Lucene search

K
nessusThis script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2021-22924.NASL
HistoryApr 11, 2023 - 12:00 a.m.

Siemens Industrial Devices using libcurl Use After Free (CVE-2021-22924)

2023-04-1100:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
siemens
libcurl
vulnerability
cve-2021-22924
connection pool
logic
reuse
wrong connections
tenable.ot
scanner

AI Score

6.2

Confidence

High

EPSS

0.002

Percentile

53.6%

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take ‘issuercert’ into account and it compared the involved paths case insensitively,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn’t include the ‘issuer cert’ which a transfer can setto qualify how to verify the server certificate.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(501053);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/05");

  script_cve_id("CVE-2021-22924");
  script_xref(name:"FEDORA", value:"FEDORA-2021-5d21b90a30");
  script_xref(name:"DSA", value:"DSA-5197");

  script_name(english:"Siemens Industrial Devices using libcurl Use After Free (CVE-2021-22924)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"libcurl keeps previously used connections in a connection pool for
subsequenttransfers to reuse, if one of them matches the setup.Due to
errors in the logic, the config matching function did not take
'issuercert' into account and it compared the involved paths *case
insensitively*,which could lead to libcurl reusing wrong
connections.File paths are, or can be, case sensitive on many systems
but not all, and caneven vary depending on used file systems.The
comparison also didn't include the 'issuer cert' which a transfer can
setto qualify how to verify the server certificate.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://hackerone.com/reports/1223565");
  # https://lists.fedoraproject.org/archives/list/[email protected]/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1527c2f4");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html");
  # https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a7de169c");
  # https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9e232d6");
  # https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8ad28351");
  # https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c671f18");
  script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20210902-0003/");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-13");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2021.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2022.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2022/dsa-5197");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-167-17");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is
preparing further updates and recommends countermeasures for products where updates are not yet available.

- RUGGEDCOM RM1224, SCALANCE M804PB, SCALANCE M812-1, SCALANCE M816-1, SCALANCE M826-2, SCALANCE M874-2, SCALANCE
M874-3, SCALANCE M876-3, SCALANCE M876-4, SCALANCE MUM856-1, and SCALANCE S615: Update to v7.1 or later
- SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1: Update to v3.0.22 or later
- SIMATIC RTU3010C, SIMATIC RTU3030C, SIMATIC RTU3031C, and SIMATIC RTU3041C: Update to v5.0 or later 

- SIMATIC CP 1242-7 V2, SIMATIC CP 1243-1, SIMATIC CP 1243-7 LTE EU, SIMATIC CP 1243-7 LTE US, SIMATIC CP 1243-8 IRC,
SIPLUS NET CP 1242-7 V2, SIPLUS S7-1200 CP 1243-1, and SIPLUS S7-1200 CP 1243-1 RAIL: Update to V3.3.46 or later

