SB2023111616 - Multiple vulnerabilities in Siemens SIMATIC MV500

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2022-23218)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the svcunix_create() in the sunrpc module ib glibc. A remote attacker can pass specially crafted input to the application that is using the affected library version, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Buffer overflow (CVE-ID: CVE-2022-23219)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the clnt_create() function in the sunrpc module. A remote attacker can pass specially crafted input to the application that is using the affected library version, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) NULL pointer dereference (CVE-ID: CVE-2022-44792)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the handle_ipDefaultTTL() function in agent/mibgroup/ip-mib/ip_scalars.c. A remote non-authenticated attacker can send specially crafted UDP to the application and perform a denial of service (DoS) attack.

4) NULL pointer dereference (CVE-ID: CVE-2022-44793)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the handle_ipv6IpForwarding() function in agent/mibgroup/ip-mib/ip_scalars.c. A remote attacker can send specially crafted UDP packets to the application and perform a denial of service (DoS) attack.

5) Improper Authentication (CVE-ID: CVE-2023-2975)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in the AES-SIV cipher implementation when authenticating empty data entries via the EVP_EncryptUpdate() and EVP_CipherUpdate() functions. A remote attacker can bypass authentication process and impact application's integrity.

6) Resource management error (CVE-ID: CVE-2023-3446)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the DH_check(), DH_check_ex() and EVP_PKEY_param_check() function when processing a DH key or DH parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

7) Resource management error (CVE-ID: CVE-2023-3817)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when checking the long DH keys. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

8) Out-of-bounds write (CVE-ID: CVE-2023-35788)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the fl_set_geneve_opt() function in net/sched/cls_flower.c in Linux kernel. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://cert-portal.siemens.com/productcert/txt/ssa-099606.txt