificate
verification despite failure to construct a path to a trusted issuer. The read
buffer overrun might result in a crash which could lead to a denial-of-service
condition. In theory it could also result in the disclosure of private memory
contents (such as private keys, or sensitive plaintext) although we are not
aware of any working exploit leading to memory contents disclosure as of the
time of release of this advisory. In a TLS client, this can be triggered by
connecting to a malicious server. In a TLS server, this can be triggered if the
server requests client authentication and a malicious client connects.
CVE-2022-4203 has been assigned to this vulnerability. A CVSS v3 base score of
4.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:H/
UI:N/S:U/C:N/I:N/A:H ).
3.2.2 INADEQUATE ENCRYPTION STRENGTH CWE-326
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by
a client to send an encrypted pre-master secret to the server. An attacker that
has observed a genuine connection between a client and a server could use this
flaw to send trial messages to the server and record the time taken to process
them. After a sufficiently large number of messages, the attacker could recover
the pre-master secret used for the original connection and thus be able to
decrypt the application data sent over that connection.
CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.3 DOUBLE FREE CWE-415
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds, then the "name_out", "header" and "data" arguments
are populated with pointers to buffers containing the relevant decoded data.
The caller is responsible for freeing those buffers. It is possible to
construct a PEM file that results in 0 bytes of payload data. In this case
PEM_read_bio_ex() will return a failure code but will populate the header
argument with a pointer to a buffer that has already been freed. If the caller
also frees this buffer then a double free will occur. This will most likely
lead to a crash. This could be exploited by an attacker who has the ability to
supply malicious PEM files for parsing to achieve a denial-of-service
condition. The functions PEM_read_bio() and PEM_read() are simple wrappers
around PEM_read_bio_ex() and therefore these functions are also directly
affected. These functions are also called indirectly by a number of other
OpenSSL functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal
uses of these functions are not vulnerable because the caller does not free the
header argument if PEM_read_bio_ex() returns a failure code. These locations
include the PEM_read_bio_TYPE() functions as well as the decoders introduced in
OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by
this issue.
CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.4 USE AFTER FREE CWE-416
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications. The function receives a BIO from the caller, prepends a
new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then
returns the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO is
freed and the function returns a NULL result indicating a failure. However, in
this case, the BIO chain is not properly cleaned up and the BIO passed by the
caller still retains internal pointers to the previously freed filter BIO. If
the caller then goes on to call BIO_pop() on the BIO then a use-after-free will
occur. This will most likely result in a crash. This scenario occurs directly
in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be
called and will subsequently call BIO_pop() on the BIO. This internal function
is in turn called by the public API functions PEM_write_bio_ASN1_stream,
PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1,
SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be
impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7,
i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command
line applications are similarly affected.
CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.5 NULL POINTER DEREFERENCE CWE-476
An invalid pointer dereference on read can be triggered when an application
tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or
d2i_PKCS7_fp() functions. The result of the dereference is an application crash
which could lead to a denial-of-service condition. The TLS implementation in
OpenSSL does not call this function however third party applications might call
these functions on untrusted data.
CVE-2023-0216 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.6 NULL POINTER DEREFERENCE CWE-476
An invalid pointer dereference on read can be triggered when an application
tries to check a malformed DSA public key by the EVP_PKEY_public_check()
function. This will most likely lead to an application crash. This function can
be called on public keys supplied from untrusted sources which could allow an
attacker to cause a denial of service attack. The TLS implementation in OpenSSL
does not call this function but applications might call the function if there
are additional security requirements imposed by standards such as FIPS 140-3.
CVE-2023-0217 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.7 IMPROPER INPUT VALIDATION CWE-20
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted
by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING. When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.
CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:N/A:H ).
3.2.8 NULL POINTER DEREFERENCE CWE-476
A NULL pointer can be dereferenced when signatures are being verified on PKCS7
signed or signed-and-enveloped data. In case the hash algorithm used for the
signature is known to the OpenSSL library, but the implementation of the hash
algorithm is not available, the digest initialization will fail. There is a
missing check for the return value from the initialization function, which
later leads to invalid usage of the digest API, most likely leading to a crash.
