Multiple vulnerabilities in Siemens SIPROTEC 4 7SJ66 Devices
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2019-12255 CVE-2019-12256 CVE-2019-12258 CVE-2019-12259 CVE-2019-12260 CVE-2019-12261 CVE-2019-12262 CVE-2019-12263 CVE-2019-12265 |
| CWE-ID | CWE-191 CWE-121 CWE-20 CWE-476 CWE-119 CWE-362 CWE-401 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #3 is available. Vulnerability #9 is being exploited in the wild. |
| Vulnerable software |
SIPROTEC 4 7SJ66 Hardware solutions / Security hardware applicances |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Integer underflow
EUVDB-ID: #VU19580
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-12255
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer underflow when processing TCP packets with URG-flag set. A remote attacker can send a specially crafted TCP request to the affected system, trigger integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Stack-based buffer overflow
EUVDB-ID: #VU19578
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-12256
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing IPv4 options. A remote unauthenticated attacker can send specially crafted network traffic to the affected system, trigger stack-based buffer overflow and execute arbitrary code on the target system or crash the tNet0 task.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU19584
Risk: Low
CVSSv4.0: 5.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2019-12258
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation when processing options in TCP packets. A remote attacker can a specially crafted TCP packet with the source and destination TCP-port and IP-addresses of an existing session can reset the TCP session, leading to a DoS attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
4) NULL pointer dereference
EUVDB-ID: #VU19586
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-12259
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when processing IGMP packets. A remote attacker can send specially crafted traffic to the affected system and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU19581
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-12260
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing TCP-segments where the last step is a TCP-segment with the URG-flag set due to TCP Urgent Pointer state confusion caused by malformed TCP AO option. A remote attacker can send specially crafted TCP traffic to the affected system, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU19582
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-12261
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when sending responses to TCP requests due to TCP Urgent Pointer state confusion during connect() to a remote host. A remote attacker can trigger the system to initiate TCP connection to a malicious host, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU19587
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-12262
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing unsolicited Reverse ARP replies. A remote attacker can send specially crafted traffic and perform denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Race condition
EUVDB-ID: #VU19583
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-12263
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to a race condition when processing TCP packets. A remote unauthenticated attacker can send malicious sequence of TCP packets within a specific timing, trigger a race condition and perform denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Memory leak
EUVDB-ID: #VU19588
Risk: Low
CVSSv4.0: 5.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2019-12265
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due memory leak when processing IGMPv3 packets. A remote attacker can create a fragmented IGMPv3 query report and read memory contents in the response message.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIPROTEC 4 7SJ66: before 4.41
CPE2.3 External linkshttps://cert-portal.siemens.com/productcert/txt/ssa-617233.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
