Siemens InsydeH2O Missing Release of Memory after Effective Lifetime (CVE-2022-35894)

2023-09-2600:00:00

www.tenable.com

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker- specified buffer, leading to information disclosure.

Insyde BIOS is typically used in RUGGEDCOM APE products and some SIMATIC devices. Please refer to the vendor advisory for a precise list of models concerned.

This plugin only works with Tenable.ot Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501697);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/27");

  script_cve_id("CVE-2022-35894");

  script_name(english:"Siemens InsydeH2O Missing Release of Memory after Effective Lifetime (CVE-2022-35894)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An issue was discovered in Insyde InsydeH2O with kernel 5.0 through
5.5. The SMI handler for the FwBlockServiceSmm driver uses an
untrusted pointer as the location to copy data to an attacker-
specified buffer, leading to information disclosure.

Insyde BIOS is typically used in RUGGEDCOM APE products 
and some SIMATIC devices. Please refer to the vendor advisory for a 
precise list of models concerned.

This plugin only works with Tenable.ot
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.insyde.com/security-pledge");
  script_set_attribute(attribute:"see_also", value:"https://www.insyde.com/security-pledge/SA-2022030");
  script_set_attribute(attribute:"see_also", value:"https://binarly.io/advisories/BRLY-2022-018/index.html");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-35894");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(401);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/09/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/09/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:insyde:insydeh2o:5.5");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/a:insyde:insydeh2o:5.0" :
        {"versionEndExcluding" : "5.09.37", "versionStartIncluding" : "5.0", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.1" :
        {"versionEndExcluding" : "5.17.37", "versionStartIncluding" : "5.1", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.2" :
        {"versionEndExcluding" : "5.27.29", "versionStartIncluding" : "5.2", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.3" :
        {"versionEndExcluding" : "5.36.29", "versionStartIncluding" : "5.3", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.4" :
        {"versionEndExcluding" : "5.44.29", "versionStartIncluding" : "5.4", "family" : "APE1808"},
    "cpe:/a:insyde:insydeh2o:5.5" :
        {"versionEndExcluding" : "5.52.29", "versionStartIncluding" : "5.5", "family" : "APE1808"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
insydeinsydeh2o5.0cpe:/a:insyde:insydeh2o:5.0
insydeinsydeh2o5.1cpe:/a:insyde:insydeh2o:5.1
insydeinsydeh2o5.2cpe:/a:insyde:insydeh2o:5.2
insydeinsydeh2o5.3cpe:/a:insyde:insydeh2o:5.3
insydeinsydeh2o5.4cpe:/a:insyde:insydeh2o:5.4
insydeinsydeh2o5.5cpe:/a:insyde:insydeh2o:5.5

Vendor	Product	Version	CPE
insyde	insydeh2o	5.0	cpe:/a:insyde:insydeh2o:5.0
insyde	insydeh2o	5.1	cpe:/a:insyde:insydeh2o:5.1
insyde	insydeh2o	5.2	cpe:/a:insyde:insydeh2o:5.2
insyde	insydeh2o	5.3	cpe:/a:insyde:insydeh2o:5.3
insyde	insydeh2o	5.4	cpe:/a:insyde:insydeh2o:5.4
insyde	insydeh2o	5.5	cpe:/a:insyde:insydeh2o:5.5