Multiple vulnerabilities in Siemens SINUMERIK

Published: 2018-12-12 | Updated: 2018-12-12
Severity: High
Patch available: Yes
Number of vulnerabilities: 10
CVE ID: CVE-2018-11457, CVE-2018-11458, CVE-2018-11459, CVE-2018-11460, CVE-2018-11461, CVE-2018-11462, CVE-2018-11463, CVE-2018-11464, CVE-2018-11465, CVE-2018-11466
CWE ID: CWE-122, CWE-190, CWE-693, CWE-264, CWE-121, CWE-248
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: SINUMERIK 808D, SINUMERIK 828D, SINUMERIK 840D
Vendor: Siemens

Security Advisory

1) Heap-based buffer overflow

Severity: High

CVSSv3: 8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11457

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a heap-based buffer overflow when handling malicious input if Port 4842/TCP has been manually opened in the firewall configuration of network Port X130. A remote unauthenticated attacker can send specially crafted network requests to Port 4842/TCP, trigger memory corruption and execute arbitrary code with privileged permissions.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

Severity: High

CVSSv3: 8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11458

CWE-ID: CWE-190 - Integer Overflow or Wraparound

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow when handling malicious input if Port 4842/TCP has been manually opened in the firewall configuration of network Port X130. A remote unauthenticated attacker can send specially crafted network requests to Port 4842/TCP, trigger memory corruption and execute arbitrary code with privileged permissions.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Privilege escalation

Severity: Low

CVSSv3: 6.8 [CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11459

CWE-ID: CWE-693 - Protection Mechanism Failure

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a protection mechanism failure. A local attacker can modify a user-writeable configuration file so that, after a reboot or manual initiation, arbitrary code is executed with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Privilege escalation

Severity: Low

CVSSv3: 6.8 [CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11460

CWE-ID: CWE-693 - Protection Mechanism Failure

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a protection mechanism failure. A local attacker can modify a CRAMFS archive so that, after a reboot, the system loads the modified CRAMFS file and executes arbitrary code with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Privilege escalation

Severity: Low

CVSSv3: 6.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11461

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A local attacker can use the service command application to gain elevated privileges.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Privilege escalation

Severity: Low

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11462

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote unauthenticated attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A remote attacker can send a specially crafted authentication request to gain elevated privileges.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stack-based buffer overflow

Severity: Low

CVSSv3: 7.7 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11463

CWE-ID: CWE-121 - Stack-based Buffer Overflow

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to a stack-based buffer overflow in the service command application when handling malicious input. A local attacker can execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Uncaught exception

Severity: Low

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11464

CWE-ID: CWE-248 - Uncaught Exception

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to an uncaught exception if Port 5900/TCP has been manually opened in the firewall configuration of network Port X130. A remote unauthenticated attacker can cause a denial-of-service condition of the VNC server.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Uncaught exception

Severity: Low

CVSSv3: 7.7 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11465

CWE-ID: CWE-248 - Uncaught Exception

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to an uncaught exception. A local attacker can use ioctl calls to perform out-of-bounds reads or arbitrary writes, or to execute arbitrary code in kernel mode.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Uncaught exception

Severity: High

CVSSv3: 8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-11466

CWE-ID: CWE-248 - Uncaught Exception

Description

The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system.

The vulnerability exists due to an uncaught exception. A remote unauthenticated attacker can send specially crafted network packets to Port 102/TCP (ISO-TSAP) and either cause a denial-of-service condition of the integrated software firewall or execute code in the context of the software firewall.

Mitigation

Update SINUMERIK 828D to version 4.7 SP6 HF1.
Update SINUMERIK 840D to version 4.7 SP6 HF5 or 4.8 SP3.

Vulnerable software versions

SINUMERIK 808D: -

SINUMERIK 828D: -

SINUMERIK 840D: -

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-170881.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.