Multiple vulnerabilities in Siemens SIMATIC NET CP 443-1 OPC UA
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 16 |
| CVE-ID | CVE-2016-9042 CVE-2016-4955 CVE-2016-2518 CVE-2016-1550 CVE-2016-1547 CVE-2015-7705 CVE-2016-4956 CVE-2016-1548 CVE-2016-4954 CVE-2017-6548 CVE-2016-4953 CVE-2015-7853 CVE-2016-7433 CVE-2016-7431 CVE-2015-8138 CVE-2017-6458 |
| CWE-ID | CWE-20 CWE-362 CWE-125 CWE-200 CWE-284 CWE-19 CWE-121 CWE-287 CWE-119 CWE-682 CWE-120 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #10 is available. |
| Vulnerable software |
SIMATIC NET CP 443-1 OPC UA Server applications / SCADA systems |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU37084
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-9042
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Race condition
EUVDB-ID: #VU54026
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-4955
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in ntpd. A remote attacker can exploit the race and cause a denial of service condition on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU54031
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-2518
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the MATCH_ASSOC function. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and cause a denial of service condition on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU54030
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-1550
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the message authentication functionality. A remote attacker can send a series of crafted messages to attempt to recover the message digest key.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU54029
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-1547
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can perform a denial of service (DoS) attack.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Denial of service
EUVDB-ID: #VU624
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-7705
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to cause denial of service on the target system.
The weakness exists due to security bypass in NTP and allows attackers to perform DoS attack.
Successful exploitation of the vulnerability may result in denial of service on the vulnerable system.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU54028
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-4956
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Data Handling
EUVDB-ID: #VU54027
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-1548
CWE-ID:
CWE-19 - Data Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper data handling. A remote attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Race condition
EUVDB-ID: #VU54025
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-4954
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in the "process_packet" function in ntp_proto.c in ntpd. A remote attacker can exploit the race and cause a denial of service condition on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Stack-based buffer overflow
EUVDB-ID: #VU6515
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-6548
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness exists due to stack-based buffer overflow. A remote attacker can send a specially crafted multicast messages containing a long host or port, trigger memory corruption, gain control over networkmap’s control flow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability result in arbitrary code execution.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Improper Authentication
EUVDB-ID: #VU54024
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-4953
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests in ntpd. A remote attacker can send a spoofed crypto-NAK packet with incorrect authentication data at a certain time and cause a denial of service (DoS) condition.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU54023
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2015-7853
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "datalen" parameter in the "refclock" driver. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Incorrect calcualtion
EUVDB-ID: #VU12304
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-7433
CWE-ID:
CWE-682 - Incorrect Calculation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to improper performance of the initial sync calculations. A remote attacker can cause the service to crash via unknown vectors, related to a "root distance that did not include the peer dispersion."
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU39824
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-7431
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Input validation error
EUVDB-ID: #VU54022
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2015-8138
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can bypass the origin timestamp validation via a packet with an origin timestamp set to zero.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Buffer overflow
EUVDB-ID: #VU7386
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-6458
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to cause DoS condition.
The weakness exists due to multiple buffer overflows in the ctl_put() functions in NTP. A remote attacker can an overly long string argument, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSIMATIC NET CP 443-1 OPC UA: All versions
CPE2.3 External linkshttps://ics-cert.us-cert.gov/advisories/icsa-21-159-11
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
