A vulnerability has been identified in SIMATIC CP 343-1 (incl. SIPLUS variants) (All versions), SIMATIC CP 343-1 Advanced (incl. SIPLUS variants) (All versions), SIMATIC CP 343-1 ERPC (All versions), SIMATIC CP 343-1 Lean (incl. SIPLUS variants) (All versions), SIMATIC CP 443-1 (All versions < V3.3), SIMATIC CP 443-1 (All versions < V3.3), SIMATIC CP 443-1 Advanced (All versions < V3.3), SIPLUS NET CP 443-1 (All versions < V3.3), SIPLUS NET CP 443-1 Advanced (All versions < V3.3). Sending a specially crafted packet to port 102/tcp of an affected device could cause a denial of service condition. A restart is needed to restore normal operations.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
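# Registration pass: when the engine loads the plugin with `description` set,
# this block only declares metadata (ID, CVE, CVSS, CPEs, dependencies) and
# then exits. No asset data is read and nothing is reported from here.
if (description)
{
  script_id(501093);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2021-33737");

  script_name(english:"Siemens SIMATIC NET CP Modules Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2021-33737)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  # NOTE(review): "SIMATIC CP 443-1 (All versions < V3.3)" appears twice in the
  # text below. The detection table in this file lists two 6GK7443-1EX30 order
  # numbers for CP 443-1, so the repeat presumably stands for two hardware
  # variants - confirm against SSA-549234 before de-duplicating.
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC CP 343-1 (incl. SIPLUS
variants) (All versions), SIMATIC CP 343-1 Advanced (incl. SIPLUS
variants) (All versions), SIMATIC CP 343-1 ERPC (All versions),
SIMATIC CP 343-1 Lean (incl. SIPLUS variants) (All versions), SIMATIC
CP 443-1 (All versions < V3.3), SIMATIC CP 443-1 (All versions <
V3.3), SIMATIC CP 443-1 Advanced (All versions < V3.3), SIPLUS NET CP
443-1 (All versions < V3.3), SIPLUS NET CP 443-1 Advanced (All
versions < V3.3). Sending a specially crafted packet to port 102/tcp
of an affected device could cause a denial of service condition. A
restart is needed to restore normal operations.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-549234.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-257-15");
  # The solution text carries only the network-level mitigation (restrict
  # 102/tcp to trusted systems). NOTE(review): the "< V3.3" bound in the
  # description suggests a firmware update exists for the CP 443-1 lines, while
  # the CP 343-1 variants are listed as "All versions" - confirm the per-product
  # remediation against SSA-549234.
  # Fix: the mis-encoded apostrophe in "Siemens' operational guidelines" is
  # restored to plain ASCII so the text renders correctly in reports.
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens recommends affected users limit access to Port 102/TCP to trusted users and systems only.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the
environment according to Siemens' operational guidelines for industrial security and to following the recommendations in
the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
For more information about this issue, please see Siemens Security Advisory SSA-549234");

  # Network-reachable, no authentication, availability-only impact (A:C / A:H).
  # The temporal vectors mark an official fix as available (RL:OF / RL:O); as
  # far as this file shows, a fixed version is given only for CP 443-1, so for
  # CP 343-1 the access restriction above is the only remediation listed here.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-33737");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # One CPE per affected firmware line; these mirror the keys of the detection
  # table used after the registration block.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_343-1_advanced_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_343-1_erpc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_343-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_343-1_lean_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_443-1_advanced_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_443-1_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  # Declared as an information-gathering script.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs after the Tenable.ot integration plugin and only when that plugin has
  # recorded a Siemens asset in the knowledge base.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}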
include('tenable_ot_cve_funcs.inc');
# Detection pass. Nothing in this script opens a connection to the device:
# the finding is derived from asset data obtained through the tenable_ot
# helpers, so its accuracy depends on the firmware version and order number
# recorded for the asset.

# Stop here unless the Siemens key is present in the knowledge base.
get_kb_item_or_exit('Tenable.ot/Siemens');

var siemens_asset = tenable_ot::assets::get(vendor:'Siemens');

# Affected firmware CPEs and their match constraints.
#  - CP 343-1 lines (S7300 family) carry no version bound, in line with
#    "All versions" in the plugin description.
#  - CP 443-1 lines (S7400 family) are bounded by versionEndExcluding 3.3 and
#    limited to the listed order numbers.
# NOTE(review): how "family", "versionEndExcluding" and "orderNumbers" are
# evaluated is defined in tenable_ot_cve_funcs.inc, not here - presumably all
# constraints present on an entry must match; confirm against the helper.
var affected_cpes = {
  "cpe:/o:siemens:simatic_cp_343-1_firmware" :
    {"family" : "S7300"},
  "cpe:/o:siemens:simatic_cp_343-1_advanced_firmware" :
    {"family" : "S7300"},
  "cpe:/o:siemens:simatic_cp_343-1_erpc_firmware" :
    {"family" : "S7300"},
  "cpe:/o:siemens:simatic_cp_343-1_lean_firmware" :
    {"family" : "S7300"},
  "cpe:/o:siemens:simatic_cp_443-1_firmware" :
    {"versionEndExcluding" : "3.3", "family" : "S7400", "orderNumbers" : ["6GK7443-1EX30-0XE0", "6GK7443-1EX30-0XE1", "6AG1443-1EX30-4XE0"]},
  "cpe:/o:siemens:simatic_cp_443-1_advanced_firmware" :
    {"versionEndExcluding" : "3.3", "family" : "S7400", "orderNumbers" : ["6GK7443-1GX30-0XE0", "6AG1443-1GX30-4XE0"]}
};

# Hand the asset and the table to the shared comparison helper, which reports
# at SECURITY_HOLE severity.
tenable_ot::cve::compare_and_report(
  asset:siemens_asset,
  cpes:affected_cpes,
  severity:SECURITY_HOLE
);