Multiple vulnerabilities in Siemens SIMATIC ITC



Published: 2021-12-16
Risk: High
Patch available: Yes
Number of vulnerabilities: 19
CVE-ID: CVE-2019-20840, CVE-2020-14405, CVE-2020-14404, CVE-2020-14403, CVE-2020-14402, CVE-2020-14401, CVE-2020-14398, CVE-2020-14397, CVE-2020-14396, CVE-2019-20839, CVE-2017-18922, CVE-2019-20788, CVE-2019-15690, CVE-2019-15681, CVE-2018-21247, CVE-2018-20750, CVE-2018-20749, CVE-2018-20748, CVE-2018-20019
CWE-ID: CWE-119, CWE-770, CWE-190, CWE-835, CWE-476, CWE-787, CWE-122, CWE-401
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: SIMATIC ITC1500, SIMATIC ITC1500 PRO, SIMATIC ITC1900, SIMATIC ITC1900 PRO, SIMATIC ITC2200, SIMATIC ITC2200 PRO (Hardware solutions / Office equipment, IP-phones, print servers)

Vendor: Siemens

Security Bulletin

This security bulletin contains information about 19 vulnerabilities. All of them are in the LibVNCServer/LibVNCClient library used by the SIMATIC ITC firmware (roughly half affect the server-side code, the rest the client-side code that connects to a VNC server), and all are fixed in firmware version 3.2.1.0.

1) Buffer overflow

EUVDB-ID: #VU29372

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20840

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within hybiReadAndDecode() in libvncserver/ws_decode.c. A remote attacker can send a specially crafted request to the affected LibVNCServer instance and crash the service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU29374

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14405

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in libvncclient/rfbproto.c because LibVNCServer does not limit the size of a TextChat message. A remote attacker who controls a malicious VNC server can send large amounts of data to the client application and perform a denial of service (DoS) attack.
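
The bug class described above (CWE-770, a client trusting a server-supplied length) in a constructed example. This is added illustrative code, not LibVNCClient's own implementation: the framing (1-byte type, 3 bytes padding, 4-byte big-endian length, then the text), the type value 11, the 4096-byte cap and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not LibVNCClient code) of the CWE-770 bug class behind
 * the TextChat issue: the client trusts a 32-bit length sent by the server.
 * Framing assumed here: 1-byte type, 3 bytes padding, 4-byte big-endian
 * length, then `length` bytes of text. */

#define TEXTCHAT_HDR_LEN 8
#define TEXTCHAT_MAX_LEN 4096u   /* hypothetical upper bound for one chat line */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable shape: whatever the server says, that is what gets allocated and
 * then read from the socket. Returns the size it would hand to malloc(); a
 * malicious server can make this 4 GiB and stall or exhaust the client. */
uint32_t vuln_textchat_alloc_size(const uint8_t *hdr) {
    return be32(hdr + 4);        /* no upper bound, no check against data on hand */
}

/* Hardened: enforce a fixed cap and require the bytes to actually be present.
 * Copies the text into out (NUL-terminated) and returns its length, or -1. */
long safe_textchat_read(const uint8_t *msg, size_t msg_len,
                        char *out, size_t out_cap) {
    if (msg_len < TEXTCHAT_HDR_LEN) return -1;
    uint32_t len = be32(msg + 4);
    if (len > TEXTCHAT_MAX_LEN) return -1;             /* server-chosen size is bounded */
    if (len > msg_len - TEXTCHAT_HDR_LEN) return -1;   /* never read past the buffer */
    if (len + 1 > out_cap) return -1;                  /* room for the terminator */
    memcpy(out, msg + TEXTCHAT_HDR_LEN, len);
    out[len] = '\0';
    return (long)len;
}

/* Constructed messages: a benign 5-byte chat line and a hostile header that
 * announces 0xFFFFFFFF bytes of text. */
const uint8_t benign_msg[] = { 11, 0, 0, 0,  0, 0, 0, 5,  'h', 'e', 'l', 'l', 'o' };
const uint8_t hostile_hdr[] = { 11, 0, 0, 0,  0xFF, 0xFF, 0xFF, 0xFF };

char g_out[64];   /* output buffer shared by main() and the checks below */

int main(void) {
    long n = safe_textchat_read(benign_msg, sizeof benign_msg, g_out, sizeof g_out);
    printf("benign:  hardened returns %ld, text=\"%s\"\n", n, n >= 0 ? g_out : "");
    printf("hostile: vulnerable client would malloc(%u); hardened returns %ld\n",
           (unsigned)vuln_textchat_alloc_size(hostile_hdr),
           safe_textchat_read(hostile_hdr, sizeof hostile_hdr, g_out, sizeof g_out));
    return 0;
}
```

The fix is two separate checks: an absolute cap on what a server may ask for, and a check that the announced length does not exceed the data actually available. Either one alone still leaves a path for a malicious server to make the client block or allocate without bound.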

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted server response.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU29375

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14404

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing encodings in libvncserver/rre.c. A remote attacker can pass specially crafted data to the server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU29376

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14403

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing encodings in libvncserver/hextile.c. A remote attacker can pass specially crafted data to the server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU29377

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14402

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing encodings in libvncserver/corre.c. A remote attacker can pass specially crafted data to the server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Integer overflow

EUVDB-ID: #VU29378

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14401

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in libvncserver/scale.c when processing data passed via pixel_value. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Infinite loop

EUVDB-ID: #VU29381

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14398

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in libvncclient/sockets.c when closing TCP connections. A remote attacker who controls the VNC server the client is connected to can make the client spin indefinitely, consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted server response.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) NULL pointer dereference

EUVDB-ID: #VU29382

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14397

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in libvncserver/rfbregion.c. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

EUVDB-ID: #VU29383

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14396

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in libvncclient/tls_openssl.c. A remote attacker can trick the victim into connecting to a malicious server and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted server response.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU29373

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20839

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a long socket filename in libvncclient/sockets.c in LibVNCServer. A remote attacker can trick the victim into connecting to a server using a specially crafted configuration file, trigger a buffer overflow and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to get the device's VNC client to use a specially crafted configuration (an over-long socket filename) when connecting to a server.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Out-of-bounds write

EUVDB-ID: #VU30157

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18922

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Integer overflow

EUVDB-ID: #VU29385

Risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20788

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in libvncclient/cursor.c when processing large height or width values supplied by the server. A remote attacker can trick the victim into connecting to a malicious VNC server, trigger the integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
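
The bug class behind this entry (CWE-190: a client sizing a heap buffer from server-chosen width and height values) in a constructed example; the same class is behind entry 6, although that one concerns a different computation in libvncserver/scale.c. This is added illustrative code, not LibVNCClient's own implementation: the 4 bytes-per-pixel constant, the 1024-pixel cursor limit and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not LibVNCClient code) of the CWE-190 pattern behind
 * the cursor.c issue: the client sizes a heap buffer from width and height
 * values chosen by the server. Constants and names are assumptions. */

#define BPP 4u                    /* bytes per pixel, assumed */
#define MAX_CURSOR_DIM 1024u      /* hypothetical sane limit for a cursor */

/* Vulnerable shape: the product is formed in 32 bits and wraps. For
 * 32768 x 32768 it wraps to exactly 0; for 32769 x 32769 to 262148 bytes,
 * while the server then streams ~4 GiB of pixel data into that buffer. */
uint32_t vuln_cursor_alloc_size(uint16_t width, uint16_t height) {
    uint32_t bytes = (uint32_t)width * (uint32_t)height * BPP;  /* wraps silently */
    return bytes;
}

/* The number of bytes the protocol handler would actually copy. */
uint64_t cursor_data_len(uint16_t width, uint16_t height) {
    return (uint64_t)width * (uint64_t)height * BPP;
}

/* 1 when the vulnerable allocation is smaller than the data copied into it. */
int vuln_cursor_overflows(uint16_t width, uint16_t height) {
    return cursor_data_len(width, height) > vuln_cursor_alloc_size(width, height);
}

/* Hardened: bound the dimensions and compute the size with an explicit
 * overflow check. Returns the byte count, or 0 to reject the update
 * (0 is never a valid size because zero dimensions are rejected too). */
size_t safe_cursor_alloc_size(uint16_t width, uint16_t height) {
    if (width == 0 || height == 0) return 0;
    if (width > MAX_CURSOR_DIM || height > MAX_CURSOR_DIM) return 0;
    size_t w = width, h = height;
    if (w > SIZE_MAX / BPP / h) return 0;      /* w*h*BPP would not fit in size_t */
    return w * h * BPP;
}

int main(void) {
    static const uint16_t dims[][2] = { {32, 32}, {32768, 32768}, {32769, 32769} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint16_t w = dims[i][0], h = dims[i][1];
        size_t safe = safe_cursor_alloc_size(w, h);
        printf("%5u x %5u: vulnerable malloc(%u) for %llu bytes of data (%s); "
               "hardened: %s\n", (unsigned)w, (unsigned)h,
               (unsigned)vuln_cursor_alloc_size(w, h),
               (unsigned long long)cursor_data_len(w, h),
               vuln_cursor_overflows(w, h) ? "heap overflow" : "fits",
               safe ? "accepted" : "rejected");
    }
    return 0;
}
```

Two things matter in the hardened version: the explicit division-based overflow check, which is portable and does not rely on compiler builtins, and the separate sanity limit on the dimensions themselves, which stops a server from forcing very large but non-wrapping allocations.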

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted cursor update with oversized dimensions.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Heap-based buffer overflow

EUVDB-ID: #VU26343

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15690

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory leak

EUVDB-ID: #VU22957

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15681

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to a memory leak in the VNC server code. A remote attacker can read stack memory and disclose sensitive information.

Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory leak

EUVDB-ID: #VU29384

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-21247

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a memory leak within the ConnectToRFBRepeater() function in libvncclient/rfbproto.c. A remote attacker can trick the victim into connecting to a malicious VNC server, trigger the memory leak and gain access to sensitive information on the client's system.
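
The pattern behind this entry (CWE-401: a buffer allocated for the repeater handshake that an early error return never frees) in a constructed example. This is added illustrative code, not LibVNCClient's ConnectToRFBRepeater(): the 250-byte handshake buffer, the repeater ID string, the allocation counter and the function names are assumptions made for the example, and what it demonstrates is the unreleased allocation itself, once per failed handshake.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not LibVNCClient code) of the CWE-401 pattern behind
 * the ConnectToRFBRepeater() issue: a buffer is allocated to build the
 * repeater handshake, and an early return on a bad server reply skips the
 * free. The allocation counter and the fake "reply" are test scaffolding. */

#define REPEATER_ID_LEN 250      /* assumed fixed handshake buffer size */

static long live_allocs = 0;     /* outstanding heap blocks, for demonstration */

static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void  tracked_free(void *p)    { if (p) { live_allocs--; free(p); } }

long outstanding_allocs(void) { return live_allocs; }

/* Vulnerable shape: every failure path returns without releasing the buffer,
 * so a server that keeps failing the handshake makes the client leak once per
 * reconnect. Returns 1 on success, 0 on failure. */
int vuln_connect_repeater(const char *repeater_id, int server_reply_ok) {
    char *buf = tracked_malloc(REPEATER_ID_LEN);
    if (!buf) return 0;
    if (strlen(repeater_id) >= REPEATER_ID_LEN) return 0;   /* leak: buf not freed */
    memset(buf, 0, REPEATER_ID_LEN);
    strcpy(buf, repeater_id);
    if (!server_reply_ok) return 0;                          /* leak: buf not freed */
    tracked_free(buf);
    return 1;
}

/* Hardened: a single exit path owns the buffer, so no outcome can leave it
 * allocated. */
int safe_connect_repeater(const char *repeater_id, int server_reply_ok) {
    int ok = 0;
    char *buf = tracked_malloc(REPEATER_ID_LEN);
    if (!buf) return 0;
    if (strlen(repeater_id) >= REPEATER_ID_LEN) goto out;
    memset(buf, 0, REPEATER_ID_LEN);
    strcpy(buf, repeater_id);
    if (!server_reply_ok) goto out;
    ok = 1;
out:
    tracked_free(buf);
    return ok;
}

/* Run `rounds` failed handshakes through one implementation and report how
 * many heap blocks it left behind. */
long leaked_after(int (*connect_fn)(const char *, int), int rounds) {
    long before = live_allocs;
    for (int i = 0; i < rounds; i++)
        connect_fn("ID:1234", 0);        /* the server rejects every attempt */
    return live_allocs - before;
}

int main(void) {
    printf("vulnerable: %ld blocks leaked after 100 failed handshakes\n",
           leaked_after(vuln_connect_repeater, 100));
    printf("hardened:   %ld blocks leaked after 100 failed handshakes\n",
           leaked_after(safe_connect_repeater, 100));
    return 0;
}
```

The single-exit (`goto out`) shape is the usual fix for this class in C: each new error check added later inherits the cleanup instead of having to remember it, which is how such leaks creep into connection code that grows extra failure paths over time.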

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted server response.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Heap out-of-bounds write

EUVDB-ID: #VU17750

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20750

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger out-of-bounds write in rfbserver.c and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Heap out-of-bounds write

EUVDB-ID: #VU17751

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20749

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger out-of-bounds write in rfbserver.c and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Heap out-of-bounds write

EUVDB-ID: #VU17749

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20748

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger out-of-bounds write in VNC client code and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted server response.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Heap out-of-bounds write

EUVDB-ID: #VU17123

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20019

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to heap out-of-bounds write in VNC client code. A remote attacker can trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC ITC1500: before 3.2.1.0

SIMATIC ITC1500 PRO: before 3.2.1.0

SIMATIC ITC1900: before 3.2.1.0

SIMATIC ITC1900 PRO: before 3.2.1.0

SIMATIC ITC2200: before 3.2.1.0

SIMATIC ITC2200 PRO: before 3.2.1.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-350-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to lure the device's VNC client into connecting to a VNC server under the attacker's control and then send it a specially crafted server response.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
