#VU10113 Null pointer dereference in Siemens products - CVE-2017-11498

Cybersecurity Help s.r.o.

Published: 2018-01-19

Vulnerability identifier: #VU10113

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11498

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SIMATIC WinCC Add-On SIPAPER IT MIS
Server applications / SCADA systems
SIMATIC WinCC Add-On SICEMENT IT MIS
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-QUALITY
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN TCP/IP
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN PV02
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN PI
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN IMPORT
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN HOST-S
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-OPEN EXPORT
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-MAINT
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-CONTROL
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-ANALYZE
Server applications / SCADA systems
SIMATIC WinCC Add-On PM-AGENT
Server applications / SCADA systems
SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL
Server applications / SCADA systems
SIMATIC WinCC Add-On PI CONNECT ALARM
Server applications / SCADA systems
SIMATIC WinCC Add-On Historian CONNECT ALARM
Server applications / SCADA systems

Vendor: Siemens

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send language pack (ZIP file) with invalid HTML files, trigger NULL pointer dereference and cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

SIMATIC WinCC Add-On SIPAPER IT MIS: All versions

SIMATIC WinCC Add-On SICEMENT IT MIS: All versions

SIMATIC WinCC Add-On PM-QUALITY: All versions

SIMATIC WinCC Add-On PM-OPEN TCP/IP: All versions

SIMATIC WinCC Add-On PM-OPEN PV02: All versions

SIMATIC WinCC Add-On PM-OPEN PI: All versions

SIMATIC WinCC Add-On PM-OPEN IMPORT: All versions

SIMATIC WinCC Add-On PM-OPEN HOST-S: All versions

SIMATIC WinCC Add-On PM-OPEN EXPORT: All versions

SIMATIC WinCC Add-On PM-MAINT: All versions

SIMATIC WinCC Add-On PM-CONTROL: All versions

SIMATIC WinCC Add-On PM-ANALYZE: All versions

SIMATIC WinCC Add-On PM-AGENT: All versions

SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL: All versions

SIMATIC WinCC Add-On PI CONNECT ALARM: All versions

SIMATIC WinCC Add-On Historian CONNECT ALARM: All versions

External links
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-127490.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens Building Technologies Products

Multiple vulnerabilities in Gemalto Sentinel License Manager

Multiple vulnerabilities in Siemens SIMATIC WinCC Add-Ons