The unavailability of an algorithm can be caused by using FIPS enabled
configuration of providers, or more commonly by not loading the legacy
provider. PKCS7 data is processed by the SMIME library calls and also by the
time stamp (TS) library calls. The TLS implementation in OpenSSL does not call
these functions, however third party applications would be affected if they
call these functions to verify signatures on untrusted data.
CVE-2023-0401 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.9 OUT-OF-BOUNDS READ CWE-125
The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a
bug that could cause it to read past the input buffer, leading to a crash.
Applications that use the AES-XTS algorithm on the 64 bit ARM platform can
crash in rare circumstances. The AES-XTS algorithm is usually used for disk
encryption. The AES-XTS cipher decryption implementation for 64 bit ARM
platform will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after
the ciphertext buffer is unmapped, this will trigger a crash which results in a
denial of service. If an attacker can control the size and location of the
ciphertext buffer being decrypted by an application using AES-XTS on 64 bit
ARM, the application is affected. This is fairly unlikely making this issue a
low severity one.
CVE-2023-1255 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.10 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
schema_element defeats protective search_path changes; it was found that
certain database calls in PostgreSQL could permit an authenticated attacker
with elevated database-level privileges to execute arbitrary code.
CVE-2023-2454 has been assigned to this vulnerability. A CVSS v3 base score of
7.2 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:H/
UI:N/S:U/C:H/I:H/A:H ).
3.2.11 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
Row security policies disregard user ID changes after inlining; PostgreSQL
could permit incorrect policies to be applied in certain cases where
role-specific policies are used and a given query is planned under one role and
then executed under other roles. This scenario can happen under security
definer functions or when a common user and query is planned initially and then
re-used across multiple SET ROLEs. Applying an incorrect policy may permit a
user to complete otherwise-forbidden reads and modifications. This affects only
databases that have used CREATE POLICY to define a row security policy.
CVE-2023-2455 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:L/I:L/A:N ).
3.2.12 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
Processing some specially crafted ASN.1 object identifiers or data containing
them may be very slow. Applications that use OBJ_obj2txt() directly, or use any
of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no
message size limit may experience notable to very long delays when processing
those messages, which may lead to a denial of service. An OBJECT IDENTIFIER is
composed of a series of numbers - sub-identifiers - most of which have no size
limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given
in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical
numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in
decimal form, separated by periods. When one of the sub-identifiers in the
OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly
large, taking up tens or hundreds of kBs), the translation to a decimal number
in text may take a very long time. The time complexity is O(square(n)) with 'n'
being the size of the sub-identifiers in bytes. With OpenSSL 3.0, support to
fetch cryptographic algorithms using names / identifiers in string form was
introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text
form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be
received through the ASN.1 structure AlgorithmIdentifier, which is commonly
used in multiple protocols to specify what cryptographic algorithm should be
used to sign or verify, encrypt or decrypt, or digest passed data. Applications
that call OBJ_obj2txt() directly with untrusted data are affected, with any
version of OpenSSL. If the use is for the mere purpose of display, the severity
is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP,
PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509
certificates, including simple things like verifying its signature. The impact
on TLS is relatively low, because all versions of OpenSSL have a 100 kB limit
on the peer's certificate chain. Additionally, this only impacts clients, or
servers that have explicitly enabled client authentication. In OpenSSL 1.1.1
and 1.0.2, this only affects displaying diverse objects, such as X.509
certificates. This is assumed to not happen in such a way that it would cause a
denial of service, so these versions are considered not affected by this issue
in such a way that it would be cause for concern, and the severity is therefore
considered low.
CVE-2023-2650 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:N/I:N/A:H ).
3.2.13 IMPROPER AUTHENTICATION CWE-287
The AES-SIV cipher implementation contains a bug that causes it to ignore empty
associated data entries which are unauthenticated as a consequence.
Applications that use the AES-SIV algorithm and want to authenticate empty data
entries as associated data can be mislead by removing adding or reordering such
empty entries as these are ignored by the OpenSSL implementation. The AES-SIV
algorithm allows for authentication of multiple associated data entries along
with the encryption. To authenticate empty data, the application has to call
EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output
buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL
just returns success for such a call instead of performing the associated data
authentication operation. The empty data thus will not be authenticated. As
this issue does not affect non-empty associated data authentication and we
expect it to be rare for an application to use empty associated data entries,
this is qualified as low severity issue.
