Siemens SIPROTEC 4, SIPROTEC Compact, and Reyrolle Devices using the EN100 Ethernet Communication Module Extension Missing Authentication For Critical Function (CVE-2018-4838)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500163);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2018-4838");

  script_name(english:"Siemens SIPROTEC 4, SIPROTEC Compact, and Reyrolle Devices using the EN100 Ethernet Communication Module Extension Missing Authentication For Critical Function (CVE-2018-4838)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet
module DNP3 variant (All versions < V1.04), EN100 Ethernet module PROFINET IO variant (All versions), EN100 Ethernet
module Modbus TCP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions < V1.22). The web
interface (TCP/80) of affected devices allows an unauthenticated user to upgrade or downgrade the firmware of the
device, including to older versions with known vulnerabilities.  

This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-18-067-01");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-18-067-02");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/bid/103379");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has provided the following updates for mitigations:

- EN100 Ethernet module DNP3 variant (All versions prior to v1.04): Update to v1.04 and configure maintenance password,
which can be located here: https://support.industry.siemens.com/cs/us/en/ view/109745821
- EN100 Ethernet module IEC 61850 variant (All versions prior to v4.30): Update to v4.30, which can be located here:
https://support.industry.siemens.com/cs/us/en/view/109745821

- EN100 Ethernet module IEC 104 variant: Update to v1.22, which can be located here:
https://support.industry.siemens.com/cs/document/109745821

For all other affected products, Siemens has identified the following specific workarounds and mitigations that users
can apply to reduce the risk. As a general security measure Siemens strongly recommends to protect network access with
appropriate mechanisms (e.g., firewalls, segmentation, VPN). It is advised to configure the environment according to
Siemens’ operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines to Secure Substations and Defense-in-Depth can be found at:
https://www.siemens.com/gridsecurity

For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories

For more information on this vulnerability and associated software updates, please see Siemens security notification
SSA-845879 on their website: https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4838");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(306);

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_iec_104_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_dnp3_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:en100_ethernet_module_iec_104_firmware:-" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_dnp3_firmware:-" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware:-" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware" :
        {"versionEndExcluding" : "4.30", "family" : "Siprotec4"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);