Lucene search

K
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2021-45971.NASL
HistorySep 26, 2023 - 12:00 a.m.

Siemens InsydeH2O Out-of-bounds Write (CVE-2021-45971)

2023-09-2600:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
siemens
insydeh2o
out-of-bounds write
vulnerability
sdhostdriver
kernel
smm
ruggedcom ape
simatic
tenable.ot
advisory

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS

0

Percentile

12.6%

An issue was discovered in SdHostDriver in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBufferData).

Insyde BIOS is typically used in RUGGEDCOM APE products and some SIMATIC devices. Please refer to the vendor advisory for a precise list of models concerned.

This plugin only works with Tenable.ot Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501701);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/27");

  script_cve_id("CVE-2021-45971");

  script_name(english:"Siemens InsydeH2O Out-of-bounds Write (CVE-2021-45971)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An issue was discovered in SdHostDriver in Insyde InsydeH2O with
kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25,
5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists
in the SMM (System Management Mode) branch that registers a SWSMI
handler that does not sufficiently check or validate the allocated
buffer pointer (CommBufferData).

Insyde BIOS is typically used in RUGGEDCOM APE products 
and some SIMATIC devices. Please refer to the vendor advisory for a 
precise list of models concerned.

This plugin only works with Tenable.ot
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.insyde.com/security-pledge");
  script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20220216-0004/");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45971");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/01/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.5");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/a:insyde:insydeh2o:5.1" :
        {"versionEndExcluding" : "5.16.25", "versionStartIncluding" : "5.1", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.2" :
        {"versionEndExcluding" : "5.26.25", "versionStartIncluding" : "5.2", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.3" :
        {"versionEndExcluding" : "5.35.25", "versionStartIncluding" : "5.3", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.4" :
        {"versionEndExcluding" : "5.43.25", "versionStartIncluding" : "5.4", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.5" :
        {"versionEndExcluding" : "5.51.25", "versionStartIncluding" : "5.5", "family" : "APE1808"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS

0

Percentile

12.6%

Related for TENABLE_OT_SIEMENS_CVE-2021-45971.NASL