===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4705
                 Advisory (icsa-19-351-02) Siemens SPPA-T3000
                              18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SPPA-T3000
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18335 CVE-2019-18334 CVE-2019-18333
                   CVE-2019-18332 CVE-2019-18331 CVE-2019-18330
                   CVE-2019-18329 CVE-2019-18328 CVE-2019-18327
                   CVE-2019-18326 CVE-2019-18325 CVE-2019-18324
                   CVE-2019-18323 CVE-2019-18322 CVE-2019-18321
                   CVE-2019-18320 CVE-2019-18319 CVE-2019-18318
                   CVE-2019-18317 CVE-2019-18316 CVE-2019-18315
                   CVE-2019-18314 CVE-2019-18313 CVE-2019-18312
                   CVE-2019-18311 CVE-2019-18310 CVE-2019-18309
                   CVE-2019-18308 CVE-2019-18307 CVE-2019-18306
                   CVE-2019-18305 CVE-2019-18304 CVE-2019-18303
                   CVE-2019-18302 CVE-2019-18301 CVE-2019-18300
                   CVE-2019-18299 CVE-2019-18298 CVE-2019-18297
                   CVE-2019-18296 CVE-2019-18295 CVE-2019-18294
                   CVE-2019-18293 CVE-2019-18292 CVE-2019-18291
                   CVE-2019-18290 CVE-2019-18289 CVE-2019-18288
                   CVE-2019-18287 CVE-2019-18286 CVE-2019-18285
                   CVE-2019-18284 CVE-2019-18283 CVE-2018-4832

Original Bulletin:
   https://www.us-cert.gov/ics/advisories/icsa-19-351-02

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-19-351-02)
Siemens SPPA-T3000

Original release date: December 17, 2019

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SPPA-T3000
  o Vulnerabilities: Improper Authentication, Cleartext Transmission of
    Sensitive Information, Unrestricted Upload of File with Dangerous Type,
    Heap-based Buffer Overflow, Integer Overflow or Wraparound, Out-of-bounds
    Read, Improper Access Control, Stack-based Buffer Overflow, SFP Secondary
    Cluster: Missing Authentication, Deserialization of Untrusted Data,
    Information Exposure

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code on the server, cause a denial-of-service condition, view
and modify passwords, gain root privileges, access sensitive information, and
read and write arbitrary files on the local system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the vulnerabilities affect the following SPPA-T3000 products:

  o Application Server: All Versions
  o MS3000 Migration Server: All Versions

3.2 VULNERABILITY OVERVIEW

Note that an attacker must have network access to the Application Server or the
MS3000, or access to the Application Highway, in order to exploit these
vulnerabilities.

3.2.1 IMPROPER INPUT VALIDATION CWE-20

Specially crafted messages sent to the RPC service of the affected products
could cause a denial-of-service condition on the remote and local communication
functionality of the affected products. A reboot of the system is required to
recover the remote and local communication functionality.

CVE-2018-4832 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The AdminService is available without authentication on the Application
Server. An attacker can gain remote code execution by sending specially crafted
objects to one of its functions.

CVE-2019-18283 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER AUTHENTICATION CWE-287

The AdminService is available without authentication on the Application
Server. An attacker can use methods exposed via this interface to receive
password hashes of other users and to change user passwords.

CVE-2019-18284 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The RMI communication between the client and the Application Server is
unencrypted. An attacker with access to the communication channel can read
credentials of a valid user.

CVE-2019-18285 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER AUTHENTICATION CWE-287

The Application Server exposes directory listings and files containing
sensitive information.

CVE-2019-18286 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.6 IMPROPER AUTHENTICATION CWE-287

The Application Server exposes directory listings and files containing
sensitive information.

CVE-2019-18287 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.7 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An attacker with valid authentication at the RMI interface could gain remote
code execution through an unsecured file upload.

CVE-2019-18288 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18289 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.9 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18290 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.10 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18291 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.11 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18292 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
3.2.12 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18293 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.13 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18294 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.14 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18295 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.15 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18296 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.16 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with local access to the MS3000 Server and low privileges could
gain root privileges by sending specially crafted packets to a named pipe.

CVE-2019-18297 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.17 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18298 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.18 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18299 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.19 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18300 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.20 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18301 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.21 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18302 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
3.2.22 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18303 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.23 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18304 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.24 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18305 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.25 OUT-OF-BOUNDS READ CWE-125

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18306 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.26 OUT-OF-BOUNDS READ CWE-125

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
5010/TCP.

CVE-2019-18307 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
3.2.27 IMPROPER ACCESS CONTROL CWE-284

An attacker with local access to the MS3000 Server and a low privileged user
account could gain root privileges by manipulating specific files in the local
file system.

CVE-2019-18308 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.28 IMPROPER ACCESS CONTROL CWE-284

An attacker with local access to the MS3000 Server and a low privileged user
account could gain root privileges by manipulating specific files in the local
file system.

CVE-2019-18309 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.29 STACK-BASED BUFFER OVERFLOW CWE-121

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
7061/TCP.

CVE-2019-18310 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.30 SFP SECONDARY CLUSTER: MISSING AUTHENTICATION CWE-952

An attacker with network access to the MS3000 Server could trigger a
denial-of-service condition by sending specially crafted packets to Port
7061/TCP.

CVE-2019-18311 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.31 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the MS3000 Server could enumerate running
RPC services.

CVE-2019-18312 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.32 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An attacker with network access to the MS3000 Server could gain remote code
execution by sending specially crafted objects to one of the RPC services.

CVE-2019-18313 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.33 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could gain remote
code execution by sending specially crafted objects via RMI.

CVE-2019-18314 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.34 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could gain remote
code execution by sending specially crafted packets to Port 8888/TCP.

CVE-2019-18315 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.35 DESERIALIZATION OF UNTRUSTED DATA CWE-502

An attacker with network access to the Application Server could gain remote
code execution by sending specially crafted packets to Port 1099/TCP.

CVE-2019-18316 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.36 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could cause a
denial-of-service condition by sending specially crafted objects via RMI.

CVE-2019-18317 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.37 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could cause a
denial-of-service condition by sending specially crafted objects via RMI.

CVE-2019-18318 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.38 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could cause a
denial-of-service condition by sending specially crafted objects via RMI.

CVE-2019-18319 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.39 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the Application Server could upload
arbitrary files without authentication.

CVE-2019-18320 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.40 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the MS3000 Server could read and write
arbitrary files on the local system by sending specially crafted packets to
Port 5010/TCP.

CVE-2019-18321 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.41 IMPROPER AUTHENTICATION CWE-287

An attacker with network access to the MS3000 Server could read and write
arbitrary files on the local system by sending specially crafted packets to
Port 5010/TCP.

CVE-2019-18322 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
3.2.42 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18323 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.43 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18324 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.44 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18325 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.45 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18326 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.46 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18327 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.47 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18328 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.48 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18329 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.49 HEAP-BASED BUFFER OVERFLOW CWE-122

An attacker with network access to the MS3000 Server could cause a
denial-of-service condition and gain remote code execution by sending specially
crafted packets to Port 5010/TCP.

CVE-2019-18330 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.50 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
path and filenames on the server by sending specially crafted packets to Port
1099/TCP.

CVE-2019-18331 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.51 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
directory listings of the server by sending specially crafted packets to Port
80/TCP, 8095/TCP, or 8080/TCP.

CVE-2019-18332 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.52 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
filenames on the server by sending specially crafted packets to Port 8090/TCP.

CVE-2019-18333 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.53 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could enumerate valid
usernames by sending specially crafted packets to Port 8090/TCP.

CVE-2019-18334 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.54 INFORMATION EXPOSURE CWE-200

An attacker with network access to the Application Server could gain access to
logs and configuration files by sending specially crafted packets to Port
80/TCP.

CVE-2019-18335 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Gleb Gritsai, Eugenie Potseluevskaya, Sergey Andreev, and Radu Motspan from
Kaspersky Lab; Vyacheslav Moskvin and Ivan B from Positive Technologies; and
Can Demirel from Biznet Bilisim Sistemleri ve Danismanlik reported these
vulnerabilities to Siemens.

4. MITIGATIONS

Siemens recommends users upgrade the SPPA-T3000 Application Server to
SPPA-T3000 Service Pack R8.2 SP1 to resolve CVE-2019-18331, CVE-2019-18333, and
CVE-2019-18334. Please contact a Siemens service management organization to
obtain the update.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk for all other vulnerabilities:

  o Implement mitigations described in the SPPA-T3000 security manual.
  o Restrict access to the Application Highway using the SPPA-T3000 Firewall.
  o Connect external components only to the SPPA-T3000 DMZ; do not bridge an
    external network to either the Application or Automation highway.
  o Perform regular updates of the SPPA-T3000 (e.g., by using the Security
    Server if available).
  o Implement mitigations provided in the customer information letter
    distributed via the customer service portal.
  o Please contact a Siemens representative if you need help securing an
    SPPA-T3000 installation.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for industrial
security (download:
https://www.siemens.com/cert/operational-guidelines-industrial-security) and
follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information, please see Siemens Security Advisory SSA-451445.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Monitor or block access to 80/TCP, 8090/TCP, 8095/TCP, 8080/TCP, 1099/TCP,
    5010/TCP, 8888/TCP, and 7061/TCP.
  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.
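One way to act on the first CISA bullet is to audit firewall connection logs for TCP traffic to the eight listed ports that does not originate on the Application Highway. The following Python is an added example, not part of the advisory or of any Siemens tooling: the key=value log format, the 10.10.0.0/24 Application Highway subnet and the sample lines are all constructed for the example, and the grouping of ports by component follows section 3.2.

```python
"""Flag connections to the SPPA-T3000 service ports named in the CISA
mitigation that come from outside the Application Highway.
Added example; log format, subnets and sample lines are constructed."""
import ipaddress
import re
from collections import Counter

# Ports from the CISA mitigation, grouped by the component that section 3.2
# of the advisory associates with them.
WATCHED_PORTS = {
    80: "Application Server (HTTP)",
    8080: "Application Server (HTTP)",
    8090: "Application Server (HTTP)",
    8095: "Application Server (HTTP)",
    1099: "Application Server (RMI registry)",
    8888: "Application Server",
    5010: "MS3000 Migration Server",
    7061: "MS3000 Migration Server",
}

# Constructed key=value firewall log format (an assumption, not a vendor format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def audit(lines, allowed_nets):
    """Return one finding per TCP connection to a watched port whose source lies
    outside the Application Highway subnets in allowed_nets.

    Denied attempts are reported too: the advisory asks operators to monitor
    these ports, and a blocked probe is still worth an alert."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] not in WATCHED_PORTS:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            trusted = any(src in net for net in nets)
        except ValueError:
            trusted = False  # an unparsable source address is never trusted
        if trusted:
            continue
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "action": rec["action"],
            "component": WATCHED_PORTS[rec["dport"]],
        })
    return findings


def count_by_port(findings):
    """Count findings per destination port for a quick exposure summary."""
    return Counter(f["dport"] for f in findings)


# Constructed sample: 10.10.0.0/24 stands in for the Application Highway;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as outsiders.
APPLICATION_HIGHWAY = ["10.10.0.0/24"]
SAMPLE_LOG = """\
2019-12-18T10:01:05Z fw1 ACCEPT src=10.10.0.21 dst=10.10.1.5 proto=tcp sport=51522 dport=1099
2019-12-18T10:01:09Z fw1 ACCEPT src=10.10.0.22 dst=10.10.1.6 proto=tcp sport=51530 dport=5010
2019-12-18T10:02:41Z fw1 ACCEPT src=192.0.2.10 dst=10.10.1.6 proto=tcp sport=40211 dport=5010
2019-12-18T10:02:44Z fw1 DENY src=192.0.2.10 dst=10.10.1.5 proto=tcp sport=40212 dport=8888
2019-12-18T10:03:02Z fw1 ACCEPT src=198.51.100.7 dst=10.10.1.5 proto=tcp sport=33001 dport=1099
2019-12-18T10:03:10Z fw1 ACCEPT src=198.51.100.7 dst=10.10.1.5 proto=tcp sport=33002 dport=443
2019-12-18T10:03:15Z fw1 ACCEPT src=198.51.100.7 dst=10.10.1.6 proto=udp sport=33003 dport=5010
""".splitlines()


def run_sample():
    """Audit the constructed sample; return (findings, per-port counts)."""
    findings = audit(SAMPLE_LOG, APPLICATION_HIGHWAY)
    return findings, count_by_port(findings)


if __name__ == "__main__":
    found, counts = run_sample()
    for f in found:
        print(f"{f['ts']} {f['action']:6} {f['src']} -> {f['dst']}:{f['dport']} [{f['component']}]")
    print("per-port:", dict(counts))
```

On the sample, the two Application Highway hosts pass, the 443/TCP and UDP lines are ignored, and the three outside TCP connections to 5010, 8888 and 1099 are reported, the denied one included.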
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================