SB2022061614 - Multiple vulnerabilities in Siemens SINEMA Remote Connect Server
Published: June 16, 2022 Updated: September 21, 2022
Description
This security bulletin contains information about 30 security vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2022-22826)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the nextScaffoldPart() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Integer overflow (CVE-ID: CVE-2022-25315)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in storeRawNames function. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Integer overflow (CVE-ID: CVE-2022-25314)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in copyString. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
4) Input validation error (CVE-ID: CVE-2022-25236)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Integer overflow (CVE-ID: CVE-2022-22827)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the storeAtts() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Integer overflow (CVE-ID: CVE-2022-22825)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the lookup() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Integer overflow (CVE-ID: CVE-2022-22824)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the defineAttribute() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Integer overflow (CVE-ID: CVE-2022-22823)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the build_model() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Use of Uninitialized Variable (CVE-ID: CVE-2021-22925)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of an uninitialized variable in the code responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under the attacker's control and read up to 1800 bytes of uninitialized memory from the libcurl client system.
10) Stack exhaustion (CVE-ID: CVE-2022-25313)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unbounded recursion in build_model when processing a DTD element declaration with a large nesting depth. A remote unauthenticated attacker can pass specially crafted XML input to the application, exhaust the stack and crash the parser.
11) Code Injection (CVE-ID: CVE-2022-25235)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because the affected application lacks certain encoding validation, such as checks for whether a UTF-8 character is valid in a given context. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Integer overflow (CVE-ID: CVE-2022-23990)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the doProlog() function. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
13) Integer overflow (CVE-ID: CVE-2022-23852)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
14) Integer overflow (CVE-ID: CVE-2022-22822)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the addBinding() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Integer overflow (CVE-ID: CVE-2021-46143)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the doProlog() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
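Items 1, 2, 3, 5, 6, 7, 8, 12, 13, 14 and 15 above share one root cause: a buffer size derived from attacker-controlled counts is computed in fixed-width integer arithmetic, wraps, and an undersized allocation is then written past its end. The following C example is added here to illustrate that pattern and its fix; it is constructed for this bulletin and is not expat's or Siemens' code. The entry size and function names are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size of one entry in a hypothetical table (constructed value, not expat's). */
#define ENTRY_SIZE 24u

/* Pre-fix pattern: count * ENTRY_SIZE is evaluated in 32-bit arithmetic, so a
 * large count wraps to a small byte total and malloc() receives an undersized
 * request. Returns the wrapped byte count exactly as malloc() would see it. */
uint32_t table_bytes_unchecked(uint32_t count) {
    return count * ENTRY_SIZE;   /* wraps modulo 2^32, no error is signalled */
}

/* Fixed pattern: reject the multiplication before performing it, and cap the
 * result at what a signed 32-bit length field can hold (the check style the
 * expat 2.4.x fixes introduced). Returns 1 and sets *out_bytes on success,
 * 0 when the size cannot be represented. */
int table_bytes_checked(size_t count, size_t *out_bytes) {
    if (count > SIZE_MAX / ENTRY_SIZE) {
        return 0;                /* product would wrap size_t */
    }
    size_t bytes = count * ENTRY_SIZE;
    if (bytes > (size_t)INT32_MAX) {
        return 0;                /* too big for an int-typed length field */
    }
    *out_bytes = bytes;
    return 1;
}

/* Allocate a zeroed table of `count` entries using the checked sizing path.
 * Returns NULL instead of an undersized buffer when the size is invalid. */
void *alloc_table_checked(size_t count) {
    size_t bytes;
    if (!table_bytes_checked(count, &bytes)) {
        return NULL;
    }
    return calloc(1, bytes);
}

/* Smallest count whose 32-bit product wraps: 178956971 * 24 = 4294967304,
 * which is 2^32 + 8, so the unchecked path asks malloc() for 8 bytes. */
#define WRAPPING_COUNT 178956971u

int main(void) {
    void *t = alloc_table_checked(WRAPPING_COUNT);   /* NULL: size rejected */
    free(t);
    t = alloc_table_checked(100);                    /* 2400-byte table */
    free(t);
    return 0;
}
```

On a 64-bit build the first check passes and the INT32_MAX cap rejects the wrapping count; on a 32-bit build the SIZE_MAX division rejects it first. Either way the caller receives NULL rather than an 8-byte buffer it will then fill with 178956971 entries.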
16) Resource exhaustion (CVE-ID: CVE-2021-45960)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in the storeAtts() function in xmlparse.c. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
17) Improper Certificate Validation (CVE-ID: CVE-2021-22924)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the connection-matching logic does not take the "issuer cert" option into account and compares the involved file paths case-insensitively, so an existing TLS connection may be reused for a transfer that requested different certificate settings. A remote attacker can gain access to sensitive information on the system.
18) Cross-site scripting (CVE-ID: CVE-2022-29034)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the web interface. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
19) Missing Authentication for Critical Function (CVE-ID: CVE-2022-32251)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to missing authentication verification for a resource used to change the roles and permissions of a user. A remote user can change the permissions of any user and gain the privileges of an administrative user.
20) Command Injection (CVE-ID: CVE-2022-32262)
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation in the file upload server. A remote user can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
21) Cryptographic issues (CVE-ID: CVE-2022-27221)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a "BREACH" attack issue: secret values are included in HTTP responses that are compressed, so the compressed response length depends on how much attacker-influenced content matches the secret. A remote attacker in a machine-in-the-middle position can observe response lengths and obtain plaintext secret values.
22) Insufficient verification of data authenticity (CVE-ID: CVE-2022-32252)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to insufficient verification of data authenticity. A local administrator can trick a victim into installing a malicious package and gain root privileges.
23) Input validation error (CVE-ID: CVE-2022-32253)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can print the OpenSSL certificate's password to a reachable file.
24) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2022-32254)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists because the software stores sensitive information in log files. A remote user can send a specially crafted HTTP POST request to read the log files and gain access to sensitive data.
25) Improper access control (CVE-ID: CVE-2022-32255)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain access to limited information.
26) Improper access control (CVE-ID: CVE-2022-32256)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to privileged information.
27) Obsolete Feature in UI (CVE-ID: CVE-2022-32258)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected application retains an older feature that allows importing device configurations via a specific endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.
28) Information disclosure (CVE-ID: CVE-2022-32259)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the system images used for installation or update contain unit test scripts with sensitive information. A remote attacker can gain information about the testing architecture and also tamper with the test configuration.
29) Incorrect User Management (CVE-ID: CVE-2022-32260)
The vulnerability allows a local user to bypass authentication process.
The vulnerability exists because the affected application creates temporary user credentials for UMC (User Management Component) users. A local administrator can use these temporary credentials to bypass authentication.
30) Improper Handling of Parameters (CVE-ID: CVE-2022-32261)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected application's APT update configuration is insecure. A remote attacker can add insecure packages to the application.
Remediation
Install update from vendor's website.