CVE-2023-2975 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:L/A:N ).
3.2.14 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333
Checking excessively long DH keys or parameters may be very slow. Applications
that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to
check a DH key or DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an untrusted source
this may lead to a denial of service. The function DH_check() performs various
checks on DH parameters. One of those checks confirms that the modulus ('p'
parameter) is not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However, the DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the supplied
modulus value, even if it has already been found to be too large. An
application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a denial-of-service attack. The
function DH_check() is itself called by a number of other OpenSSL functions. An
application calling any of those other functions may similarly be affected. The
other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option. The OpenSSL SSL/TLS implementation is not
affected by this issue. OpenSSL 3.0 and 3.1 FIPS providers are not affected by
this issue.
CVE-2023-3446 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:L ).
3.2.15 EXCESSIVE ITERATION CWE-834
Checking excessively long DH keys or parameters may be very slow. Applications
that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to
check a DH key or DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an untrusted source
this may lead to a denial of service. The function DH_check() performs various
checks on DH parameters. After fixing CVE-2023-3446, it was discovered that a
large q parameter value can also trigger an overly long computation during some
of these checks. A correct q value, if present, cannot be larger than the
modulus p parameter, thus it is unnecessary to perform these checks if q is
larger than p. An application that calls DH_check() and supplies a key or
parameters obtained from an untrusted source could be vulnerable to a
denial-of-service attack. The function DH_check() is itself called by a number
of other OpenSSL functions. An application calling any of those other functions
may similarly be affected. The other functions affected by this are DH_check_ex
() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and
pkeyparam command line applications when using the "-check" option. The OpenSSL
SSL/TLS implementation is not affected by this issue. OpenSSL 3.0 and 3.1 FIPS
providers are not affected by this issue.
CVE-2023-3817 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:L ).
3.2.16 INCONSISTENT INTERPRETATION OF HTTP REQUESTS ('HTTP REQUEST/RESPONSE
SMUGGLING') CWE-444
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through
2.4.55 allow a HTTP request smuggling attack. Configurations are affected when
mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in
which a non-specific pattern matches some portion of the user-supplied
request-target (URL) data and is then re-inserted into the proxied
request-target using variable substitution. Request splitting/smuggling could
result in bypass of access controls in the proxy server, proxying unintended
URLs to existing origin servers, and cache poisoning.
CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.17 INCONSISTENT INTERPRETATION OF HTTP REQUESTS ('HTTP REQUEST/RESPONSE
SMUGGLING') CWE-444
HTTP response smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi
affects Apache HTTP Server from 2.4.30 through 2.4.55. Special characters in
the origin response header can truncate/split the response forwarded to the
client.
CVE-2023-27522 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.18 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74
A vulnerability in input validation in curl <8.0 during communication using the
TELNET protocol may allow an attacker to pass on maliciously crafted user name
and "telnet options" during server negotiation. The lack of proper input
scrubbing allows an attacker to send content or perform option negotiation
without the application's intent. This vulnerability could be exploited if an
application allows user input, thereby enabling attackers to execute arbitrary
code on the system.
CVE-2023-27533 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).
3.2.19 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
A path traversal vulnerability in curl <8.0.0 SFTP implementation causes the
tilde () character to be wrongly replaced when used as a prefix in the first
path element in addition to its intended use as the first element to indicate a
path relative to the user's home directory. Attackers can exploit this flaw to
bypass filtering or execute arbitrary code by crafting a path like /2/foo while
accessing a server with a specific user.
CVE-2023-27534 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.2.20 IMPROPER AUTHENTICATION CWE-287
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP
connection reuse feature that can result in wrong credentials being used during
subsequent transfers. Previously created connections are kept in a connection
pool for reuse if they match the current setup. However, certain FTP settings
such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration
match checks, causing them to match too easily. This could lead to libcurl
using the wrong credentials when performing a transfer, potentially allowing
unauthorized access to sensitive information.
CVE-2023-27535 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:N/A:N ).
3.2.21 IMPROPER AUTHENTICATION CWE-287
An authentication bypass vulnerability exists in libcurl <8.0.0 in the
connection reuse feature which can reuse previously established connections
with incorrect user permissions due to a failure to check for changes in the
CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/
negotiate/GSSAPI transfers and could potentially result in unauthorized access
to sensitive information. The safest option is to not reuse connections if the
CURLOPT_GSSAPI_DELEGATION option has been changed.
CVE-2023-27536 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:N/A:N ).
3.2.22 DOUBLE FREE CWE-415
A double-free vulnerability exists in libcurl <8.0.0 when sharing HSTS data
between separate "handles". This sharing was introduced without considerations
for doing this sharing across separate threads but there was no indication of
this fact in the documentation. Due to missing mutexes or thread locks, two
threads sharing the same HSTS data could end up doing a double free or use
after free.
CVE-2023-27537 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.23 IMPROPER INPUT VALIDATION CWE-20
libcurl reuses a previously created connection even when an SSH related option
has been changed that should prohibit reuse. libcurl keeps previously used
connections in a connection pool for subsequent transfers to reuse if one of
them matches the setup. However, two SSH settings were left out from the
configuration match checks, making them match too easily.
CVE-2023-27538 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.24 USE AFTER FREE CWE-416
A use-after-free vulnerability exists in curl <v8.1.0 in the way libcurl offers
a feature to verify an SSH server's public key using a SHA 256 hash. When this
check fails, libcurl frees the memory for the fingerprint before it returns an
error message containing the (now freed) hash. This flaw risks inserting
sensitive heap-based data into the error message that might be shown to users
or otherwise get leaked and revealed.
CVE-2023-28319 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:N/A:N ).
3.2.25 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362
A denial-of-service vulnerability exists in curl <v8.1.0 in the way libcurl
provides several different backends for resolving host names, selected at build
time. If it is built to use the synchronous resolver, it allows name
resolutions to time-out slow operations using alarm() and siglongjmp(). When
doing this, libcurl used a global buffer that was not mutex protected and a
multi-threaded application might therefore crash or otherwise misbehave.
CVE-2023-28320 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.26 IMPROPER CERTIFICATE VALIDATION CWE-295
An improper certificate validation vulnerability exists in curl <v8.1.0 in the
way it supports matching of wildcard patterns when listed as "Subject
Alternative Name" in TLS server certificates. curl can be built to use its own
name matching function for TLS rather than one provided by a TLS library. This
private wildcard matching function would match IDN (International Domain Name)
hosts incorrectly and could, as a result, accept patterns that otherwise should
mismatch. IDN hostnames are converted to puny code before used for certificate
checks. Puny coded names always start with xn-- and should not be allowed to
pattern match, but the wildcard check in curl could still check for x*, which
would match even though the IDN name most likely contained nothing even
resembling an x.
CVE-2023-28321 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.27 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP
(S) transfers. libcurl might erroneously use the read callback
(CURLOPT_READFUNCTION) to ask for data to send, even when the
CURLOPT_POSTFIELDS option has been set, if the same handle previously was used
to issue a PUT request which used that callback. This flaw may surprise the
application and cause it to misbehave and either send the wrong data or use
memory after free or similar in the second transfer. The problem exists in the
logic for a reused handle when it is (expected to be) changed from a PUT to a
POST.
CVE-2023-28322 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:L/I:N/A:N ).
3.2.28 OFF-BY-ONE ERROR CWE-193
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to
11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If
non-default HTTP connector settings were used such that the maxParameterCount
could be reached using query string parameters and a request was submitted that
supplied exactly maxParameterCount parameters in the query string, the limit
for uploaded request parts could be bypassed with the potential for a denial of
service to occur.
CVE-2023-28709 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.29 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
The use of proto in process.mainModule. proto .require() can bypass the policy
mechanism and require modules outside of the policy.json definition. This
vulnerability affects all users using the experimental policy mechanism in all
active release lines: v16, v18 and, v20. Please note that at the time this CVE
was issued, the policy was an experimental feature of Node.js
CVE-2023-30581 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.30 IMPROPER INPUT VALIDATION CWE-20
A vulnerability in Node.js affects users of the experimental permission model
when the --allow-fs-read flag is used with a non-* argument. This flaw arises
from an inadequate permission model that fails to restrict file watching
through the fs.watchFile API. As a result, malicious actors can monitor files
that they do not have explicit read access to.
CVE-2023-30582 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:N/A:N ).
3.2.31 IMPROPER INPUT VALIDATION CWE-20
fs.openAsBlob() can bypass the experimental permission model when using the
file system read restriction with the --allow-fs-read flag in Node.js. This
vulnerability arises from a missing check in the fs.openAsBlob() API.
CVE-2023-30583 has been assigned to this vulnerability. A CVSS v3 base score of
6.2 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:N/S:U/C:H/I:N/A:N ).
3.2.32 IMPROPER INPUT VALIDATION CWE-20
A vulnerability in the experimental permission model of Node.js leads to
improper handling of path traversal bypass when verifying file permissions.
CVE-2023-30584 has been assigned to this vulnerability. A CVSS v3 base score of
7.7 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:N ).
3.2.33 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
A vulnerability has been identified in the Node.js (.msi version) installation
process, specifically affecting Windows users who install Node.js using the
.msi installer. This vulnerability emerges during the repair operation where
the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context,
attempts to read the %USERPROFILE% environment variable from the current user's
registry. The issue arises when the path referenced by the %USERPROFILE%
environment variable does not exist. In such cases, the "msiexec.exe" process
attempts to create the specified path in an unsafe manner, potentially leading
to the creation of arbitrary folders in arbitrary locations. The severity of
this vulnerability is heightened by the fact that the %USERPROFILE% environment
variable in the Windows registry can be modified by standard (or
"non-privileged") users. Consequently, unprivileged actors, including malicious
entities or trojans, can manipulate the environment variable key to deceive the
privileged "msiexec.exe" process. This manipulation can result in the creation
of folders in unintended and potentially malicious locations.
CVE-2023-30585 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.34 MISSING AUTHORIZATION CWE-862
A privilege escalation vulnerability exists in Node.js 20 that allows loading
arbitrary OpenSSL engines when the experimental permission model is enabled,
which can bypass and/or disable the permission model. However, the
crypto.setEngine() API can be used to bypass the permission model when called
with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable
the permission model in the host process by manipulating the process's stack
memory to locate the permission model Permission::enabled_ in the host
process's heap memory. Please note that at the time this CVE was issued, the
permission model was an experimental feature of Node.js.
CVE-2023-30586 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.35 IMPROPER INPUT VALIDATION CWE-20
A vulnerability in Node.js allows for bypassing restrictions set by the
- --experimental-permission flag using the built-in inspector module
(node:inspector). By exploiting the Worker class's ability to create an
"internal worker" with the kIsInternal Symbol, attackers can modify the
isInternal value when an inspector is attached within the Worker constructor
before initializing a new WorkerImpl.
CVE-2023-30587 has been assigned to this vulnerability. A CVSS v3 base score of
6.2 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.36 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
When an invalid public key is used to create an x509 certificate using the
crypto.X509Certificate() API, a non-expect termination occurs making it
susceptible to denial-of-service attacks when the attacker could force
interruptions of application processing, as the process terminates when
accessing public key info of provided certificates from user code. The current
context of the users will be gone, and that will cause a denial-of-service
scenario. This vulnerability affects all active Node.js versions v16, v18, and,
v20.
CVE-2023-30588 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:L ).
3.2.37 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
The llhttp parser in the http module in Node v20.2.0 does not strictly use the
CRLF sequence to delimit HTTP requests. This can lead to HTTP request
smuggling. The CR character (without LF) is sufficient to delimit HTTP header
fields in the llhttp parser. According to RFC7230 section 3, only the CRLF
sequence should delimit each header-field. This impacts all Node.js active
versions: v16, v18, and, v20
CVE-2023-30589 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.38 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
The generateKeys() API function returned from crypto.createDiffieHellman() only
generates missing (or outdated) keys. It only generates a private key if none
has been set yet, but the function is also needed to compute the corresponding
public key after calling setPrivateKey(). However, the documentation says this
API call: "Generates private and public Diffie-Hellman key values". The
documented behavior is very different from the actual behavior, and this
difference could easily lead to security issues in applications that use these
APIs as the DiffieHellman may be used as the basis for application-level
security, implications are consequently broad.
