Siemens SIMATIC CP products Improper Access Control (CVE-2023-37194)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(502001);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/21");

  script_cve_id("CVE-2023-37194");

  script_name(english:"Siemens SIMATIC CP products Improper Access Control (CVE-2023-37194)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC CP 1604 (All versions),
SIMATIC CP 1616 (All versions), SIMATIC CP 1623 (All versions),
SIMATIC CP 1626 (All versions), SIMATIC CP 1628 (All versions). The
kernel memory of affected devices is exposed to user-mode via direct
memory access (DMA) which could allow a local attacker with
administrative privileges to execute arbitrary code on the host system
without any restrictions.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-784849.pdf");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-37194");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(284);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1604_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1616_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1623_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1626_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1628_firmware:-");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
  "cpe:/o:siemens:simatic_cp_1604_firmware:-" :
      {"family" : "NETCP1600", "orderNumbers" : ["6GK1160-4AA01"]},
  "cpe:/o:siemens:simatic_cp_1616_firmware:-" :
      {"family" : "NETCP1600", "orderNumbers" : ["6GK1161-6AA02"]},
  "cpe:/o:siemens:simatic_cp_1623_firmware:-" :
      {"family" : "NETCP1600", "orderNumbers" : ["6GK1162-3AA00"]},
  "cpe:/o:siemens:simatic_cp_1626_firmware:-" :
      {"family" : "NETCP1600", "orderNumbers" : ["6GK1162-6AA01"]},
  "cpe:/o:siemens:simatic_cp_1628_firmware:-" :
      {"family" : "NETCP1600", "orderNumbers" : ["6GK1162-8AA00"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);