-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4705
               Advisory (icsa-19-351-02) Siemens SPPA-T3000
                             18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SPPA-T3000
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18335 CVE-2019-18334 CVE-2019-18333
                   CVE-2019-18332 CVE-2019-18331 CVE-2019-18330
                   CVE-2019-18329 CVE-2019-18328 CVE-2019-18327
                   CVE-2019-18326 CVE-2019-18325 CVE-2019-18324
                   CVE-2019-18323 CVE-2019-18322 CVE-2019-18321
                   CVE-2019-18320 CVE-2019-18319 CVE-2019-18318
                   CVE-2019-18317 CVE-2019-18316 CVE-2019-18315
                   CVE-2019-18314 CVE-2019-18313 CVE-2019-18312
                   CVE-2019-18311 CVE-2019-18310 CVE-2019-18309
                   CVE-2019-18308 CVE-2019-18307 CVE-2019-18306
                   CVE-2019-18305 CVE-2019-18304 CVE-2019-18303
                   CVE-2019-18302 CVE-2019-18301 CVE-2019-18300
                   CVE-2019-18299 CVE-2019-18298 CVE-2019-18297
                   CVE-2019-18296 CVE-2019-18295 CVE-2019-18294
                   CVE-2019-18293 CVE-2019-18292 CVE-2019-18291
                   CVE-2019-18290 CVE-2019-18289 CVE-2019-18288
                   CVE-2019-18287 CVE-2019-18286 CVE-2019-18285
                   CVE-2019-18284 CVE-2019-18283 CVE-2018-4832

Original Bulletin: 
   https://www.us-cert.gov/ics/advisories/icsa-19-351-02

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-19-351-02)

Siemens SPPA-T3000

Original release date: December 17, 2019

Legal Notice

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/ .

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SPPA-T3000
  o Vulnerabilities: Improper Authentication, Cleartext Transmission of
    Sensitive Information, Unrestricted Upload of File with Dangerous Type,
    Heap-based Buffer Overflow, Integer Overflow or Wraparound, Out-of-bounds
    Read, Improper Access Control, Stack-based Buffer Overflow, SFP Secondary
    Cluster: Missing Authentication, Deserialization of Untrusted Data,
    Information Exposure, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code on the server, cause a denial-of-service condition, view
and modify passwords, gain root privileges, access sensitive information, and
read and write arbitrary files on the local system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the vulnerabilities affect the following SPPA-T3000 products:

  o Application Server: All Versions
  o MS3000 Migration Server: All Versions

3.2 VULNERABILITY OVERVIEW

Note that an attacker must have network access to the Application Server,
MS3000, or access to the Application Highway in order to exploit these
vulnerabilities.

3.2.1 IMPROPER INPUT VALIDATION CWE-20

Specially crafted messages sent to the RPC service of the affected products
could cause a denial-of-service condition on the remote and local communication
functionality of the affected products. A reboot of the system is required to
recover the remote and local communication functionality.

CVE-2018-4832 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The AdminService is available without authentication on the Application Server.
An attacker can gain remote code execution by sending specially crafted objects
to one of its functions.

CVE-2019-18283 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.3 IMPROPER AUTHENTICATION CWE-287

The AdminService is available without authentication on the Application Server.
An attacker can use methods exposed via this interface to receive password
hashes of other users and to change user passwords.

CVE-2019-18284 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The RMI communication between the client and the Application Server is
unencrypted. An attacker with access to the communication channel can read
credentials of a valid user.

CVE-2019-18285 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:U/
C:H/I:N/A:N ).

3.2.5 IMPROPER AUTHENTICATION CWE-287

The Application Server exposes directory listings and files containing
sensitive information.

CVE-2019-18286 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.6 IMPROPER AUTHENTICATION CWE-287

The Application Server exposes directory listings and files containing
sensitive information.

CVE-2019-18287 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.7 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An attacker with valid authentication at the RMI interface could gain remote
code execution through an unsecured file upload.

CVE-2019-18288 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).

3.2.8 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18289 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.9 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18290 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.10 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18291 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.11 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18292 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.12 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18293 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.13 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18294 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.14 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18295 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.15 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18296 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.16 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with local access to the MS3000 Server and low privileges could
gain root privileges by sending specially crafted packets to a named pipe.

CVE-2019-18297 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).

3.2.17 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18298 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.18 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18299 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.19 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18300 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.20 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18301 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.21 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18302 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.22 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18303 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.23 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18304 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.24 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18305 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.25 OUT-OF-BOUNDS READ CWE-125

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18306 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.26 OUT-OF-BOUNDS READ CWE-125

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 5010/
TCP.

CVE-2019-18307 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.27 IMPROPER ACCESS CONTROL CWE-284

An attacker with local access to the MS3000 Server and a low privileged user
account could gain root privileges by manipulating specific files in the local
file system.

CVE-2019-18308 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).

3.2.28 IMPROPER ACCESS CONTROL CWE-284

An attacker with local access to the MS3000 Server and a low privileged user
account could gain root privileges by manipulating specific files in the local
file system.

CVE-2019-18309 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).

3.2.29 STACK-BASED BUFFER OVERFLOW CWE-121

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 7061/
TCP.

CVE-2019-18310 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.30 SFP SECONDARY CLUSTER: MISSING AUTHENTICATION CWE-952

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port 7061/
TCP.

CVE-2019-18311 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.31 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the MS3000 Server could enumerate running
RPC services.

CVE-2019-18312 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.32 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An attacker with network access to the MS3000 Server could gain remote code
execution by sending specially crafted objects to one of the RPC services.

CVE-2019-18313 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.33 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could gain remote
code execution by sending specially crafted objects via RMI.

CVE-2019-18314 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.34 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could gain remote
code execution by sending specially crafted packets to Port 8888/TCP.

CVE-2019-18315 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.35 DESERIALIZATION OF UNTRUSTED DATA CWE-502

An attacker with network access to the Application Server could gain remote
code execution by sending specially crafted packets to Port 1099/TCP.

CVE-2019-18316 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.36 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could cause a
denial-of-service condition by sending specially crafted objects via RMI.

CVE-2019-18317 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.37 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could cause a
denial-of-service condition by sending specially crafted objects via RMI.

CVE-2019-18318 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.38 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could cause a
denial-of-service condition by sending specially crafted objects via RMI.

CVE-2019-18319 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.39 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could upload
arbitrary files without authentication.

CVE-2019-18320 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:H/A:N ).

3.2.40 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the MS3000 Server could read and write
arbitrary files on the local system by sending specially crafted packets to
Port 5010/TCP.

CVE-2019-18321 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:N ).

3.2.41 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the MS3000 Server could read and write
arbitrary files on the local system by sending specially crafted packets to
Port 5010/TCP.

CVE-2019-18322 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:N ).

3.2.42 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18323 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.43 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18324 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.44 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18325 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.45 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18326 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.46 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18327 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.47 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18328 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.48 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18329 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.49 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18330 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.50 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
path and filenames on the server by sending specially crafted packets to Port
1099/TCP.

CVE-2019-18331 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.51 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
directory listings of the server by sending specially crafted packets to Port
80/TCP, 8095/TCP, or 8080/TCP.

CVE-2019-18332 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.52 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
filenames on the server by sending specially crafted packets to Port 8090/TCP.

CVE-2019-18333 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.53 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could enumerate
valid usernames by sending specially crafted packets to Port 8090/TCP.

CVE-2019-18334 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.54 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access
to logs and configuration files by sending specially crafted packets to Port
80/TCP.

CVE-2019-18335 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Gleb Gritsai, Eugenie Potseluevskaya, Sergey Andreev, and Radu Motspan from
Kaspersky Lab; Vyacheslav Moskvin, and Ivan B from Positive Technologies; and
Can Demirel from Biznet Bilisim Sistemleri ve Danismanlik reported these
vulnerabilities to Siemens.

4. MITIGATIONS

Siemens recommends users upgrade the SPPA-T3000 Application Server to
SPPA-T3000 Service Pack R8.2 SP1 to resolve CVE-2019-18331, CVE-2019-18333,
and CVE-2019-18334. Please contact a Siemens service management organization
to obtain the update.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk for all other vulnerabilities:

  o Implement mitigations described in the SPPA-T3000 security manual.
  o Restrict access to the Application Highway using the SPPA-T3000 Firewall.
  o Connect external components only to the SPPA-T3000 DMZ; do not bridge an
    external network to either the Application or Automation highway.
  o Perform regular updates of the SPPA-T3000 (e.g., by using the Security
    Server if available).
  o Implement mitigations provided in the customer information letter
    distributed via the customer service portal.
  o Please contact a Siemens representative if you need help securing an
    SPPA-T3000 installation.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for industrial
security (download:
https://www.siemens.com/cert/operational-guidelines-industrial-security) and
follow the recommendations in the product manuals. Additional information on
industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information, please see Siemens Security Advisory SSA-451445.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Monitor or block access to 80/TCP, 8090/TCP, 8095/TCP, 8080/TCP, 1099/TCP,
    5010/TCP, 8888/TCP, and 7061/TCP.
  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that a VPN
    is only as secure as the connected devices.
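
The first CISA measure above is to monitor or block the eight TCP ports the
advisory names. The following is an added example, not CISA's or Siemens'
code, of the monitoring half of that advice: it reads firewall log lines and
flags any TCP connection to one of those ports on an SPPA-T3000 host that did
not originate from the trusted control network (the Application Highway). The
log format, the host addresses, the trusted network range and every sample
line are constructed for this illustration; only the port list comes from the
advisory. Denied connections are reported as well as allowed ones, because a
run of denies against these ports is itself worth an analyst's attention.

```python
"""Flag connections to the SPPA-T3000 service ports named in the CISA
mitigation that do not originate from the trusted control network.

Added example, not advisory code. Log format, addresses, networks and sample
lines are constructed; only ADVISORY_PORTS is taken from the advisory.
"""
import ipaddress
import re
from collections import Counter

# Ports the advisory tells operators to monitor or block (all TCP).
ADVISORY_PORTS = {80, 8090, 8095, 8080, 1099, 5010, 8888, 7061}

# Constructed inventory: which SPPA-T3000 component each address stands for.
SPPA_T3000_HOSTS = {
    "10.1.1.10": "application-server",  # constructed address
    "10.1.1.11": "ms3000",              # constructed address
}

# Constructed stand-in for the Application Highway, the only network that
# should legitimately reach these ports.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.1.1.0/24")]

# Constructed key=value firewall log format (not any vendor's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2019-12-18T10:15:02Z src=10.20.30.5 dst=10.1.1.11 dport=5010 proto=tcp action=allow
2019-12-18T10:15:03Z src=10.1.1.22 dst=10.1.1.10 dport=1099 proto=tcp action=allow
2019-12-18T10:15:07Z src=192.0.2.77 dst=10.1.1.10 dport=1099 proto=tcp action=allow
2019-12-18T10:15:09Z src=192.0.2.77 dst=10.1.1.10 dport=8888 proto=tcp action=deny
2019-12-18T10:15:11Z src=10.20.30.5 dst=10.1.1.10 dport=443 proto=tcp action=allow
this line is deliberately malformed and must be skipped rather than crash the parser
2019-12-18T10:16:00Z src=10.20.30.9 dst=10.1.1.11 dport=7061 proto=udp action=allow
2019-12-18T10:16:04Z src=10.20.30.9 dst=10.5.5.5 dport=5010 proto=tcp action=allow
"""


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True when the source address falls inside a trusted network.
    An address that does not parse is treated as untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def flag_exposed_access(log_text: str, hosts=SPPA_T3000_HOSTS,
                        trusted=TRUSTED_NETWORKS) -> list:
    """One finding per TCP connection to an advisory port on an SPPA-T3000
    host from outside the trusted networks, in log order. UDP is ignored
    because the advisory lists the ports as TCP."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] not in hosts or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in ADVISORY_PORTS or is_trusted(rec["src"], trusted):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "role": hosts[rec["dst"]],
            "dport": rec["dport"],
            "blocked": rec["action"] != "allow",
        })
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per source address; most_common() puts the noisiest
    source first, which is the one to look at."""
    return Counter(f["src"] for f in findings)
```

On the sample log, flag_exposed_access(SAMPLE_LOG) yields three findings: an
allowed connection to port 5010 on the MS3000 host and two from 192.0.2.77 to
the Application Server, one allowed on 1099 and one denied on 8888. The
trusted-network connection, the port-443 connection, the UDP packet, the
connection to a non-SPPA host and the malformed line are all passed over. To
run this against real data, replace LOG_RE with a pattern for the firewall in
use and fill SPPA_T3000_HOSTS and TRUSTED_NETWORKS from the site inventory.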

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----