Multiple UltraVNC vulnerabilities in Siemens SIMATIC HMI and WinCC products



Published: 2021-05-13
Risk Medium
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2019-8259
CVE-2019-8260
CVE-2019-8261
CVE-2019-8262
CVE-2019-8263
CVE-2019-8264
CVE-2019-8265
CVE-2019-8275
CVE-2019-8277
CVE-2019-8280
CWE-ID CWE-401
CWE-125
CWE-122
CWE-121
CWE-787
CWE-170
CWE-665
Exploitation vector Network
Public exploit N/A
Vulnerable software
SIMATIC WinCC Runtime Advanced
Server applications / SCADA systems

SIMATIC HMI KTP900F
Server applications / SCADA systems

SIMATIC HMI KTP900
Server applications / SCADA systems

SIMATIC HMI KTP700F
Server applications / SCADA systems

SIMATIC HMI KTP700
Server applications / SCADA systems

SIMATIC HMI KTP400F
Server applications / SCADA systems

SIMATIC HMI Comfort Panels 4”-22”
Server applications / SCADA systems

SIMATIC HMI Comfort Outdoor Panels 7” & 15”
Server applications / SCADA systems

Vendor Siemens

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU22961

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8259

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to a memory leak in the VNC client code. A remote attacker who controls a malicious VNC server can trick a user into connecting to it and read the contents of client memory.

Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU22962

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8260

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to a boundary condition in the VNC client RRE decoder, caused by an integer overflow in a size multiplication. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger an out-of-bounds read and read the contents of client memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

EUVDB-ID: #VU22963

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8261

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to a boundary condition in the VNC client CoRRE decoder, caused by an integer overflow in a size multiplication. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger an out-of-bounds read and read the contents of client memory.
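The following is an added example, not code from UltraVNC, Siemens or this bulletin, showing the bug class behind both the RRE (#2) and CoRRE (#3) decoder findings: a rectangle size computed in 32-bit arithmetic wraps, the "does it fit" check passes, and the decoder then reads or fills past the end of the framebuffer. The rectangle layout, framebuffer dimensions and the function names rre_accepts_naive / rre_accepts_checked are assumptions made for the illustration; the vulnerable and hardened checks are shown side by side.

```c
/* Added example (not UltraVNC or Siemens code): multiplication overflow in an
 * RRE/CoRRE-style rectangle size check. Geometry, framebuffer size and
 * function names are assumptions for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FB_W 1024u            /* assumed framebuffer width in pixels */
#define FB_H 768u             /* assumed framebuffer height in pixels */
#define BPP  4u               /* bytes per pixel for a 32bpp client */
#define FB_BYTES ((size_t)FB_W * FB_H * BPP)

/* Rectangle header as the (untrusted) server sends it: 16-bit geometry and a
 * 32-bit subrectangle count, the same field widths the RFB protocol uses. */
typedef struct {
    uint16_t x, y, w, h;
    uint32_t n_subrects;
} rre_rect;

/* Vulnerable pattern: the byte count is computed in 32 bits. For
 * w = h = 32768 the product w*h*BPP is exactly 2^32, which wraps to 0, so the
 * size test passes and the fill loop that follows in a real decoder walks far
 * past the end of the framebuffer. Only the accept/reject decision is
 * returned here, so no memory is actually touched. */
bool rre_accepts_naive(const rre_rect *r, size_t fb_bytes) {
    uint32_t n_bytes = (uint32_t)r->w * (uint32_t)r->h * BPP; /* may wrap */
    return n_bytes <= fb_bytes;
}

/* Hardened pattern: reject empty or out-of-frame rectangles first, then
 * compute the size in 64 bits so no intermediate product can wrap. */
bool rre_accepts_checked(const rre_rect *r, size_t fb_bytes) {
    if (r->w == 0 || r->h == 0)
        return false;
    if ((uint32_t)r->x + r->w > FB_W || (uint32_t)r->y + r->h > FB_H)
        return false;                        /* rectangle leaves the frame */
    uint64_t n_bytes = (uint64_t)r->w * r->h * BPP;
    return n_bytes <= fb_bytes;
}

int main(void) {
    /* Constructed inputs: one honest rectangle, one chosen to wrap. */
    rre_rect ok  = { 0, 0, 16, 16, 1 };
    rre_rect bad = { 0, 0, 32768, 32768, 1 };
    printf("honest rect  : naive=%d checked=%d\n",
           rre_accepts_naive(&ok, FB_BYTES), rre_accepts_checked(&ok, FB_BYTES));
    printf("wrapping rect: naive=%d checked=%d\n",
           rre_accepts_naive(&bad, FB_BYTES), rre_accepts_checked(&bad, FB_BYTES));
    return 0;
}
```

The honest 16x16 rectangle passes both checks; the 32768x32768 rectangle is accepted by the naive check (its byte count wraps to 0) and rejected by the checked version, first because it does not fit inside the frame and, even if it did, because the 64-bit size exceeds the buffer. The same two defences, bounds-check the geometry and compute sizes in a type wide enough not to wrap, apply to any decoder that derives an allocation or loop bound from peer-supplied dimensions.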

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU22964

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8262

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the VNC client Ultra decoder. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger a heap-based buffer overflow and execute arbitrary code with the privileges of the user running the VNC client.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Stack-based buffer overflow

EUVDB-ID: #VU22965

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8263

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the VNC client ShowConnInfo routine. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger a stack-based buffer overflow and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds write

EUVDB-ID: #VU22966

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8264

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error in the VNC client Ultra2 decoder when processing untrusted input. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds write

EUVDB-ID: #VU22968

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8265

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error caused by improper use of the SETPIXELS macro in the VNC client code. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Null Termination

EUVDB-ID: #VU22995

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8275

CWE-ID: CWE-170 - Improper Null Termination

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists in the VNC server code because the affected software does not terminate, or incorrectly terminates, a string with a null character. A remote attacker can send a specially crafted request, trigger an out-of-bounds read and read the contents of server memory.
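The following is an added example, not code from UltraVNC, Siemens or this bulletin, showing the CWE-170 pattern behind this finding: a peer-supplied string copied into a fixed buffer without a terminating NUL, so that any later strlen() or "%s" use reads past the end of the buffer. The buffer size, the field name and the function names store_name_unterminated / store_name_terminated / name_is_terminated are assumptions made for the illustration.

```c
/* Added example (not UltraVNC or Siemens code): a copied string left without
 * its terminator, and the bounded copy plus check that prevent it. Buffer
 * size and names are assumptions for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size field for a client-supplied name */

/* Vulnerable pattern: strncpy() only writes a NUL if the source is shorter
 * than the bound. A client name of NAME_MAX bytes or more fills the whole
 * buffer, so the result is not a C string although the rest of the code
 * treats it as one. The later strlen()/printf("%s") is the out-of-bounds
 * read. */
void store_name_unterminated(char *dst, const char *src) {
    strncpy(dst, src, NAME_MAX);
}

/* Hardened pattern: bound the copy by the attacker-controlled length and the
 * buffer size minus one, and always write the terminator yourself. */
void store_name_terminated(char *dst, const char *src, size_t src_len) {
    size_t n = src_len < NAME_MAX - 1 ? src_len : NAME_MAX - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Check to apply to any fixed buffer before handing it to a string function:
 * is there a NUL inside the buffer's own bounds? memchr() with an explicit
 * length is used, never strlen(), so the check itself is safe on an
 * unterminated buffer. */
bool name_is_terminated(const char *dst) {
    return memchr(dst, '\0', NAME_MAX) != NULL;
}

int main(void) {
    /* Constructed input: 20 'A's, longer than the 16-byte field. */
    const char *client_name = "AAAAAAAAAAAAAAAAAAAA";
    char buf[NAME_MAX];

    store_name_unterminated(buf, client_name);
    printf("strncpy copy terminated: %s\n", name_is_terminated(buf) ? "yes" : "no");
    /* printf("%s", buf) at this point would be the out-of-bounds read. */

    store_name_terminated(buf, client_name, strlen(client_name));
    printf("bounded copy terminated: %s (\"%s\", %zu chars)\n",
           name_is_terminated(buf) ? "yes" : "no", buf, strlen(buf));
    return 0;
}
```

With the 20-byte input the strncpy() copy leaves no NUL anywhere in the 16-byte buffer, while the bounded copy truncates to 15 characters and is always terminated. In code review, every strncpy(), memcpy() or protocol-length-driven copy into a fixed buffer that is later used as a C string is a candidate for this defect; the fix is the explicit terminator, not a larger buffer.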

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected VNC server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper Initialization

EUVDB-ID: #VU23010

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8277

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to an uninitialized read in the VNC server code. A remote attacker can send a specially crafted request, read uninitialized stack memory and disclose sensitive information from the target system.

Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected VNC server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Out-of-bounds write

EUVDB-ID: #VU23011

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8280

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error in the VNC client RAW decoder when processing untrusted input. A remote attacker who controls a malicious VNC server can trick a user into connecting to it, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC WinCC Runtime Advanced: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-131-11
http://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker, but it requires user interaction: the affected VNC client has to connect to a server under the attacker's control.

How can the attacker exploit this vulnerability?

The attacker would have to run (or compromise) a VNC server, lure a user into connecting the affected VNC client to it, and send specially crafted protocol messages from that server in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


