===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2269                               
      ICS Advisory | ICSA-24-102-08 Siemens Telecontrol Server Basic       
                               12 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens TeleControl Server Basic                        
Publisher:         ICS-CERT                                                
Operating System:  Network Appliance                                       
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-3446 CVE-2023-21718 CVE-2023-21713             
                   CVE-2023-21705 CVE-2023-21704 CVE-2022-43514            
                   CVE-2022-43513 CVE-2022-40303 CVE-2022-40304            
                   CVE-2023-21528 CVE-2023-21568 CVE-2023-38169            
                   CVE-2023-5678 CVE-2022-44725 CVE-2023-29349             
                   CVE-2023-29356 CVE-2023-32025 CVE-2023-32026            
                   CVE-2023-32027 CVE-2023-32028 CVE-2023-36560            
                   CVE-2023-36049 CVE-2023-0464 CVE-2023-36730             
                   CVE-2023-36728 CVE-2023-36420 CVE-2023-23384            
                   CVE-2023-36417 CVE-2023-36785 CVE-2022-46908            
                   CVE-2023-0466 CVE-2023-0465 CVE-2023-4807               
                   CVE-2023-36899 CVE-2023-36873 CVE-2023-3817             
                   CVE-2023-39615 CVE-2023-29469 CVE-2023-0286             
                   CVE-2023-0215 CVE-2022-4450 CVE-2022-4304               
                   CVE-2023-36794 CVE-2023-36793 CVE-2023-36792            
                   CVE-2023-36788 CVE-2023-28484 CVE-2023-36796            

Original Bulletin:
   https://www.cisa.gov/news-events/ics-advisories/icsa-24-102-08

Comment: CVSS (Max):  8.8 CVE-2023-38169 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT                                             
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-24-102-08)

Siemens Telecontrol Server Basic

Release Date
April 11, 2024

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


1. EXECUTIVE SUMMARY

  o CVSS v3 8.8
  o ATTENTION : Exploitable remotely/low attack complexity
  o Vendor : Siemens
  o Equipment : Telecontrol Server Basic
  o Vulnerabilities : Inadequate Encryption Strength, Double Free, Integer
    Overflow or Wraparound, External Control of File Name or Path, Path
    Traversal, Improper Input Validation, Missing Encryption of Sensitive Data,
    Use After Free, Improper Certificate Validation, Inefficient Regular
    Expression Complexity, Improper Check for Unusual or Exceptional
    Conditions, NULL Pointer Dereference, Improper Restriction of Operations
    within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of this vulnerability could

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  o Siemens TeleControl Server Basic V3: versions prior to V3.1.2

3.2 Vulnerability Overview

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

A timing-based side channel exists in the OpenSSL RSA decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by
a client to send an encrypted pre-master secret to the server. An attacker that
had observed a genuine connection between a client and a server could use this
flaw to send trial messages to the server and record the time taken to process
them. After a sufficiently large number of messages the attacker could recover
the pre-master secret used for the original connection and thus be able to
decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:H/A:N ).

3.2.2 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a
pointer to a buffer that has already been freed. If the caller also frees this
buffer then a double free will occur. This will most likely lead to a crash.
This could be exploited by an attacker who has the ability to supply malicious
PEM files for parsing to achieve a denial-of-service attack. The functions
PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and
therefore these functions are also directly affected. These functions are also
called indirectly by a number of other OpenSSL functions including
PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also
vulnerable. Some OpenSSL internal uses of these functions are not vulnerable
because the caller does not free the header argument if PEM_read_bio_ex()
returns a failure code. These locations include the PEM_read_bio_TYPE()
functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL
asn1parse command line application is also impacted by this issue.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).

3.2.3 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte
XML document with the XML_PARSE_HUGE parser option enabled, several integer
counters can overflow. This results in an attempt to access an array at a
negative 2GB offset, typically leading to a segmentation fault.

CVE-2022-40303 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).

3.2.4 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity
definitions can corrupt a hash table key, potentially leading to subsequent
logic errors. In one case, a double free can be provoked.

CVE-2022-40304 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.5 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

The affected components allow renaming license files with user-chosen input
without authentication. This could allow an unauthenticated remote attacker to
rename and move files as the SYSTEM user.

CVE-2022-43513 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:H/A:L ).

3.2.6 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

The affected component does not correctly validate the root path on
folder-related operations, allowing modification of files and folders outside
the intended root directory. This could allow an unauthenticated remote attacker
to perform file operations on files outside of the specified root folder.
Chained with CVE-2022-43513 this could allow remote code execution.

CVE-2022-43514 has been assigned to this vulnerability. A CVSS v3 base score of
7.7 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:H/A:L ).
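The two file-handling weaknesses above (the unauthenticated rename with caller-chosen names in 3.2.5, and the missing root-path validation in 3.2.6) share one defensive pattern: require authentication, accept only a bare file name, and confine every resulting path to the intended root before touching the file system. The Python below is an added example, not code from the advisory, from Siemens or from CISA; the root directory, the sample names and the rename_license_file() interface are hypothetical.

```python
"""Defensive handling for caller-supplied file names and paths
(CWE-73 and CWE-22 as described in 3.2.5 and 3.2.6).

Added example; the directory, names and rename_license_file() are hypothetical.
"""
import os
import re

# A bare file name: starts with an alphanumeric, no separators, bounded length.
# ".", ".." and anything containing "/" or "\" cannot match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_safe_file_name(name: str) -> bool:
    """Accept only a plain file name, never a path or a traversal token."""
    return _SAFE_NAME.fullmatch(name) is not None


def _candidate(root: str, user_path: str) -> str:
    # Treat both separators as separators (the product runs on Windows),
    # then normalise the joined path lexically so ".." segments collapse.
    rel = user_path.replace("\\", "/")
    root_abs = os.path.normpath(os.path.abspath(root))
    return os.path.normpath(os.path.join(root_abs, rel))


def is_within_root(root: str, user_path: str) -> bool:
    """Lexically confine user_path to root.

    Absolute paths, UNC paths and drive letters are rejected outright; anything
    else is joined to root and compared after normalisation, so "sub/../../x"
    cannot escape.
    """
    rel = user_path.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        return False
    root_abs = os.path.normpath(os.path.abspath(root))
    candidate = _candidate(root, user_path)
    return os.path.commonpath([root_abs, candidate]) == root_abs


def confine_to_root(root: str, user_path: str) -> str:
    """Return the normalised absolute path, or raise if it leaves root."""
    if not is_within_root(root, user_path):
        raise ValueError(f"path escapes root: {user_path!r}")
    return _candidate(root, user_path)


def rename_license_file(root: str, old_name: str, new_name: str,
                        authenticated: bool) -> tuple:
    """Plan a rename inside root and return (src, dst), or raise.

    Hypothetical interface: the caller must already be authenticated, both
    names must be bare file names, and both resolved paths must stay in root.
    """
    if not authenticated:
        raise PermissionError("authentication required")
    for name in (old_name, new_name):
        if not is_safe_file_name(name):
            raise ValueError(f"invalid file name: {name!r}")
    return confine_to_root(root, old_name), confine_to_root(root, new_name)


if __name__ == "__main__":
    ROOT = "/srv/licenses"  # constructed root directory
    for p in ["2024/site.lic", "../../etc/hosts", "..\\..\\windows\\win.ini", "C:\\x"]:
        print(f"{p!r:32} within root: {is_within_root(ROOT, p)}")
    print(rename_license_file(ROOT, "old.lic", "new.lic", authenticated=True))
```

The check is lexical, which is what catches the `..` and absolute-path cases the advisory describes; on a host where the root may contain symbolic links, resolve both sides with os.path.realpath as well before comparing, and run the service with the least privilege its file operations need rather than as SYSTEM.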

3.2.7 IMPROPER INPUT VALIDATION CWE-20

OPC Foundation Local Discovery Server (LDS) in affected products uses a
hard-coded file path to a configuration file. This allows a normal user to
create a malicious file that is loaded by LDS (running as a high-privilege
user).

CVE-2022-44725 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.8 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI
script, does not properly implement the azProhibitedFunctions protection
mechanism, and instead allows UDF functions such as WRITEFILE.

CVE-2022-46908 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:L ).

3.2.9 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications. The function receives a BIO from the caller, prepends a
new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then
returns the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO is
freed and the function returns a NULL result indicating a failure. However, in
this case, the BIO chain is not properly cleaned up and the BIO passed by the
caller still retains internal pointers to the previously freed filter BIO. If
the caller then goes on to call BIO_pop() on the BIO then a use-after-free will
occur. This will most likely result in a crash. This scenario occurs directly
in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be
called and will subsequently call BIO_pop() on the BIO. This internal function
is in turn called by the public API functions PEM_write_bio_ASN1_stream,
PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1,
SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be
impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7,
i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command
line applications are similarly affected.

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:N/I:N/A:H ).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted
by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING. When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:N/A:H ).

3.2.11 IMPROPER CERTIFICATE VALIDATION CWE-295

A security vulnerability has been identified in all supported versions of
OpenSSL related to the verification of X.509 certificate chains that include
policy constraints. Attackers may be able to exploit this vulnerability by
creating a malicious certificate chain that triggers exponential use of
computational resources, leading to a denial-of-service attack on affected
systems. Policy processing is disabled by default but can be enabled by passing
the -policy argument to the command line utilities or by calling the
X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0464 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).

3.2.12 IMPROPER CERTIFICATE VALIDATION CWE-295

Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious certificate authority to circumvent
certain checks. Invalid certificate policies in leaf certificates are silently
ignored by OpenSSL and other certificate policy checks are skipped for that
certificate. A malicious certificate authority could use this to deliberately
assert invalid certificate policies in order to circumvent policy checking on
the certificate altogether. Policy processing is disabled by default but can be
enabled by passing the -policy argument to the command line utilities or by
calling the X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0465 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:L/A:N ).

3.2.13 IMPROPER CERTIFICATE VALIDATION CWE-295

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable
the certificate policy check when doing certificate verification. However the
implementation of the function does not enable the check which allows
certificates with invalid or incorrect policies to pass the certificate
verification. As suddenly enabling the policy check could break existing
deployments it was decided to keep the existing behavior of the
X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require
OpenSSL to perform certificate policy check need to use
X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by
calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
argument. Certificate policy checks are disabled by default in OpenSSL and are
not commonly used by applications.

CVE-2023-0466 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:L/A:N ).

3.2.14 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Checking excessively long DH keys or parameters may be very slow. Applications
that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to
check a DH key or DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an untrusted source
this may lead to a denial of service. The function DH_check() performs various
checks on DH parameters. One of those checks confirms that the modulus ('p'
parameter) is not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the supplied
modulus value even if it has already been found to be too large. An application
that calls DH_check() and supplies a key or parameters obtained from an
untrusted source could be vulnerable to a denial of service attack. The
function DH_check() is itself called by a number of other OpenSSL functions. An
application calling any of those other functions may similarly be affected. The
other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option. The OpenSSL SSL/TLS implementation is not
affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected
by this issue.

CVE-2023-3446 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:L ).

3.2.15 IMPROPER INPUT VALIDATION CWE-20

The POLY1305 MAC (message authentication code) implementation contains a bug
that might corrupt the internal state of applications on the Windows 64
platform when running on newer X86_64 processors supporting the AVX512-IFMA
instructions. If, in an application that uses the OpenSSL library, an attacker
can influence whether the POLY1305 MAC algorithm is used, the application state
might be corrupted with various application-dependent consequences. The
POLY1305 MAC (message authentication code) implementation in OpenSSL does not
save the contents of non-volatile XMM registers on Windows 64 platform when
calculating the MAC of data larger than 64 bytes. Before returning to the
caller, all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions. The consequences of this kind of
internal application state corruption can be various - from no consequences, if
the calling application does not depend on the contents of non-volatile XMM
registers at all, to the worst consequences, where the attacker could get
complete control of the application process. However, given that the register
contents are merely zeroized, so the attacker cannot put arbitrary values into
them, the most likely consequence, if any, would be an incorrect result of some
application-dependent calculation or a crash leading to a denial of service.
The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of any
concrete application that would be affected by this issue therefore we consider
this a low severity security issue. As a workaround, AVX512-IFMA instruction
support can be disabled at runtime by setting the environment variable
OPENSSL_ia32cap to ':~0x200000' (OPENSSL_ia32cap=:~0x200000). The FIPS provider
is not affected by this issue.

CVE-2023-4807 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.16 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH
keys or parameters may be very slow. Applications that use the functions
DH_generate_key() to generate an X9.42 DH key may experience long delays.
Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or
EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may
experience long delays. Where the key or parameters that are being checked have
been obtained from an untrusted source this may lead to a denial of service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters. Likewise, while
DH_generate_key() performs a check for an excessively large P, it doesn't check
for an excessively large Q. An application that calls DH_generate_key() or
DH_check_pub_key() and supplies a key or parameters obtained from an untrusted
source could be vulnerable to a denial of service attack. DH_generate_key() and
DH_check_pub_key() are also called by a number of other OpenSSL functions. An
application calling any of those other functions may similarly be affected. The
other functions affected by this are DH_check_pub_key_ex(),
EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the
OpenSSL pkey command line application when using the "-pubcheck" option, as
well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS
implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS
providers are not affected by this issue.

CVE-2023-5678 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:L ).
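Both DH issues above (3.2.14 and 3.2.16) come down to the same operational rule: bound the size of DH parameters received from an untrusted source before any expensive check or key generation runs on them. The Python below is an added example, not OpenSSL code and not part of the advisory; it reads a PEM/DER parameter block only far enough to measure p and, for X9.42 parameters, q. The 10,000-bit bound is the figure the advisory quotes; rejecting a q larger than p mirrors the fixed OpenSSL behaviour as I understand it and should be treated as an assumption. The sample parameters are constructed for their sizes only and are not valid groups.

```python
"""Size bound for DH parameters from an untrusted source (3.2.14, 3.2.16).

Added example, not OpenSSL code.  Rejects a modulus p above the 10,000-bit
limit quoted in the advisory and a subgroup order q larger than p (assumed
to match the fixed OpenSSL behaviour) before any costly validation runs.
"""
import base64
import re

MAX_MODULUS_BITS = 10000  # upper bound quoted in the advisory for a usable modulus


# ---- minimal DER/PEM helpers: enough for a SEQUENCE of INTEGERs ----

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n: int) -> bytes:
    # Positive INTEGER; the extra byte of headroom yields a leading 0x00
    # whenever the top bit of the magnitude is set.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def make_pem(label: str, p: int, g: int, third=None) -> str:
    """Encode constructed DH parameters as PEM (sample input for this example)."""
    ints = [_der_int(p), _der_int(g)] + ([_der_int(third)] if third is not None else [])
    b64 = base64.b64encode(_der_seq(*ints)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


_PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def dh_param_bit_lengths(pem: str) -> dict:
    """Measure p and, for X9.42 parameters, q without validating anything else."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            break  # optional non-INTEGER fields (X9.42 validationParms) not needed
        ints.append(int.from_bytes(v, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("expected at least p and g")
    # PKCS#3 "DH PARAMETERS" may carry privateValueLength as a third INTEGER;
    # only the X9.42 encoding carries q in that position.
    q = ints[2] if label == "X9.42 DH PARAMETERS" and len(ints) >= 3 else None
    return {"label": label, "p_bits": ints[0].bit_length(),
            "q_bits": q.bit_length() if q is not None else None}


def untrusted_dh_params_are_bounded(pem: str, max_bits: int = MAX_MODULUS_BITS) -> bool:
    """True only if the parameters are small enough to hand to a full check."""
    info = dh_param_bit_lengths(pem)
    if info["p_bits"] > max_bits:
        return False
    if info["q_bits"] is not None and info["q_bits"] > info["p_bits"]:
        return False
    return True


# Constructed samples: values chosen only for their sizes, not for validity.
SAMPLE_OK = make_pem("X9.42 DH PARAMETERS", (1 << 2047) | 1, 2, (1 << 255) | 1)
SAMPLE_HUGE_P = make_pem("X9.42 DH PARAMETERS", (1 << 16383) | 1, 2, (1 << 255) | 1)
SAMPLE_BIG_Q = make_pem("X9.42 DH PARAMETERS", (1 << 2047) | 1, 2, (1 << 4095) | 1)
SAMPLE_PKCS3 = make_pem("DH PARAMETERS", (1 << 2047) | 1, 2, 1024)

if __name__ == "__main__":
    for name, pem in [("ok", SAMPLE_OK), ("huge p", SAMPLE_HUGE_P), ("big q", SAMPLE_BIG_Q)]:
        print(name, dh_param_bit_lengths(pem), untrusted_dh_params_are_bounded(pem))
```

The point of measuring before checking is that the size test costs a DER walk, whereas the primality and subgroup checks the advisory describes scale badly with the modulus; parameters that fail the bound can be dropped and logged without ever reaching those routines.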

3.2.17 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL Server remote code execution vulnerability.

CVE-2023-21528 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.18 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL Server Integration Service (VS extension) remote code execution
vulnerability.

CVE-2023-21568 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:R/S:U/C:H/I:H/A:H ).

3.2.19 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-21704 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.20 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL Server remote code execution vulnerability.

CVE-2023-21705 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.21 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL Server remote code execution vulnerability.

CVE-2023-21713 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.22 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-21718 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.23 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL Server remote code execution vulnerability.

CVE-2023-23384 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:L/A:L ).

3.2.24 NULL POINTER DEREFERENCE CWE-476

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a
NULL pointer dereference and subsequently a segmentation fault. This occurs in
xmlSchemaFixupComplexType in xmlschemas.c.

CVE-2023-28484 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:N/I:N/A:H ).

3.2.25 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC and OLE DB remote code execution vulnerability.

CVE-2023-29349 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.26 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-29356 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.27 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict
strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce
non-deterministic values, leading to various logic and memory errors, such as a
double free. This behavior occurs because there is an attempt to use the first
byte of an empty string, and any value is possible (not solely the '\0' value).

CVE-2023-29469 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:N/I:N/A:H ).

3.2.28 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-32025 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.29 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-32026 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.30 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-32027 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.31 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL OLE DB remote code execution vulnerability.

CVE-2023-32028 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.32 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio elevation of privilege vulnerability.

CVE-2023-36049 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:L/I:H/A:L ).

3.2.33 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL OLE DB remote code execution vulnerability.

CVE-2023-36417 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.34 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-36420 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.35 IMPROPER INPUT VALIDATION CWE-20

ASP.NET security feature bypass vulnerability.

CVE-2023-36560 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.36 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL Server denial-of-service vulnerability.

CVE-2023-36728 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:N/I:N/A:H ).

3.2.37 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-36730 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.38 IMPROPER INPUT VALIDATION CWE-20

Microsoft ODBC Driver for SQL Server remote code execution vulnerability.

CVE-2023-36785 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.39 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

.NET Framework remote code execution vulnerability.

CVE-2023-36788 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.40 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio remote code execution vulnerability.

CVE-2023-36792 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.41 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio remote code execution vulnerability.

CVE-2023-36793 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.42 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio remote code execution vulnerability.

CVE-2023-36794 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.43 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio remote code execution vulnerability.

CVE-2023-36796 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.44 IMPROPER INPUT VALIDATION CWE-20

.NET Framework spoofing vulnerability.

CVE-2023-36873 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:H/I:H/A:N ).

3.2.45 IMPROPER INPUT VALIDATION CWE-20

ASP.NET elevation of privilege vulnerability.

CVE-2023-36899 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).

3.2.46 IMPROPER INPUT VALIDATION CWE-20

Microsoft SQL OLE DB remote code execution vulnerability.

CVE-2023-38169 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.47 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the
xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows
attackers to cause a denial of service via supplying a crafted XML file. NOTE:
the vendor's position is that the product does not support the legacy SAX1
interface with custom callbacks; there is a crash even without crafted input.

CVE-2023-39615 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy, Transportation Systems, Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released a new version for Telecontrol Server Basic that fixes
multiple vulnerabilities:

  o TeleControl Server Basic V3: Update to V3.1.2 or later version

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-556635 in
HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense
best practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.

5. UPDATE HISTORY

  o April 11, 2024: Initial Publication

This product is provided subject to this Notification and this Privacy & Use 
policy.

Vendor

Siemens

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================