Tuesday, March 9, 2021

10 Advisories Published – 3-9-21

Today the CISA NCCIC-ICS published ten control system security advisories for products from Siemens.

SCALANCE Advisory #1

This advisory describes an out-of-bounds read vulnerability in Siemens SCALANCE and SIMATIC products. This is a third-party vulnerability in libcurl. The vulnerability is self-reported. Siemens has a new version for one of the affected products that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the affected devices.

NOTE 1: There are reported exploits (here and here) for the underlying vulnerability.

NOTE 2: NCCIC-ICS does not provide a link to the Siemens advisory. The Siemens link in the advisory is to an update of an earlier advisory about the same vulnerability in another product line.

Solid Edge Advisory

This advisory describes four vulnerabilities in the Siemens Solid Edge portfolio of software tools. The vulnerabilities were reported by Francis Provencher and rgod via the Zero Day Initiative. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Out-of-bounds write (2) - CVE-2020-28385 and CVE-2021-27380,

• Improper restriction of XML external entity reference - CVE-2020-28387, and

• Out-of-bounds read - CVE-2021-27381

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause a denial-of-service condition, arbitrary code execution, or data extraction on the target host system.

PLUSCONTROL Advisory

This advisory describes a predictable exact value from previous values vulnerability in the Siemens PLUSCONTROL product. The vulnerability is self-reported. Siemens has provided generic mitigations for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to affect integrity of TCP connections.

NOTE: This vulnerability was reported in the NCCIC-ICS TCP/IP Stacks Advisory for the NUMBER:JACK vulnerabilities and the Siemens advisory should probably have been reported in an update to ICSA-21-042-01.

TCP Stack Advisory

This advisory describes two vulnerabilities in the Siemens SIMATIC MV400 family. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Improper validation of specified index, position, or offset in input - CVE-2020-25241, and

• Use of insufficiently random values - CVE-2020-27632

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition or affect the integrity of TCP connections.

NOTE: The second vulnerability was reported in the NUMBER:JACK paper (and the NCCIC-ICS advisory in the Note above) in the NDKTCPIP TCP/IP stack. This means that it is likely that the first vulnerability listed above would also affect other products using the same versions of that stack.
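The PLUSCONTROL and SIMATIC MV400 advisories above both concern predictable TCP initial sequence numbers (ISNs), the weakness class behind the NUMBER:JACK findings. The following is an added example, not code from this post or from Siemens, showing how a defender can assess a device's ISN behaviour from a sample of observed ISNs (for instance, the SYN-ACK sequence numbers from a series of handshakes captured against a device under test). The ISN lists are constructed for illustration, and the 1% spread threshold is an assumption chosen for this example, not a published criterion.

```python
"""Assess whether a sample of TCP initial sequence numbers looks predictable.

Added example. The two ISN samples below are constructed, not captured from
any real device, and the 1% spread threshold is an illustrative assumption.
"""
import statistics

MOD = 2 ** 32  # ISNs are 32-bit values and wrap around


def isn_deltas(isns):
    """Successive differences between ISNs, reduced modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_assessment(isns, min_samples=8, spread_threshold=0.01):
    """Summarise how predictable a sequence of observed ISNs appears.

    A generator that increments by a fixed amount per connection yields a
    constant delta; one that increments by small, varying amounts yields
    deltas that are tightly clustered.  A well-randomised generator spreads
    its deltas across most of the 32-bit space, so the standard deviation of
    the deltas is a large fraction of 2^32.
    """
    if len(isns) < min_samples:
        raise ValueError(f"need at least {min_samples} ISNs, got {len(isns)}")
    deltas = isn_deltas(isns)
    constant = len(set(deltas)) == 1
    spread = statistics.pstdev(deltas) / MOD  # fraction of the 32-bit range
    verdict = "predictable" if constant or spread < spread_threshold else "random-looking"
    return {
        "samples": len(isns),
        "constant_increment": constant,
        "delta_spread": spread,
        "verdict": verdict,
    }


# Constructed sample 1: a stack that adds a fixed 64000 to the ISN for every
# new connection (the classic weak scheme that NUMBER:JACK-style checks catch).
PREDICTABLE = [0x1A2B3C4D + 64000 * i for i in range(9)]

# Constructed sample 2: values deliberately scattered across the 32-bit space,
# standing in for a generator with a proper random component.
RANDOM_LOOKING = [
    0x10000000, 0xC0000000, 0x30000000, 0xF0000000, 0x05000000,
    0x80000000, 0x20000000, 0xA0000000, 0x70000000,
]

if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE), ("random-looking", RANDOM_LOOKING)):
        print(name, isn_assessment(sample))
```

In practice the input list comes from a packet capture of repeated connections to the device being assessed; a "predictable" verdict means an off-path party that can guess the next ISN may be able to inject into or reset TCP sessions, which is exactly the integrity impact NCCIC-ICS describes, and is the cue to apply the vendor update or to isolate the device's TCP services behind a protocol-aware firewall.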

SENTRON Advisory

This advisory describes two vulnerabilities in the Siemens SENTRON products. These are third-party (Amnesia:33) vulnerabilities that have previously been reported by NCCIC-ICS. Siemens has upgrades that mitigate the vulnerabilities in some of the affected products.

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-13987, and

• Out-of-bounds write - CVE-2020-17437

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition.

NOTE: NCCIC-ICS probably should have added a link to the Siemens advisory to ICSA-20-343-01, their AMNESIA:33 advisory.

LOGO! Advisory

This advisory describes an improper handling of exceptional conditions vulnerability in the Siemens LOGO! 8 programmable logic controller. The vulnerability was reported by Max Bäumler. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a denial-of-service condition if a user is tricked into loading a malicious project file.

SINEMA Advisory

This advisory describes an incorrect authorization vulnerability in the Siemens SINEMA Remote Connect Server. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow authenticated unprivileged user accounts to access unauthorized functionality.

SCALANCE Advisory #2

This advisory describes a stack-based buffer overflow in the Siemens SCALANCE and RUGGEDCOM Devices. The vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a reboot of the affected device. Under specific circumstances, an attacker could also achieve remote code execution on the affected devices.

SCALANCE Advisory #3

This advisory describes an improper restriction of excessive authentication attempts vulnerability in the Siemens SCALANCE and RUGGEDCOM Devices. The vulnerability is self-reported. Siemens has an update available for one of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition under certain conditions.

SIMATIC Advisory

This advisory describes three vulnerabilities in the Siemens SIMATIC S7-PLCSIM. The vulnerabilities are self-reported. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Infinite loop - CVE-2021-25673,

• Null pointer dereference - CVE-2021-25674, and

• Divide by zero - CVE-2021-25675

NCCIC-ICS reports that a relatively low-skilled attacker with local access could craft special project files that exploit these vulnerabilities and may lead to denial-of-service conditions.

Other Siemens Advisories

Siemens published two additional advisories today that have not yet been addressed by NCCIC-ICS. If they are not covered this week, I will discuss them this weekend.
