Main Vulnerability Database SB2023061617

SB2023061617 - Multiple vulnerabilities in Siemens SIMATIC S7-1500 TM MFP - BIOS

Published: June 16, 2023 Updated: June 7, 2024

Security Bulletin ID SB2023061617

Severity

High

Patch available

Number of vulnerabilities 53

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 53 secuirty vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2022-20422)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error within emulation_proc_handler() in armv8 emulation in arch/arm64/kernel/armv8_deprecated.c. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

2) Use-after-free (CVE-ID: CVE-2021-42386)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "nvalloc" function. A remote administrator can execute arbitrary code on the target system.

3) Use-after-free (CVE-ID: CVE-2022-1882)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the Linux kernel’s pipes functionality in free_pipe_info() function in fs/pipe.c. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

4) Resource management error (CVE-ID: CVE-2022-2585)

The vulnerability allows a local user to perform a denial of service (DoS) attack or escalate privileges on the system.

The vulnerability exists due to improper management of internal resources in POSIX CPU timers when handling death of a process. A local user can crash the kernel or execute arbitrary code.

5) Double Free (CVE-ID: CVE-2022-2588)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a double free error within the network packet scheduler implementation in the route4_change() function in Linux kernel when removing all references to a route filter before freeing it. A local user can run a specially crafted program to crash the kernel or execute arbitrary code.

6) Out-of-bounds read (CVE-ID: CVE-2022-2905)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the Linux kernel BPF subsystem. A local user can call the bpf_tail_call() function with a key larger than the max_entries of the map, trigger an out-of-bounds read and read parts of kernel memory.

7) Race condition (CVE-ID: CVE-2022-3028)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. A local user can exploit the race and escalate privileges on the system.

8) Out-of-bounds read (CVE-ID: CVE-2022-3435)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the fib_nh_match() function in net/ipv4/fib_semantics.c IPv4 handler. A remote attacker can send specially crafted data to the system, trigger an out-of-bounds read error and read contents of memory on the system.

9) Use-after-free (CVE-ID: CVE-2022-3586)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. A local user can perform a denial of service (DoS) attack.

10) Stack-based buffer overflow (CVE-ID: CVE-2022-4378)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the __do_proc_dointvec() function. A local user can trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.

11) Improper access control (CVE-ID: CVE-2022-4662)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper access restrictions in the Linux kernel USB core subsystem in the way user attaches usb device. A local user can perform a denial of service (DoS) attack.

12) Race condition (CVE-ID: CVE-2022-20421)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition within the Binder driver in Android kernel in drivers/android/binder.c. A local application can exploit the race to trigger a use-after-free error and execute arbitrary code with elevated privileges.

13) Information disclosure (CVE-ID: CVE-2022-21233)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to improper isolation of shared resources. A local administrator can gain unauthorized access to sensitive information on the system.

14) Use-after-free (CVE-ID: CVE-2021-42384)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "handle_special" function. A remote administrator can execute arbitrary code on the target system.

15) Buffer overflow (CVE-ID: CVE-2022-23218)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the svcunix_create() in the sunrpc module ib glibc. A remote attacker can pass specially crafted input to the application that is using the affected library version, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

16) Buffer overflow (CVE-ID: CVE-2022-23219)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the clnt_create() function in the sunrpc module. A remote attacker can pass specially crafted input to the application that is using the affected library version, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

17) OS Command Injection (CVE-ID: CVE-2022-28391)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation of DNS PTR records output within the netstat utility if executed on VT compatible terminal. A remote attacker can trick the victim to run the netstat command after initiating a connection to the system and execute arbitrary OS commands on the target system with privileges of the user running the netstat command.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

18) Use-after-free (CVE-ID: CVE-2022-30065)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing a crafted awk pattern in the copyvar function. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

19) Race condition (CVE-ID: CVE-2022-39188)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within include/asm-generic/tlb.h in the Linux kernel. A local user can exploit the race and escalate privileges on the system.

Note, this only occurs in situations with VM_PFNMAP VMAs.

20) Out-of-bounds read (CVE-ID: CVE-2022-39190)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to an out-of-bounds read error within the net/netfilter/nf_tables_api.c in the Linux kernel. A local user can bind to an already bound chain and crash the kernel.

21) Use-after-free (CVE-ID: CVE-2022-40307)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the drivers/firmware/efi/capsule-loader.c in Linux kernel. A local user can trigger a use-after-free error and perform a denial of service (DoS) attack.

22) Use-after-free (CVE-ID: CVE-2022-41222)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a use-after-free error caused by a stale TLB in mm/mremap.c, because an rmap lock is not held during a PUD move. A local user can gain access to sensitive information.

23) Use-after-free (CVE-ID: CVE-2022-42703)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the mm/rmap.c in the Linux kernel, related to leaf anon_vma double reuse. A local user can trigger a use-after-free error and crash the kernel.

24) Integer overflow (CVE-ID: CVE-2023-0179)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow within the nft_payload_copy_vlan() function in Linux kernel Netfilter. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.

25) NULL pointer dereference (CVE-ID: CVE-2023-0394)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the rawv6_push_pending_frames() function in net/ipv6/raw.c. A local user can run a specially crafted program on the system and perform a denial of service (DoS) attack.

26) Buffer overflow (CVE-ID: CVE-2023-1073)

The vulnerability allows an attacker to compromise the affected system.

The vulnerability exists due to a boundary error in the Linux kernel human interface device (HID) subsystem. An attacker with physical access to the system can insert in a specific way malicious USB device, trigger memory corruption and execute arbitrary code.

