Multiple vulnerabilities in Siemens SIMATIC CP Devices
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-34819 CVE-2022-34820 CVE-2022-34821 |
| CWE-ID | CWE-122 CWE-77 CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SIMATIC CP 1242-7 V2 Hardware solutions / Firmware SIMATIC CP 1243-1 Hardware solutions / Firmware SIMATIC CP 1243-7 LTE EU Hardware solutions / Firmware SIMATIC CP 1243-7 LTE US Hardware solutions / Firmware SIMATIC CP 1243-8 IRC Hardware solutions / Firmware SIMATIC CP 1542SP-1 IRC Hardware solutions / Firmware SIMATIC CP 1543SP-1 Hardware solutions / Firmware SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL Hardware solutions / Firmware SIPLUS ET 200SP CP 1543SP-1 ISEC Hardware solutions / Firmware SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL Hardware solutions / Firmware SIPLUS NET CP 1242-7 V2 Hardware solutions / Firmware SIPLUS S7-1200 CP 1243-1 Hardware solutions / Firmware SIPLUS S7-1200 CP 1243-1 RAIL Hardware solutions / Firmware SIMATIC CP 1543-1 Hardware solutions / Firmware SIPLUS NET CP 1543-1 Hardware solutions / Firmware |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU65271
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-34819
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing specific messages. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIMATIC CP 1242-7 V2: All versions
SIMATIC CP 1243-1: All versions
SIMATIC CP 1243-7 LTE EU: All versions
SIMATIC CP 1243-7 LTE US: All versions
SIMATIC CP 1243-8 IRC: All versions
SIMATIC CP 1542SP-1 IRC: 2.0
SIMATIC CP 1543SP-1: 2.0
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL: 2.0
SIPLUS ET 200SP CP 1543SP-1 ISEC: 2.0
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL: 2.0
SIPLUS NET CP 1242-7 V2: All versions
SIPLUS S7-1200 CP 1243-1: All versions
SIPLUS S7-1200 CP 1243-1 RAIL: All versions
SIMATIC CP 1543-1: before 3.0.22
SIPLUS NET CP 1543-1: before 3.0.22
CPE2.3- cpe:2.3:h:siemens:simatic_cp_1242-7_v2:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-7_lte_eu:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-7_lte_us:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-8_irc:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:2.0:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543sp-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543sp-1:2.0:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_net_cp_1242-7_v2:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_net_cp_1543-1:*:*:*:*:*:*:*:*
https://cert-portal.siemens.com/productcert/pdf/ssa-517377.pdficsa-22-195-12
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Command Injection
EUVDB-ID: #VU65272
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-34820
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to the affected application does not correctly escape some user provided fields during the authentication process. A remote administrator on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIMATIC CP 1242-7 V2: All versions
SIMATIC CP 1243-1: All versions
SIMATIC CP 1243-7 LTE EU: All versions
SIMATIC CP 1243-7 LTE US: All versions
SIMATIC CP 1243-8 IRC: All versions
SIMATIC CP 1542SP-1 IRC: 2.0
SIMATIC CP 1543SP-1: 2.0
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL: 2.0
SIPLUS ET 200SP CP 1543SP-1 ISEC: 2.0
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL: 2.0
SIPLUS NET CP 1242-7 V2: All versions
SIPLUS S7-1200 CP 1243-1: All versions
SIPLUS S7-1200 CP 1243-1 RAIL: All versions
SIMATIC CP 1543-1: before 3.0.22
SIPLUS NET CP 1543-1: before 3.0.22
CPE2.3- cpe:2.3:h:siemens:simatic_cp_1242-7_v2:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-7_lte_eu:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-7_lte_us:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-8_irc:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:2.0:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543sp-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543sp-1:2.0:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_net_cp_1242-7_v2:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_net_cp_1543-1:*:*:*:*:*:*:*:*
https://cert-portal.siemens.com/productcert/pdf/ssa-517377.pdficsa-22-195-12
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Code Injection
EUVDB-ID: #VU65274
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-34821
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the specific configuration options for OpenVPN. A remote administrator on the local network can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIMATIC CP 1242-7 V2: All versions
SIMATIC CP 1243-1: All versions
SIMATIC CP 1243-7 LTE EU: All versions
SIMATIC CP 1243-7 LTE US: All versions
SIMATIC CP 1243-8 IRC: All versions
SIMATIC CP 1542SP-1 IRC: 2.0
SIMATIC CP 1543SP-1: 2.0
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL: 2.0
SIPLUS ET 200SP CP 1543SP-1 ISEC: 2.0
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL: 2.0
SIPLUS NET CP 1242-7 V2: All versions
SIPLUS S7-1200 CP 1243-1: All versions
SIPLUS S7-1200 CP 1243-1 RAIL: All versions
SIMATIC CP 1543-1: before 3.0.22
SIPLUS NET CP 1543-1: before 3.0.22
CPE2.3- cpe:2.3:h:siemens:simatic_cp_1242-7_v2:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-7_lte_eu:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-7_lte_us:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1243-8_irc:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:2.0:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543sp-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543sp-1:2.0:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_net_cp_1242-7_v2:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1_rail:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:simatic_cp_1543-1:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:siplus_net_cp_1543-1:*:*:*:*:*:*:*:*
https://cert-portal.siemens.com/productcert/pdf/ssa-517377.pdficsa-22-195-12
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
