Multiple vulnerabilities in Siemens SINEC INS



Published: 2022-09-14
Risk High
Patch available YES
Number of vulnerabilities 15
CVE-ID CVE-2021-23337
CVE-2022-0396
CVE-2022-0235
CVE-2022-0155
CVE-2021-25220
CVE-2021-25217
CVE-2021-23841
CVE-2021-23839
CVE-2016-0701
CVE-2021-4160
CVE-2021-3749
CVE-2020-28500
CVE-2020-28168
CVE-2020-12762
CVE-2020-7793
CWE-ID CWE-77
CWE-399
CWE-200
CWE-350
CWE-20
CWE-476
CWE-310
CWE-400
CWE-185
CWE-918
CWE-787
Exploitation vector Network
Public exploit Public exploit code for vulnerability #14 is available.
Vulnerable software
Subscribe
SINEC INS
Server applications / SCADA systems

Vendor Siemens

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Command Injection

EUVDB-ID: #VU53202

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23337

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Resource management error

EUVDB-ID: #VU61423

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0396

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. A remote attacker can initiate a specially crafted TCP stream that can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.

This issue can only be triggered on BIND servers which have keep-response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block; any hosts which are specified within it will be able to trigger this issue on affected versions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Information disclosure

EUVDB-ID: #VU61471

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0235

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application follows the "Location" HTTP header redirect and passes authorization cookie to a third-party resource. A remote attacker can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Information disclosure

EUVDB-ID: #VU61669

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0155

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Reliance on Reverse DNS Resolution for a Security-Critical Action

EUVDB-ID: #VU61422

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-25220

CWE-ID: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

Exploit availability: No

Description

The vulnerability allows a remote attacker to poison DNS cache.

The vulnerability exists due to an error in DNS forwarder implementation. When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.


Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Input validation error

EUVDB-ID: #VU53609

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-25217

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack or gain access to sensitive information.

The vulnerability exists due to insufficient validation of options data stored in DHCP leases. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or gain access to sensitive information.

Both dhcpd and dhclient are affected by the vulnerability.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) NULL pointer dereference

EUVDB-ID: #VU50740

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23841

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the X509_issuer_and_serial_hash() function when parsing the issuer field in the X509 certificate. A remote attacker can supply a specially crafted certificate, trigger a NULL pointer dereference error and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Cryptographic issues

EUVDB-ID: #VU50744

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-23839

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to a faulty implementation of the padding check when server is configured to support SSLv2 protocol. A remote attacker can perform a MitM attack and force the server to use less secure protocols.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Information disclosure

EUVDB-ID: #VU2972

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2016-0701

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to DH_check_pub_key() function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Cryptographic issues

EUVDB-ID: #VU60166

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-4160

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt TLS traffic.

The vulnerability exists due to BN_mod_exp may produce incorrect results on MIPS. A remote attacker can decrypt TLS traffic. According to vendor, multiple EC algorithms are affected, including some of the TLS 1.3 default curves. 

Successful exploitation of the vulnerability requires certain pre-requisites for attack, such as obtaining and  reusing private keys. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

11) Resource exhaustion

EUVDB-ID: #VU56963

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3749

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the isURLSearchParams function in utils.js. A remote attacker can send specially crafted data to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

12) Incorrect Regular Expression

EUVDB-ID: #VU54394

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28500

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

13) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU49251

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28168

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

14) Out-of-bounds write

EUVDB-ID: #VU27882

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-12762

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in the "printbuf_memappend". A remote attacker can create a specially crafted JSON file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

15) Incorrect Regular Expression

EUVDB-ID: #VU63704

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7793

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SINEC INS: before 1.0 SP2

before 1.0 SP2
CPE2.3 External links

http://cert-portal.siemens.com/productcert/txt/ssa-637483.txt

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###