All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEMA Remote Connect Server
- Vulnerabilities: Multiple
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, disclose sensitive information, or execute arbitrary code on the affected server.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
- Siemens SINEMA Remote Connect Server: All versions prior to v3.1
3.2 VULNERABILITY OVERVIEW
libcurl keeps previously used connections in a connection pool so that subsequent transfers can reuse them when their configuration matches. Due to errors in the logic that decides whether a pooled connection matches the new transfer's configuration, libcurl could reuse the wrong connection.
CVE-2021-22924 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.2 USE OF UNINITIALIZED RESOURCE CWE-908
curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. Due to a flaw in the option parser, libcurl could pass on uninitialized data from a stack-based buffer to the server, revealing sensitive internal information (stack contents) to the server.
In Expat, also called libexpat, versions prior to 2.4.3 a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior.
In doProlog in xmlparse.c in Expat, also called libexpat, versions prior to 2.4.3, an integer overflow exists for m_groupSize.
addBinding in xmlparse.c in Expat, also called libexpat, has an integer overflow in versions prior to 2.4.3.
build_model in xmlparse.c in Expat, also called libexpat, has an integer overflow in versions prior to 2.4.3.
defineAttribute in xmlparse.c in Expat, also called libexpat, has an integer overflow in versions prior to 2.4.3.
lookup in xmlparse.c in Expat, also called libexpat, has an integer overflow in versions prior to 2.4.3.
nextScaffoldPart in xmlparse.c in Expat, also called libexpat, has an integer overflow in versions prior to 2.4.3.
storeAtts in xmlparse.c in Expat, also called libexpat, has an integer overflow in versions prior to 2.4.3.
Expat, also called libexpat, versions prior to 2.4.4 have a signed integer overflow in XML_GetBuffer for configurations with a nonzero XML_CONTEXT_BYTES.
Expat, also called libexpat, versions prior to 2.4.4 have an integer overflow in the doProlog function.
xmltok_impl.c in Expat, also called libexpat, versions prior to 2.4.5 lack a certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
xmlparse.c in Expat, also called libexpat, versions prior to 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
In Expat, also called libexpat, versions prior to 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
In Expat, also called libexpat versions prior to 2.4.5, there is an integer overflow in copyString.
In Expat, also called libexpat, versions prior to 2.4.5, there is an integer overflow in storeRawNames.
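The Expat entries above share one root cause: a size or count is computed with unchecked integer arithmetic, wraps, and is then handed to realloc, so the allocation is far smaller than the number of elements the parser goes on to write. The following is an added example, not Expat's code and not from the Siemens advisory: a hypothetical attribute table (modelled loosely on the growable arrays in xmlparse.c) with a naive byte-count computation beside an overflow-checked one, using the GCC/Clang __builtin_*_overflow intrinsics. All names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable table of attribute-name pointers (example code,
 * not Expat's own data structure). */
typedef struct {
    const char **items;  /* heap array of attribute name pointers */
    size_t count;        /* entries in use */
    size_t capacity;     /* entries allocated */
} attr_table;

/* VULNERABLE pattern: the byte count is computed with unchecked arithmetic.
 * When new_capacity * sizeof(pointer) wraps around, realloc is handed a tiny
 * (even zero) size, succeeds, and later element writes run past the buffer. */
static size_t naive_bytes(size_t new_capacity) {
    return new_capacity * sizeof(const char *);
}

/* HARDENED pattern: refuse any byte count that would wrap. Returns false on
 * overflow and leaves *out_bytes undefined in that case. */
static bool checked_bytes(size_t new_capacity, size_t *out_bytes) {
    return !__builtin_mul_overflow(new_capacity, sizeof(const char *), out_bytes);
}

/* Grow the table to hold at least `needed` entries. Both the doubling step
 * and the final byte count are overflow-checked; on failure the table is
 * left untouched so the caller can report an error instead of corrupting memory. */
static bool attr_table_reserve(attr_table *t, size_t needed) {
    if (needed <= t->capacity)
        return true;
    size_t new_cap = t->capacity ? t->capacity : 16;
    while (new_cap < needed) {
        if (__builtin_mul_overflow(new_cap, (size_t)2, &new_cap))
            return false;               /* doubling would wrap */
    }
    size_t bytes;
    if (!checked_bytes(new_cap, &bytes))
        return false;                   /* element count * size would wrap */
    const char **p = realloc(t->items, bytes);
    if (!p)
        return false;                   /* genuine allocation failure */
    t->items = p;
    t->capacity = new_cap;
    return true;
}

/* Append one entry; the count increment itself is also checked. */
static bool attr_table_push(attr_table *t, const char *name) {
    size_t needed;
    if (__builtin_add_overflow(t->count, (size_t)1, &needed))
        return false;
    if (!attr_table_reserve(t, needed))
        return false;
    t->items[t->count++] = name;
    return true;
}

static void attr_table_free(attr_table *t) {
    free(t->items);
    t->items = NULL;
    t->count = t->capacity = 0;
}

int main(void) {
    /* Smallest element count whose byte size wraps past SIZE_MAX. */
    size_t wrap_count = SIZE_MAX / sizeof(const char *) + 1;
    size_t bytes;
    printf("naive bytes for %zu elements: %zu\n", wrap_count, naive_bytes(wrap_count));
    printf("checked bytes for %zu elements: %s\n", wrap_count,
           checked_bytes(wrap_count, &bytes) ? "ok" : "refused (overflow)");

    attr_table t = {0};
    attr_table_push(&t, "id");
    attr_table_push(&t, "class");
    printf("reserve(SIZE_MAX) -> %s, capacity still %zu\n",
           attr_table_reserve(&t, SIZE_MAX) ? "ok" : "refused", t.capacity);
    attr_table_free(&t);
    return 0;
}
```

The naive computation returns 0 bytes for the wrapping count, which realloc happily satisfies; the checked path reports failure before any allocation happens. The same shape of guard (check the multiplication or addition, not the result) is what closes each of the CWE-190 items listed for Expat.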
3.2.18 CRYPTOGRAPHIC ISSUES CWE-310
An attacker employing a machine-in-the-middle attack could obtain plaintext secret values by observing length differences during a series of guesses, in which a string in an HTTP request URL matches an unknown string in an HTTP response body (i.e., BREACH attack).
There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain privileges of an administrative user.
The application does not perform an integrity check of update packages. Without validation, an admin user could be tricked into installing a malicious package, granting root privileges to an attacker.
Due to improper input validation, the OpenSSL certificate’s password could be printed to a file reachable by an attacker.
A customized HTTP POST request could force the application to write the status of a given user to a log file, exposing sensitive user information.
The affected application’s web service lacks proper access control for some endpoints. This vulnerability could lead to unauthorized access to information.
The affected application’s web service lacks proper access control for some endpoints. This could lead to low privileged users’ access to privileged information.
The affected application allows the import of device configurations via a specific endpoint, which could allow information disclosure.
The system images for installation or update of the affected application contain unit test scripts with sensitive information. An attacker could gain information about testing architecture and tamper with test configuration.
The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass.
The affected application contains a misconfiguration in the APT update. This vulnerability could allow an attacker to add insecure packages to the application.
The affected application contains a file upload server vulnerable to command injection. An attacker could exploit this vulnerability to achieve arbitrary code execution.
- CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
Siemens notified CISA of these vulnerabilities.
Siemens recommends updating the products to the latest version of their software:
- Siemens SINEMA Remote Connect Server: Update to v3.1 or later
The update of SINEMA Remote Connect Server to v3.1 also contains additional fixes for vulnerabilities documented in the following Siemens Security Advisories:
For further inquiries on security vulnerabilities in Siemens products and solutions, contact Siemens.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information, see Siemens Security Advisory SSA-484086.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact CISA at:
Toll Free: 1-888-282-0870