SB2023111629 - Multiple vulnerabilities in Siemens SIPROTEC 4 7SJ66 Devices

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023111629

SB2023111629 - Multiple vulnerabilities in Siemens SIPROTEC 4 7SJ66 Devices

Published: November 16, 2023

Security Bulletin ID SB2023111629
CSH Severity
High
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 44% Low 56%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 vulnerabilities.


1) Integer underflow (CVE-ID: CVE-2019-12255)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer underflow when processing TCP packets with URG-flag set. A remote attacker can send a specially crafted TCP request to the affected system, trigger integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Stack-based buffer overflow (CVE-ID: CVE-2019-12256)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing IPv4 options. A remote unauthenticated attacker can send specially crafted network traffic to the affected system, trigger stack-based buffer overflow and execute arbitrary code on the target system or crash the tNet0 task.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Input validation error (CVE-ID: CVE-2019-12258)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation when processing options in TCP packets. A remote attacker can a specially crafted TCP packet with the source and destination TCP-port and IP-addresses of an existing session can reset the TCP session, leading to a DoS attack.


4) NULL pointer dereference (CVE-ID: CVE-2019-12259)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing IGMP packets. A remote attacker can send specially crafted traffic to the affected system and perform a denial of service (DoS) attack.


5) Buffer overflow (CVE-ID: CVE-2019-12260)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing TCP-segments where the last step is a TCP-segment with the URG-flag set due to TCP Urgent Pointer state confusion caused by malformed TCP AO option. A remote attacker can send specially crafted TCP traffic to the affected system, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Buffer overflow (CVE-ID: CVE-2019-12261)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when sending responses to TCP requests due to TCP Urgent Pointer state confusion during connect() to a remote host. A remote attacker can trigger the system to initiate TCP connection to a malicious host, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Input validation error (CVE-ID: CVE-2019-12262)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing unsolicited Reverse ARP replies. A remote attacker can send specially crafted traffic and perform denial of service (DoS) attack.


8) Race condition (CVE-ID: CVE-2019-12263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a race condition when processing TCP packets. A remote unauthenticated attacker can send malicious sequence of TCP packets within a specific timing, trigger a race condition and perform denial of service attack.


9) Memory leak (CVE-ID: CVE-2019-12265)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak when processing IGMPv3 packets. A remote attacker can create a fragmented IGMPv3 query report and read memory contents in the response message.


Remediation

Install update from vendor's website.

References