Siemens Industrial Products with OPC UA Uncaught Exception (CVE-2019-6575)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500070);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2019-6575");
  script_xref(name:"ICSA", value:"19-099-03");
  script_xref(name:"CEA-ID", value:"CEA-2019-0227");

  script_name(english:"Siemens Industrial Products with OPC UA Uncaught Exception (CVE-2019-6575)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All
versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) (All versions < V2.7), SIMATIC HMI Comfort Outdoor
Panels 7 & 15 (incl. SIPLUS variants) (All versions < V15.1 Upd 4),
SIMATIC HMI Comfort Panels 4 - 22 (incl. SIPLUS variants) (All
versions < V15.1 Upd 4), SIMATIC HMI KTP Mobile Panels KTP400F,
KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Upd 4),
SIMATIC IPC DiagMonitor (All versions < V5.1.3), SIMATIC NET PC
Software V13 (All versions), SIMATIC NET PC Software V14 (All versions
< V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions),
SIMATIC RF188C (All versions < V1.1.0), SIMATIC RF600R family (All
versions < V3.2.1), SIMATIC S7-1500 CPU family (incl. related ET200
CPUs and SIPLUS variants) (All versions >= V2.5 < V2.6.1), SIMATIC
S7-1500 Software Controller (All versions between V2.5 (including) and
V2.7 (excluding)), SIMATIC WinCC OA (All versions < V3.15 P018),
SIMATIC WinCC Runtime Advanced (All versions < V15.1 Upd 4), SINEC NMS
(All versions < V1.0 SP1), SINEMA Server (All versions < V14 SP2),
SINUMERIK OPC UA Server (All versions < V2.1), TeleControl Server
Basic (All versions < V3.1.1). Specially crafted network packets sent
to affected devices on port 4840/tcp could allow an unauthenticated
remote attacker to cause a denial of service condition of the OPC
communication or crash the device. The security vulnerability could be
exploited by an attacker with network access to the affected systems.
Successful exploitation requires no system privileges and no user
interaction. An attacker could use the vulnerability to compromise
availability of the OPC communication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-307392.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-19-099-03");
  script_set_attribute(attribute:"solution", value:
'The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens currently has updates for the following products:

SIMATIC ET 200 Open Controller CPU 1515SP PC2: Update to v2.7

- SIMATIC HMI Comfort Outdoor Panels 7" & 15" (including SIPLUS variants): Update to v15.1 Upd 4
- SIMATIC HMI Comfort Panels 4" 22" (including SIPLUS variants): Update to v15.1 Upd 4
- SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, KTP900F (including SIPLUS variants): Update to v15.1
Upd 4
- SIMATIC IPC DiagMonitor: Update to v5.1.3
- SIMATIC NET PC Software v14: Update to v14 SP1 Update 14 or later version
- SIMATIC RF188C: Update to v1.1.0
- SIMATIC RF600R: Update to v3.2.1
- SIMATIC S7-1500 CPU Family (including related ET200 CPUs and SIPLUS variants): Update to v2.6.1
- SIMATIC S7-1500 Software Controller: Update to v2.7
- SIMATIC WinCC OA: Update to v3.15-P018 (logon required)
- SIMATIC WinCC Runtime Advanced: Update to v15.1 Upd 4
- SINEC-NMS: Update to v1.0 SP1
- SINEMA Server: Update to v14 SP2
- SINUMERIK OPC UA Server: Update to v2.1 or newer

- TeleControl Server Basic: Update to V3.1.1 or later version

For the balance of the listed products, Siemens is preparing further updates and recommends users apply the following
specific workarounds and mitigations to reduce risk until patches are available:

- Deactivate the OPC UA Service if supported by the product.
- Apply cell protection concept.
- Use VPN for protecting network communication between cells.
- Apply Defense-in-Depth.

Siemens recommends users configure their environment according to Siemens’ operational guidelines for Industrial
Security (Download) and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For more information on the vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-307392');
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6575");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(248);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp443-1_opc_ua_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200_open_controller_cpu_1515sp_pc2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500f_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500s_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500t_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_cp443-1_opc_ua_firmware" :
        {"family" : "S7400"},
    "cpe:/o:siemens:simatic_et_200_open_controller_cpu_1515sp_pc2_firmware" :
        {"versionEndExcluding" : "2.7", "family" : "ET200"},
    "cpe:/o:siemens:simatic_s7-1500_firmware" :
        {"versionEndIncluding" : "2.5", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500f_firmware" :
        {"versionEndIncluding" : "2.5", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500s_firmware" :
        {"versionEndIncluding" : "2.5", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500t_firmware" :
        {"versionEndIncluding" : "2.5", "family" : "S71500"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);