Siemens EN100 Ethernet Module Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2022-30938)

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500692);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2022-30938");

  script_name(english:"Siemens EN100 Ethernet Module Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2022-30938)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in EN100 Ethernet module DNP3 IP
variant (All versions), EN100 Ethernet module IEC 104 variant (All
versions), EN100 Ethernet module IEC 61850 variant (All versions <
V4.40), EN100 Ethernet module Modbus TCP variant (All versions), EN100
Ethernet module PROFINET IO variant (All versions). Affected
applications contains a memory corruption vulnerability while parsing
specially crafted HTTP packets to /txtrace endpoint manupulating a
specific argument. This could allow an attacker to crash the affected
application leading to a denial of service condition

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-865333.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-195-16");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has released an update for the EN100 Ethernet module IEC 61850 variant and recommends updating to the latest
version. Siemens recommends specific countermeasures for products where updates are either not implemented or not yet
available.

- EN100 Ethernet module IEC 61850 variant: Update to v4.40 or later version

Siemens recommends implementing the following specific workarounds and mitigations that customers can apply to reduce
the risk:

- Disable web service within the device configuration if it is not used 
- Block access to port 80/TCP and 443/TCP e.g., with an external firewall 
- Apply secure substation concept and defense-in-depth or contact customer care to find specific solutions

Operators of critical power systems worldwide are usually required by regulations to build resilience into the power
grid by applying multi-level redundant secondary protection schemes. Siemens recommends that operators check whether
appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can
thus be minimized by virtue of the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented
procedures made available with the product. If supported by the product, an automated means to apply the security
updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security
update before application. Trained supervisors should oversee the during the update process as this will ensure that
thorough updates are implemented in the target environment.

As a general security measure Siemens strongly recommends protecting network access with appropriate mechanisms, such as
firewalls, segmentation, or a VPN. It is advised to configure the environment according to Siemens’ operational
guidelines to run the devices in a protected IT environment.

Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity 

For more information on these vulnerabilities and associated software updates, please see Siemens security advisory
SSA-865333");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-30938");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/07/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/08/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_dnp3_ip_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_iec_104_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:en100_ethernet_module_dnp3_ip_firmware" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_iec_104_firmware" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware" :
        {"versionEndExcluding" : "4.40", "family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware" :
        {"family" : "Siprotec4"},
    "cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-" :
        {"family" : "Siprotec4"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);