Siemens SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM Out-of-Bounds Read (CVE-2019-6568)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500268);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2019-6568");

  script_name(english:"Siemens SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM Out-of-Bounds Read (CVE-2019-6568)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The webserver of the affected devices contains a vulnerability that
may lead to a denial of service condition. An attacker may cause a
denial of service situation which leads to a restart of the webserver
of the affected device. The security vulnerability could be exploited
by an attacker with network access to the affected systems. Successful
exploitation requires no system privileges and no user interaction. An
attacker could use the vulnerability to compromise availability of the
device.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-480230.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-530931.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-19-099-06");
  script_set_attribute(attribute:"solution", value:
'The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends upgrading to the following firmware updates for the products below:

- SIMATIC ET 200 SP Open Controller CPU 1515SP PC (incl. SIPLUS variants): Update to v2.1.6
- SIMATIC ET 200 SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): Update to v2.7
- SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): Update to v15.1 Upd4
- SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): Update to v15.1 Upd4
- SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (incl. SIPLUS variants): Update to v15.1
Upd4
- SIMATIC IPC DiagMonitor: Update to v5.1.3
- SIMATIC RF185C, RF186C, and RF188C: Update to v1.1.0
- SIMATIC RF600R: Update to v3.2.1
- SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): Update to v2.6.1
- SIMATIC S7-1500 Software Controller: Update to v2.7
- SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants): Update to v3.X.16
- SIMATIC S7-PLCSIM Advanced: Update to v2.0 SP1 Upd1
- SIMATIC WinAC RTX (F) 2010: Update to SP3 and apply BIOS and MS Windows updates
- SIMATIC WinCC Runtime Advanced: Update to v15.1 Upd4
- SIMOCODE pro VPN (incl. SIPLUS variants): Update to v2.1.3

- SIMOCODE pro V EIP (incl. SIPLUS variants): Update to v1.1.3

- SINAMICS G130 v5.1 Control Unit: Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2
- SINAMICS G130 v5.1 SP1 Control Unit: Update to v5.1 SP1 HF4 or later version
- SINAMICS G150 v5.1 Control Unit: Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2
- SINAMICS G150 v5.1 SP1Control Unit: Update to v5.1 SP1 HF4 or later version
- SINAMICS S120 v5.1 Control Unit (incl. SIPLUS variants): Update to v5.1 SP1 HF4 or later version, or to latest version
ofv5.2
- SINAMICS S120 v5.1 SP1 Control Unit(incl. SIPLUS variants): Update to v5.1 SP1 HF4 or later version
- SINAMICS S150 v5.1 Control Unit: Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2
- SINAMICS S150 v5.1 SP1 Control Unit: Update to v5.1 SP1 HF4 or later version
- SINAMICS G130 v4.6, v4.7, and v4.7 SP1: Update to v5.2 (latest version)
- SINAMICS G130 v4.8: Update to v4.8 HF6
- SINAMICS G150 v4.6 and v4.7 SP1: Update to v5.2 (latest version)
- SINAMICS G150 v4.8: Update to v4.8 HF6
- SINAMICS S120 v4.6 and v4.7 SP1 (incl. SIPLUS variants): Update to v5.2 (latest version)
- SINAMICS S120 v4.8 (incl. SIPLUS variants): Update to v4.8 HF6
- SINAMICS S150 v4.6 and v4.7 SP1: Update to v5.2 (latest version)
- SINAMICS S150 v4.8: Update to v4.8 HF6
- SITOP Manager: Update to v1.1
- SITOP PSU8600: Update to v1.5 
- SITOP UPS1600 (incl. SIPLUS variants): Update to v2.3
- TIM 1531 IRC (incl. SIPLUS NET variants): Update to v2.1

For all other affected products, Siemens has identified the following specific workarounds and mitigations users can
apply to reduce the risk:

- Apply appropriate strategies for mitigation as described in the general security recommendation section.
- Restrict network access to the integrated webserver.
- Deactivate the webserver if not required and if deactivation is supported by the product.
- For SINAMICS S, G130, G150 devices: perform upgrade to a new fixed version, for example v5.2.

As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens’ operational guidelines for Industrial Security, and follow the recommendations in the
product manuals.

Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For more information on the vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-480230');
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6568");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(125);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp343-1_advanced_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp443-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp443-1_advanced_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp443-1_opc_ua_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200pro_im_154-8_pn%2fdp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200pro_im_154-8f_pn%2fdp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200pro_im_154-8fx_pn%2fdp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200s_im_151-8_pn%2fdp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200s_im_151-8f_pn%2fdp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-300_cpu_314c-2_pn%2fdp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-300_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v6_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v7_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:sitop_psu8600_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:sitop_ups1600_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_cp343-1_advanced_firmware" :
        {"family" : "S7300", "orderNumbers" : ["6GK7343-1GX31-0XE0", "6AG1343-1GX31-4XE0"]},
    "cpe:/o:siemens:simatic_cp443-1_firmware" :
        {"family" : "S7400", "versionEndExcluding" : "3.3", "orderNumbers" : ["6GK7443-1EX30-0XE0", "6GK7443-1EX30-0XE1", "6AG1443-1EX30-4XE0"]},
    "cpe:/o:siemens:simatic_cp443-1_advanced_firmware" :
        {"family" : "S7400", "versionEndExcluding" : "3.3", "orderNumbers" : ["6GK7443-1GX30-0XE0", "6AG1443-1GX30-4XE0"]},
    "cpe:/o:siemens:simatic_cp443-1_opc_ua_firmware" :
        {"family" : "S7400", "orderNumbers" : ["6GK7443-1UX00-0XE0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_et_200pro_im_154-8_pn%2fdp_firmware" :
        {"versionEndExcluding" : "3.2.16", "family" : "ET200", "orderNumbers" : ["6ES7154-8AB01-0AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_et_200pro_im_154-8f_pn%2fdp_firmware" :
        {"versionEndExcluding" : "3.2.16", "family" : "ET200", "orderNumbers" : ["6ES7154-8FB01-0AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_et_200pro_im_154-8fx_pn%2fdp_firmware" :
        {"versionEndExcluding" : "3.2.16", "family" : "ET200", "orderNumbers" : ["6ES7154-8FX00-0AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:cpe:/o:siemens:simatic_et_200s_im_151-8_pn%2fdp_firmware" :
        {"versionEndExcluding" : "3.2.16", "family" : "ET200", "orderNumbers" : ["6ES7151-8AB01-0AB0", "6AG1151-8AB01-7AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:cpe:/o:siemens:simatic_et_200s_im_151-8f_pn%2fdp_firmware" :
        {"versionEndExcluding" : "3.2.16", "family" : "ET200", "orderNumbers" : ["6ES7151-8FB01-0AB0", "6AG1151-8FB01-2AB0"]},
    "cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc_firmware" :
        {"versionEndExcluding" : "2.1.6", "family" : "ET200SP"},
    "cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc2_firmware" :
        {"versionEndExcluding" : "2.7", "family" : "ET200SP"},
    "cpe:/o:siemens:simatic_s7-1500_firmware" :
        {"versionEndExcluding" : "2.6.1", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-300_cpu_314c-2_pn%2fdp_firmware" :
        {"versionEndExcluding" : "3.3.17", "family" : "S7300", "orderNumbers" : ["6ES7314-6EH04-0AB0", "6AG1314-6EH04-7AB0"]},
    "cpe:/o:siemens:simatic_s7-300_firmware" :
        {"versionEndExcluding" : "3.2.16", "family" : "S7300", "orderNumbers" : ["6ES7315-2EH14-0AB0", "6ES7315-2FJ14-0AB0", "6ES7315-7TJ10-0AB0", "6ES7317-2EK14-0AB0", "6ES7317-2FK14-0AB0", "6ES7317-7TK10-0AB0", "6ES7317-7UL10-0AB0", "6ES7318-3EL01-0AB0", "6ES7318-3FL01-0AB0", "6AG1315-2EH14-7AB0", "6AG1315-2FJ14-2AB0", "6AG1317-2EK14-7AB0", "6AG1317-2FK14-2AB0"]},
    "cpe:/o:siemens:simatic_s7-400_pn%2fdp_v6_firmware" :
        {"versionStartIncluding" : "6.0", "versionEndIncluding" : "6.x", "family" : "S7400"},
    "cpe:/o:siemens:simatic_s7-400_pn%2fdp_v7_firmware" :
        {"versionStartIncluding" : "7.0", "versionEndIncluding" : "7.x", "family" : "S7400"},
    "cpe:/o:siemens:sitop_psu8600_firmware" :
        {"versionEndExcluding" : "1.5", "family" : "SITOP"},
    "cpe:/o:siemens:sitop_ups1600_firmware" :
        {"versionEndExcluding" : "2.3", "family" : "SITOP"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);