SB2021061008 - Multiple vulnerabilities in Siemens SIMATIC NET CP 443-1 OPC UA 

Published: June 10, 2021

Security Bulletin ID: SB2021061008
Severity: High
Patch available: NO
Number of vulnerabilities: 16
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 13%, Medium: 75%, Low: 13%

Description

This security bulletin contains information about 16 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2016-9042)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.


2) Race condition (CVE-ID: CVE-2016-4955)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in ntpd. A remote attacker can exploit the race and cause a denial of service condition on the target system.


3) Out-of-bounds read (CVE-ID: CVE-2016-2518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the MATCH_ASSOC function. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and cause a denial of service condition on the system.


4) Information disclosure (CVE-ID: CVE-2016-1550)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the message authentication functionality. A remote attacker can send a series of crafted messages to attempt to recover the message digest key.


5) Input validation error (CVE-ID: CVE-2016-1547)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can perform a denial of service (DoS) attack.


6) Denial of service (CVE-ID: CVE-2015-7705)

The vulnerability allows a remote user to cause denial of service on the target system.

The weakness exists due to security bypass in NTP and allows attackers to perform a DoS attack.

Successful exploitation of the vulnerability may result in denial of service on the vulnerable system.


7) Input validation error (CVE-ID: CVE-2016-4956)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet.


8) Data Handling (CVE-ID: CVE-2016-1548)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper data handling. A remote attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server.


9) Race condition (CVE-ID: CVE-2016-4954)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in the "process_packet" function in ntp_proto.c in ntpd. A remote attacker can exploit the race and cause a denial of service condition on the target system.


10) Stack-based buffer overflow (CVE-ID: CVE-2017-6548)

The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.

The weakness exists due to a stack-based buffer overflow. A remote attacker can send specially crafted multicast messages containing a long host or port, trigger memory corruption, gain control over networkmap’s control flow and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.


11) Improper Authentication (CVE-ID: CVE-2016-4953)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error when processing authentication requests in ntpd. A remote attacker can send a spoofed crypto-NAK packet with incorrect authentication data at a certain time and cause a denial of service (DoS) condition.


12) Buffer overflow (CVE-ID: CVE-2015-7853)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the "datalen" parameter in the "refclock" driver. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


13) Incorrect calculation (CVE-ID: CVE-2016-7433)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to improper performance of the initial sync calculations. A remote attacker can cause the service to crash via unknown vectors, related to a "root distance that did not include the peer dispersion."

14) Input validation error (CVE-ID: CVE-2016-7431)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression.


15) Input validation error (CVE-ID: CVE-2015-8138)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can bypass the origin timestamp validation via a packet with an origin timestamp set to zero.
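Items 14 and 15 both describe the same weak spot: an ntpd that accepts a packet whose origin timestamp is all zero instead of requiring it to match the transmit timestamp it last sent to that peer. The following Python is an added example, not code from this bulletin, from Siemens or from the NTP project. It parses the fixed 48-byte NTPv4 header as laid out in RFC 5905 and flags server-mode (mode 4) replies that carry a zero origin timestamp, which a legitimate reply never does because the server echoes the client's transmit timestamp there. The packets it inspects are constructed inline for the demonstration; the names `parse_ntp_header`, `has_zero_origin` and `scan_packets` are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List

# Fixed-length NTPv4 header (RFC 5905, section 7.3): 48 bytes, network byte order.
NTP_HEADER_LEN = 48
NTP_HEADER_FMT = "!BBbbIIIQQQQ"   # li/vn/mode, stratum, poll, precision, root delay,
                                  # root dispersion, reference id, then four 64-bit timestamps

MODE_SERVER = 4                   # server reply; origin ts must echo the client's transmit ts


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    origin_ts: int     # 64-bit NTP timestamp: seconds << 32 | fraction
    receive_ts: int
    transmit_ts: int


def parse_ntp_header(data: bytes) -> NtpHeader:
    """Decode the first 48 bytes of an NTP packet into an NtpHeader."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError(f"short NTP packet: {len(data)} bytes")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp,
     _ref_id, _ref_ts, origin_ts, receive_ts, transmit_ts) = struct.unpack(
        NTP_HEADER_FMT, data[:NTP_HEADER_LEN])
    return NtpHeader(
        leap=li_vn_mode >> 6,
        version=(li_vn_mode >> 3) & 0x7,
        mode=li_vn_mode & 0x7,
        stratum=stratum,
        origin_ts=origin_ts,
        receive_ts=receive_ts,
        transmit_ts=transmit_ts,
    )


def has_zero_origin(hdr: NtpHeader) -> bool:
    """True for a server-mode reply whose origin timestamp is zero.

    A genuine mode-4 reply copies the client's transmit timestamp into the
    origin field, so zero there is the condition the CVE-2015-8138 /
    CVE-2016-7431 checks are meant to reject. Broadcast (mode 5) packets
    legitimately carry a zero origin and are therefore not flagged here.
    """
    return hdr.mode == MODE_SERVER and hdr.origin_ts == 0


def scan_packets(packets: List[bytes]) -> List[int]:
    """Return the indices of packets that match the zero-origin condition."""
    flagged = []
    for i, pkt in enumerate(packets):
        try:
            hdr = parse_ntp_header(pkt)
        except ValueError:
            continue                      # truncated datagram: not an NTP header
        if has_zero_origin(hdr):
            flagged.append(i)
    return flagged


def build_ntp_packet(mode: int, origin_ts: int, transmit_ts: int,
                     version: int = 4, stratum: int = 2) -> bytes:
    """Assemble a minimal NTP header (constructed sample data for this example)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(NTP_HEADER_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, origin_ts, 0, transmit_ts)


# Constructed sample traffic: a normal reply, a zero-origin reply, a broadcast packet.
CLIENT_XMT = 0xE3A1B2C3_00000000          # constructed 64-bit NTP timestamp
SAMPLE_PACKETS = [
    build_ntp_packet(MODE_SERVER, CLIENT_XMT, CLIENT_XMT + (1 << 32)),  # legitimate
    build_ntp_packet(MODE_SERVER, 0, CLIENT_XMT + (1 << 32)),           # zero origin
    build_ntp_packet(5, 0, CLIENT_XMT + (1 << 32)),                     # broadcast, benign
]

if __name__ == "__main__":
    for idx in scan_packets(SAMPLE_PACKETS):
        h = parse_ntp_header(SAMPLE_PACKETS[idx])
        print(f"packet {idx}: mode {h.mode} reply with zero origin timestamp")
```

Fed a pcap-derived list of UDP/123 payloads, `scan_packets` gives a cheap first-pass indicator of the spoofed replies these two entries describe; it is a header-level heuristic, not a replacement for the peer state check that a patched ntpd performs, and it deliberately ignores the symmetric modes, where a first packet may carry a zero origin legitimately.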


16) Buffer overflow (CVE-ID: CVE-2017-6458)

The vulnerability allows a remote authenticated attacker to cause a DoS condition.

The weakness exists due to multiple buffer overflows in the ctl_put() functions in NTP. A remote attacker can send an overly long string argument, trigger memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.