CVE-2023-30590 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.39 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330
c-ares is an asynchronous resolver library. When cross-compiling c-ares and
using the autotools build system, CARES_RANDOM_FILE will not be set, as seen
when cross-compiling aarch64 android. This will downgrade to using rand() as a
fallback which could allow an attacker to take advantage of the lack of entropy
by not using a CSPRNG. This issue was patched in version 1.19.1.
CVE-2023-31124 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:L/A:N ).
3.2.40 BUFFER UNDERWRITE ('BUFFER UNDERFLOW') CWE-124
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable
to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2"
was found to cause an issue. c-ares only uses this function internally for
configuration purposes which would require an administrator to configure such
an address via ares_set_sortlist(). However, users may externally use
ares_inet_net_pton() for other purposes and thus be vulnerable to more severe
issues. This issue has been fixed in 1.19.1.
CVE-2023-31130 has been assigned to this vulnerability. A CVSS v3 base score of
4.1 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:H/
UI:N/S:U/C:N/I:N/A:H ).
3.2.41 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom()
are unavailable, c-ares uses rand() to generate random numbers used for DNS
query ids. This is not a CSPRNG, and it is also not seeded by srand() so will
generate predictable output. Input from the random number generator is fed into
a non-compilant RC4 implementation and may not be as strong as the original RC4
implementation. No attempt is made to look for modern OS-provided CSPRNGs like
arc4random() that is widely available. This issue has been fixed in version
1.19.1.
CVE-2023-31147 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.42 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
The use of Module._load() can bypass the policy mechanism and require modules
outside of the policy.json definition for a given module. This vulnerability
affects all users using the experimental policy mechanism in all active release
lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued,
the policy was an experimental feature of Node.js.
CVE-2023-32002 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.43 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model
check using a path traversal attack. This flaw arises from a missing check in
the fs.mkdtemp() API and could allow a malicious actor to create an arbitrary
directory. This vulnerability affects all users using the experimental
permission model in Node.js 20. Please note that at the time this CVE was
issued, the permission model was an experimental feature of Node.js.
CVE-2023-32003 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:L/A:N ).
3.2.44 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
A vulnerability has been discovered in Node.js version 20, specifically within
the experimental permission model. This flaw relates to improper handling of
buffers in file system APIs causing a traversal path to bypass when verifying
file permissions. This vulnerability affects all users using the experimental
permission model in Node.js 20. Please note that at the time this CVE was
issued, the permission model was an experimental feature of Node.js.
CVE-2023-32004 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.2.45 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
A vulnerability has been identified in Node.js version 20 affecting users of
the experimental permission model when the --allow-fs-read flag is used with a
non-* argument. This flaw arises from an inadequate permission model that fails
to restrict file stats through the fs.statfs API. As a result, malicious actors
can retrieve stats from files that they do not have explicit read access to.
This vulnerability affects all users using the experimental permission model in
Node.js 20. Please note that at the time this CVE was issued, the permission
model was an experimental feature of Node.js.
CVE-2023-32005 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:N/A:N ).
3.2.46 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
The use of module.constructor.createRequire() in Node.js can bypass the policy
mechanism and require modules outside of the policy.json definition for a given
module. This vulnerability affects all users using the experimental policy
mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that
at the time this CVE was issued, the policy was an experimental feature of
Node.js.
CVE-2023-32006 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.2.47 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
c-ares asynchronous resolver library is vulnerable to denial of service. If a
target resolver sends a query, the attacker forges a malformed UDP packet with
a length of 0 and returns them to the target resolver. The target resolver
erroneously interprets the 0 length as a graceful shutdown of the connection.
This issue has been patched in version 1.19.1.
CVE-2023-32067 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.48 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
The use of the deprecated API process.binding() can bypass the permission model
through path traversal. This vulnerability affects all users using the
experimental permission model in Node.js 20.x. Please note that at the time
this CVE was issued, the permission model was an experimental feature of
Node.js.