- SIMATIC CP 1545-1: Update to v1.1 or later version
- SINEMA Remote Connect Client: Update to v3.1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’
operational guidelines for industrial security and to follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For additional information, please refer to Siemens Security Advisory SSA-732250");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-22924");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(706);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/08/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/08/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:logo%21_cmr2020_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:logo%21_cmr2040_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_eu_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_nam_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m804pb_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m812-1_adsl-router_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m816-1_adsl-router_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m826-2_shdsl-router_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m874-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m874-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m876-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m876-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_mum856-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_s615_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1242-7_v2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1243-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1243-7_lte_eu_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1243-7_lte_us_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1243-8_irc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1543-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1545-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_net_cp_1242-7_v2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_net_cp_1543-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1200_cp_1243-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1200_cp_1243-1_rail_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:logo%21_cmr2040_firmware" :
        {"family" : "LOGO!CM"},
    "cpe:/o:siemens:logo%21_cmr2020_firmware" :
        {"family" : "LOGO!CM"},
    "cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_eu_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "RuggedCom", "orderNumbers" : ["6GK6108-4AM00-2BA2"]},
    "cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_nam_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "RuggedCom", "orderNumbers" : ["6GK6108-4AM00-2DA2"]},
    "cpe:/o:siemens:scalance_m804pb_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5804-0AP00-2AA2"]},
    "cpe:/o:siemens:scalance_m812-1_adsl-router_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5812-1AA00-2AA2", "6GK5812-1BA00-2AA2"]},
    "cpe:/o:siemens:scalance_m816-1_adsl-router_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5816-1AA00-2AA2", "6GK5816-1BA00-2AA2"]},
    "cpe:/o:siemens:scalance_m826-2_shdsl-router_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5826-2AB00-2AB2"]},
    "cpe:/o:siemens:scalance_m874-2_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5874-2AA00-2AA2"]},
    "cpe:/o:siemens:scalance_m874-3_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5874-3AA00-2AA2"]},
    "cpe:/o:siemens:scalance_m876-3_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5876-3AA02-2BA2", "6GK5876-3AA02-2EA2"]},
    "cpe:/o:siemens:scalance_m876-4_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5876-4AA00-2BA2", "6GK5876-4AA00-2DA2"]},
    "cpe:/o:siemens:scalance_mum856-1_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCEM", "orderNumbers" : ["6GK5856-2EA00-3DA1", "6GK5856-2EA00-3AA1"]},
    "cpe:/o:siemens:scalance_s615_firmware" :
        {"versionEndExcluding" : "7.1", "family" : "SCALANCES", "orderNumbers" : ["6GK5615-0AA00-2AA2"]},
    "cpe:/o:siemens:simatic_cp_1242-7_v2_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6GK7242-7KX31-0XE0"]},
    "cpe:/o:siemens:simatic_cp_1243-1_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6GK7243-1BX30-0XE0"]},
    "cpe:/o:siemens:simatic_cp_1243-7_lte_eu_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6GK7243-7KX30-0XE0"]},
    "cpe:/o:siemens:simatic_cp_1243-7_lte_us_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6GK7243-7SX30-0XE0"]},
    "cpe:/o:siemens:simatic_cp_1243-8_irc_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6GK7243-8RX30-0XE0"]},
    "cpe:/o:siemens:simatic_cp_1543-1_firmware" :
        {"versionEndExcluding" : "3.0.22", "family" : "S71500", "orderNumbers" : ["6GK7543-1AX00-0XE0"]},
    "cpe:/o:siemens:simatic_cp_1545-1_firmware" :
        {"versionEndExcluding" : "1.1", "family" : "S71500", "orderNumbers" : ["6GK7545-1GX00-0XE0"]},
    "cpe:/o:siemens:siplus_net_cp_1242-7_v2_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6AG1242-7KX31-7XE0"]},
    "cpe:/o:siemens:siplus_net_cp_1543-1_firmware" :
        {"versionEndExcluding" : "3.0.22", "family" : "S71500", "orderNumbers" : ["6AG1543-1AX00-2XE0"]},
    "cpe:/o:siemens:siplus_s7-1200_cp_1243-1_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6AG1243-1BX30-2AX0"]},
    "cpe:/o:siemens:siplus_s7-1200_cp_1243-1_rail_firmware" :
        {"versionEndExcluding" : "3.3.46", "family" : "S71200", "orderNumbers" : ["6AG2243-1BX30-1XE0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
VendorProductVersionCPE
siemenslogo%21_cmr2020_firmwarecpe:/o:siemens:logo%21_cmr2020_firmware
siemenslogo%21_cmr2040_firmwarecpe:/o:siemens:logo%21_cmr2040_firmware
siemensruggedcom_rm1224_lte%284g%29_eu_firmwarecpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_eu_firmware
siemensruggedcom_rm1224_lte%284g%29_nam_firmwarecpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_nam_firmware
siemensscalance_m804pb_firmwarecpe:/o:siemens:scalance_m804pb_firmware
siemensscalance_m812-1_adsl-router_firmwarecpe:/o:siemens:scalance_m812-1_adsl-router_firmware
siemensscalance_m816-1_adsl-router_firmwarecpe:/o:siemens:scalance_m816-1_adsl-router_firmware
siemensscalance_m826-2_shdsl-router_firmwarecpe:/o:siemens:scalance_m826-2_shdsl-router_firmware
siemensscalance_m874-2_firmwarecpe:/o:siemens:scalance_m874-2_firmware
siemensscalance_m874-3_firmwarecpe:/o:siemens:scalance_m874-3_firmware
Rows per page:
1-10 of 251