Multiple vulnerabilities in Siemens SIMATIC NET CP 443-1 OPC UA



Published: 2021-06-10
Risk High
Patch available NO
Number of vulnerabilities 16
CVE-ID CVE-2016-9042
CVE-2016-4955
CVE-2016-2518
CVE-2016-1550
CVE-2016-1547
CVE-2015-7705
CVE-2016-4956
CVE-2016-1548
CVE-2016-4954
CVE-2017-6548
CVE-2016-4953
CVE-2015-7853
CVE-2016-7433
CVE-2016-7431
CVE-2015-8138
CVE-2017-6458
CWE-ID CWE-20
CWE-362
CWE-125
CWE-200
CWE-284
CWE-19
CWE-121
CWE-287
CWE-119
CWE-682
CWE-120
Exploitation vector Network
Public exploit Public exploit code for vulnerability #10 is available.
Vulnerable software
Subscribe
SIMATIC NET CP 443-1 OPC UA
Server applications / SCADA systems

Vendor Siemens

Security Bulletin

This security bulletin contains information about 16 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU37084

Risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-9042

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU54026

Risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-4955

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in ntpd. A remote attacker can exploit the race and cause a denial of service condition on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

EUVDB-ID: #VU54031

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-2518

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the MATCH_ASSOC function. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU54030

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-1550

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the message authentication functionality. A remote attacker can send a series of crafted messages to attempt to recover the message digest key.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU54029

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-1547

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Denial of service

EUVDB-ID: #VU624

Risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-7705

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to cause denial of service on the target system.
The weakness exists due to security bypass in NTP and allows attackers to perform DoS attack.
Successful exploitation of the vulnerability may result in denial of service on the vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU54028

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-4956

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Data Handling

EUVDB-ID: #VU54027

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-1548

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper data handling. A remote attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. 

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Race condition

EUVDB-ID: #VU54025

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-4954

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in the "process_packet" function in ntp_proto.c in ntpd. A remote attacker can exploit the race and cause a denial of service condition on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Stack-based buffer overflow

EUVDB-ID: #VU6515

Risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2017-6548

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow. A remote attacker can send a specially crafted multicast messages containing a long host or port, trigger memory corruption, gain control over networkmap’s control flow and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability result in arbitrary code execution.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

11) Improper Authentication

EUVDB-ID: #VU54024

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-4953

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests in ntpd. A remote attacker can send a spoofed crypto-NAK packet with incorrect authentication data at a certain time and cause a denial of service (DoS) condition.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Buffer overflow

EUVDB-ID: #VU54023

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-7853

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the "datalen" parameter in the "refclock" driver. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Incorrect calcualtion

EUVDB-ID: #VU12304

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-7433

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to improper performance of the initial sync calculations. A remote attacker can cause the service to crash via unknown vectors, related to a "root distance that did not include the peer dispersion."

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Input validation error

EUVDB-ID: #VU39824

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-7431

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Input validation error

EUVDB-ID: #VU54022

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-8138

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can bypass the origin timestamp validation via a packet with an origin timestamp set to zero.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Buffer overflow

EUVDB-ID: #VU7386

Risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-6458

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The weakness exists due to multiple buffer overflows in the ctl_put() functions in NTP. A remote attacker can an overly long string argument, trigger memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SIMATIC NET CP 443-1 OPC UA: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-159-11
http://cert-portal.siemens.com/productcert/txt/ssa-211752.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###