CVE-2023-32558 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:N ).
3.2.49 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
A privilege escalation vulnerability exists in the experimental policy
mechanism in all active Node.js release lines: 16.x, 18.x and, 20.x. The use of
the deprecated API process.binding() can bypass the policy mechanism by
requiring internal modules and eventually take advantage of process.binding
('spawn_sync') to run arbitrary code outside of the limits defined in a
policy.json file. Please note that at the time this CVE was issued, the policy
was an experimental feature of Node.js.
CVE-2023-32559 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.2.50 INCORRECT AUTHORIZATION CWE-863
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior
to 6.1.2 could be susceptible to authorization rule misconfiguration if the
application uses requestMatchers(String) and multiple servlets, one of them
being Spring MVC's DispatcherServlet. DispatcherServlet is a Spring MVC
component that maps HTTP endpoints to methods on @Controller-annotated classes.
Specifically, an application is vulnerable when all of the following are true:
* Spring MVC is on the classpath * Spring Security is securing more than one
servlet in a single application (one of them being Spring MVC's
DispatcherServlet) * The application uses requestMatchers(String) to refer to
endpoints that are not Spring MVC endpoints. An application is not vulnerable
if any of the following are true: * The application does not have Spring MVC on
the classpath * The application secures no servlets other than Spring MVC's
DispatcherServlet * The application uses requestMatchers(String) only for
Spring MVC endpoints.
CVE-2023-34035 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:L/A:N ).
3.2.51 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's
HTTP/2 codec may leak a header map and bookkeeping structures upon receiving
RST_STREAM immediately followed by the GOAWAY frames from an upstream server.
In nghttp2, cleanup of pending requests due to receipt of the GOAWAY frame
skips de-allocation of the bookkeeping structure and pending compressed header.
The error return [code path] is taken if connection is already marked for not
sending more requests due to GOAWAY frame. The clean-up code is right after the
return statement, causing memory leak, leading to denial of service through
memory exhaustion. This vulnerability was patched in versions(s) 1.26.3,
1.25.8, 1.24.9, 1.23.11.
CVE-2023-35945 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.52 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API. However, curl did not
have a limit in how many or how large headers it would accept in a response,
allowing a malicious server to stream an endless series of headers and
eventually cause curl to run out of heap memory.
CVE-2023-38039 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.53 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect
multiple Content-Type request headers on some platforms. This might allow
attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion"
between the WAF and the backend application. This occurs when the web
application relies on only the last Content-Type header. Other platforms may
reject the additional Content-Type header or merge conflicting headers, leading
to detection as a malformed header.
CVE-2023-38199 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.54 HEAP-BASED BUFFER OVERFLOW CWE-122
This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy
handshake. When curl is asked to pass along the host name to the SOCKS5 proxy
to allow that to resolve the address instead of it getting done by curl itself,
the maximum length that host name can be is 255 bytes. If the host name is
detected to be longer than 255 bytes, curl switches to local name resolving and
instead passes the resolved address only to the proxy. Due to a bug, the local
variable that means "let the host resolve the name" could get the wrong value
during a slow SOCKS5 handshake, and contrary to the intention, copy the too
long host name to the target buffer instead of copying just the resolved
address there.
CVE-2023-38545 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).
3.2.55 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
This flaw allows an attacker to insert cookies at will into a running program
using libcurl. If the specific series of conditions are met libcurl performs
transfers. In its API, an application creates "easy handles" that are the
individual handles for single transfers. libcurl provides a function call that
duplicates an easy handle called curl_easy_duphandle . If a transfer has
cookies enabled when the handle is duplicated, the cookie-enable state is also
cloned - but without cloning the actual cookies. If the source handle did not
read any cookies from a specific file on disk, the cloned version of the handle
would instead store the file name as none (using the four ASCII letters, no
quotes). Subsequent use of the cloned handle that does not explicitly set a
source to load cookies from would then inadvertently load cookies from a file
named none - if such a file exists and is readable in the current directory of
the program using libcurl, if using the correct file format.
CVE-2023-38546 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:L/A:N ).
