#VU10111 Stack-based buffer overflow in Siemens products - CVE-2017-11496

Cybersecurity Help s.r.o.

Published: 2018-01-19

Vulnerability identifier: #VU10111

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-11496

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SIMATIC WinCC Add-On SIPAPER IT MIS
Server applications / SCADA systems
SIMATIC WinCC Add-On SICEMENT IT MIS
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-QUALITY
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN TCP/IP
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN PV02
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN PI
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN IMPORT
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN HOST-S
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN EXPORT
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-MAINT
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-CONTROL
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-ANALYZE
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-AGENT
Server applications / SCADA systems
SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL
Server applications / SCADA systems
SIMATIC WinCC Add-On PI CONNECT ALARM
Server applications / SCADA systems
SIMATIC WinCC Add-On Historian CONNECT ALARM
Server applications / SCADA systems

Vendor: Siemens

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow. A remote attacker can send malformed ASN1 streams in V2C and similar input files, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Install update from vendor's website.

Vulnerable software versions

SIMATIC WinCC Add-On SIPAPER IT MIS: All versions

SIMATIC WinCC Add-On SICEMENT IT MIS: All versions

SIMATIC WinCC Add-On PM-QUALITY: All versions

SIMATIC WinCC Add-On PM-OPEN TCP/IP: All versions

SIMATIC WinCC Add-On PM-OPEN PV02: All versions

SIMATIC WinCC Add-On PM-OPEN PI: All versions

SIMATIC WinCC Add-On PM-OPEN IMPORT: All versions

SIMATIC WinCC Add-On PM-OPEN HOST-S: All versions

SIMATIC WinCC Add-On PM-OPEN EXPORT: All versions

SIMATIC WinCC Add-On PM-MAINT: All versions

SIMATIC WinCC Add-On PM-CONTROL: All versions

SIMATIC WinCC Add-On PM-ANALYZE: All versions

SIMATIC WinCC Add-On PM-AGENT: All versions

SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL: All versions

SIMATIC WinCC Add-On PI CONNECT ALARM: All versions

SIMATIC WinCC Add-On Historian CONNECT ALARM: All versions

External links
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-127490.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens Building Technologies Products

Multiple vulnerabilities in Gemalto Sentinel License Manager

Multiple vulnerabilities in Siemens SIMATIC WinCC Add-Ons