Multiple vulnerabilities in Siemens SINUMERIK



Published: 2018-12-12
Risk: High
Patch available: Yes
Number of vulnerabilities: 10
CVE-ID: CVE-2018-11457, CVE-2018-11458, CVE-2018-11459, CVE-2018-11460, CVE-2018-11461, CVE-2018-11462, CVE-2018-11463, CVE-2018-11464, CVE-2018-11465, CVE-2018-11466
CWE-ID: CWE-122, CWE-190, CWE-693, CWE-264, CWE-121, CWE-248
Exploitation vector: Network
Public exploit: N/A

Vulnerable software:
SINUMERIK 808D (Hardware solutions / Firmware)
SINUMERIK 840D (Hardware solutions / Firmware)
SINUMERIK 828D (Server applications / SCADA systems)

Vendor: Siemens

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU16504

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11457

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a heap-based buffer overflow when handling malicious input if Port 4842/TCP is manually opened in the firewall configuration of network Port X130. A remote unauthenticated attacker can send specially crafted network requests to Port 4842/TCP, trigger memory corruption and execute arbitrary code with privileged permissions.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU16505

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11458

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow when handling malicious input if Port 4842/TCP is manually opened in the firewall configuration of network Port X130. A remote unauthenticated attacker can send specially crafted network requests to Port 4842/TCP, trigger memory corruption and execute arbitrary code with privileged permissions.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Privilege escalation

EUVDB-ID: #VU16506

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11459

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a protection mechanism failure. A local attacker can modify a user-writeable configuration file and, after a reboot or manual initiation, execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Privilege escalation

EUVDB-ID: #VU16507

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11460

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a protection mechanism failure. A local attacker can modify a CRAMFS archive so that, after a reboot, the system loads the modified CRAMFS file, which can execute arbitrary code with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Privilege escalation

EUVDB-ID: #VU16508

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11461

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A local attacker can use the service command application to gain elevated privileges.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Privilege escalation

EUVDB-ID: #VU16509

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11462

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A remote attacker can send a specially crafted authentication request and gain elevated privileges.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stack-based buffer overflow

EUVDB-ID: #VU16510

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11463

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a stack-based buffer overflow in the service command application when handling malicious input. A local attacker can execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Uncaught exception

EUVDB-ID: #VU16511

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11464

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to an uncaught exception if Port 5900/TCP is manually opened in the firewall configuration of network Port X130. A remote unauthenticated attacker can cause a denial-of-service condition of the VNC server.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Uncaught exception

EUVDB-ID: #VU16512

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11465

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to an uncaught exception. A local attacker can use ioctl calls to perform out-of-bounds reads or arbitrary writes, or to execute arbitrary code in kernel mode.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Uncaught exception

EUVDB-ID: #VU16513

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11466

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system.

The vulnerability exists due to an uncaught exception. A remote unauthenticated attacker can send specially crafted network packets to Port 102/TCP (ISO-TSAP) and cause a denial-of-service condition of the integrated software firewall or execute code in the context of the software firewall.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: All versions

SINUMERIK 828D: before 4.7 SP6 HF1

SINUMERIK 840D: before 4.8 SP3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.