27) Use-after-free (CVE-ID: CVE-2021-42385)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "evaluate" function. A remote administrator can execute arbitrary code on the target system.

28) Use-after-free (CVE-ID: CVE-2021-42383)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the awk applet. A remote privileged user can pass a specially crafted input to the application, trigger a use-after-free error and execute arbitrary code.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

29) Double Free (CVE-ID: CVE-2021-27645)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the nameserver caching daemon (nscd) in the GNU C Library when processing a request for netgroup lookup. A local user can initiate a specially crafted request, trigger a double free error and perform a denial of service (DoS) attack.

30) Input validation error (CVE-ID: CVE-2016-10228)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

31) Out-of-bounds read (CVE-ID: CVE-2019-25013)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in GNU C Library within the iconv feature when processing multi-byte input sequences in the EUC-KR encoding. A remote attacker can pass specially crafted input to the application, trigger out-of-bounds read error and perform a denial of service (DoS) attack.

32) Use-after-free (CVE-ID: CVE-2020-1752)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the glob() function in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username are affected by this issue. A local user can create a specially crafted path that, when processed by the glob() function, would potentially lead to arbitrary code execution.

33) Stack-based buffer overflow (CVE-ID: CVE-2020-10029)

The vulnerability allows an attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within "sysdeps/ieee754/ldbl-96/e_rem_pio2l.c" in GNU C Library (aka glibc or libc6). An attacker can pas specially crafted input to the application and trigger a stack-based buffer overflow.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system or denial of service conditions.

34) Infinite loop (CVE-ID: CVE-2020-27618)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within iconv implementation when processing multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings. A remote attacker can pass specially crafted data to the application, consume all available system resources and cause denial of service conditions.

35) Reachable Assertion (CVE-ID: CVE-2020-29562)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when converting UCS4 text containing an irreversible character in the iconv function in the GNU C Library (aka glibc or libc6). A remote attacker can pass specially crafted data to the library, trigger an assertion failure and preform a denial of service attack.

36) Reachable Assertion (CVE-ID: CVE-2021-3326)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.

37) Memory leak (CVE-ID: CVE-2021-3998)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak in glibc realpath() function. A remote attacker can force the application to leak memory and perform denial of service attack or gain access to sensitive information.

38) Off-by-one (CVE-ID: CVE-2021-3999)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to an off-by-one error glibc getcwd() function. A remote attacker can pass specially crafted input to the application that is using the affected library version, trigger an off-by-one error and execute arbitrary code on the target system.

39) Incorrect default permissions (CVE-ID: CVE-2021-20269)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user can read arbitrary files and leak kernel internal information from a previous panic.

40) Improper Handling of Exceptional Conditions (CVE-ID: CVE-2021-28831)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of error bit on the huft_build result pointer in decompress_gunzip.c. A remote attacker can pass malformed gzip data to the application, trigger an invalid free and perform a denial of service (DoS) attack.

41) Use-after-free (CVE-ID: CVE-2021-42382)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "getvar_s" function. A remote administrator can execute arbitrary code on the target system.

42) Use-after-free (CVE-ID: CVE-2021-33574)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the mq_notify() function in the GNU C Library. A remote attacker can force the library to use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service or possibly remote code execution.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

43) Integer overflow (CVE-ID: CVE-2021-35942)

The vulnerability allows a remote attacker to gain access to sensitive information or perform a DoS attack.

The vulnerability exists due to integer overflow in parse_param in posix/wordexp.c in the GNU C Library when called with an untrusted pattern. A remote attacker can pass specially crafted data to the application, trigger integer overflow and read arbitrary memory on the system of perform a denial of service (DoS) attack.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

44) NULL pointer dereference (CVE-ID: CVE-2021-38604)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the "sysdeps/unix/sysv/linux/mq_notify.c" file within NOTIFY_REMOVED data. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

45) NULL pointer dereference (CVE-ID: CVE-2021-42373)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the man applet when a section name is supplied but no page argument is given. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

46) Out-of-bounds read (CVE-ID: CVE-2021-42374)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "unlzma". A remote attacker can trigger out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.

47) Input validation error (CVE-ID: CVE-2021-42375)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the ash applet. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

48) NULL pointer dereference (CVE-ID: CVE-2021-42376)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in Busybox's hush applet when processing a crafted shell command with a \x03 delimiter character. A local user can pass specially crafted string to the affected applet and crash the application.

49) Release of invalid pointer or reference (CVE-ID: CVE-2021-42377)

The vulnerability allows a remote attacker execute arbitrary code on the system.

The vulnerability exists due to improper input validation within the hush applet. A remote attacker can pass a specially crafted input to the application and potentially execute arbitrary shell commands.

50) Use-after-free (CVE-ID: CVE-2021-42378)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "getvar_i" function. A remote administrator can execute arbitrary code on the target system.

51) Use-after-free (CVE-ID: CVE-2021-42379)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "next_input_file" function. A remote administrator can execute arbitrary code on the target system.

52) Use-after-free (CVE-ID: CVE-2021-42380)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "next_input_file" function. A remote administrator can execute arbitrary code on the target system.

53) Use-after-free (CVE-ID: CVE-2021-42381)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "hash_init" function. A remote administrator can execute arbitrary code on the target system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://cert-portal.siemens.com/productcert/txt/ssa-831302.txt

SB2023061617 - Multiple vulnerabilities in Siemens SIMATIC S7-1500 TM MFP - BIOS

Breakdown by Severity

Description

Remediation

References

Please verify you're human