3.2.56 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL
INJECTION') CWE-89
In the extension script, an SQL injection vulnerability was found in PostgreSQL
if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting
construct (dollar quoting, '', or ""). If an administrator has installed files
of a vulnerable, trusted, non-bundled extension, an attacker with
database-level CREATE privilege can execute arbitrary code as the bootstrap
superuser.
CVE-2023-39417 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.2.57 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
A vulnerability was found in PostgreSQL with the use of the MERGE command,
which fails to test new rows against row security policies defined for UPDATE
and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies
do not forbid, a user could store such rows.
CVE-2023-39418 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:N/I:L/A:N ).
3.2.58 URL REDIRECTION TO UNTRUSTED SITE ('OPEN REDIRECT') CWE-601
Open redirect vulnerability in FORM authentication feature affects Apache
Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from
9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is
limited to the ROOT (default) web application.
CVE-2023-41080 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:C/C:L/I:L/A:N ).
3.2.59 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
The RabbitMQ Java client library allows Java and JVM-based applications to
connect to and interact with RabbitMQ nodes. maxBodyLength was not used when
receiving Message objects. Attackers could send a very large message causing a
memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from
denial-of-service attacks from the RabbitMQ Java client which will ultimately
exhaust the memory of the consumer. This vulnerability was patched in version
5.18.0.
CVE-2023-46120 has been assigned to this vulnerability. A CVSS v3 base score of
4.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:H/
UI:N/S:U/C:N/I:N/A:H ).
3.2.60 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL
INJECTION') CWE-89
The affected application is vulnerable to SQL injection. This could allow an
unauthenticated remote attacker to execute arbitrary SQL queries on the server
database.
CVE-2024-23810 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.61 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
The affected application allows users to upload arbitrary files via TFTP. This
could allow an attacker to upload malicious firmware images or other files that
could potentially lead to remote code execution.
CVE-2024-23811 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.62 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78
The affected application incorrectly neutralizes special elements when creating
a report which could lead to command injection.
CVE-2024-23812 has been assigned to this vulnerability. A CVSS v3 base score of
8.0 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has released update V2.0 SP1 for SINEC NMS and recommends to update to
the latest version.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-943925 in
HTML and CSAF .
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several CISA products detailing cyber defense
best practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies .
CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.
5. UPDATE HISTORY
o February 15, 2024: Initial Publication
This product is provided subject to this Notification and this Privacy & Use
policy.
Vendor
Siemens
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZc7QEckNZI30y1K9AQjVtRAAjP2kUCfIAkrd7wubtbq2nEmyd5K4Onhc
s6fJvDVb5DhZKm1rr+892fPatD+h3LPuy38dC+ITKhk/uR94TxSAt1g9zSVSWEr3
UbU/a7yNJyOmvUENADdkhQSsEUwo0WXcadPVey+SNYjNI+PGOnGyh+Om/pQJmqzA
WofvKt0m20S8W6DFKt5BLeXVFtOqvCwCy2sezACa6a0TUOe0aJ/oeGPpIba7UeFs
oWGB8+cv5brcWImoBJnUpXNtCiG/aROf6REzluFBEDs3VvUc+1JNn3iLLdruGxwL
jwC1tRVdz2CO5AA2tzSnMJG66rdMyZXy/dnvCPcH+HJnhclLZnVvqmVD3PmQDM/E
he0ZoqJTvYkIS/uzq75taix2Z1j8l0rnle8/H9H4SBr+ozjFm98Am2l+q0E4bn+K
Qr/jJsZ8ZEJyDcnmn1ZG5W1Tf24iUPimnJH/DAPdKkmfkbYbXCokmc2bhwuwHfxx
c35tnDZP7PiDOHueYeXmxFTCWecIDAzyQCTppgBPf8Mzzh9OWVMreJJCBzhuz0HI
QdRsTZu3dSCG16QwMManqwo9AuqqNyZZOLXumNj8K/FbiQdU2wQZmZIW8JD3QuOS
kEKJZdPlk+78ymMWs1/vHwfnUGH1zq6zlC6DDZ4cVgL3UeXcZvJ033cCyLKc3zSF
Qc0YhFCa92g=
=mEFg
-----END PGP SIGNATURE-----