Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2023-6121)

2024-04-2200:00:00

www.tenable.com

siemens simatic s7-1500

cve-2023-6121

improper input validation

remote

tcp

linux kernel

vulnerability

tenable.ot

cisa

siemens

mitigations

solutions

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

67.7%

JSON

An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(502220);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id("CVE-2023-6121");

  script_name(english:"Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2023-6121)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. 
This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer 
overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-102-01");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
  script_set_attribute(attribute:"solution", value:
"Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: 

- Only build and run applications from trusted sources 

Product-specific remediations or mitigations can be found in the section 'Affected Products and Solution' of 
the vendor advisory. 

For more information, see the associated Siemens security advisory in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6121");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_tm_mfp" :
        {"family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware" :
        {"versionStartIncluding" : "3.1", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4AX00-1AB0","6ES7518-4AX00-1AC0","6AG1518-4AX00-4AC0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware" :
        {"versionStartIncluding" : "3.1", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4FX00-1AB0","6ES7518-4FX00-1AC0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
siemenssimatic_s7-1500_tm_mfpcpe:/o:siemens:simatic_s7-1500_tm_mfp
siemenssimatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware
siemenssimatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware

Vendor	Product	CPE
siemens	simatic_s7-1500_tm_mfp	cpe:/o:siemens:simatic_s7-1500_tm_mfp
siemens	simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware	cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware
siemens	simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware	cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware