A heap out-of-bounds write vulnerability in the Linux kernel’s Performance Events system component can be exploited to achieve local privilege escalation.
A perf_event’s read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(502218);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/22");
script_cve_id("CVE-2023-6931");
script_name(english:"Siemens SIMATIC S7-1500 Out-of-bounds Write (CVE-2023-6931)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"A heap out-of-bounds write vulnerability in the Linux kernel's Performance
Events system component can be exploited to achieve local privilege escalation.
A perf_event's read_size can overflow, leading to an heap out-of-bounds increment
or write in perf_read_group().
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-102-01");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-794697.html");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
script_set_attribute(attribute:"solution", value:
"Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
- Only build and run applications from trusted sources
Product-specific remediations or mitigations can be found in the section 'Affected Products and Solution' of
the vendor advisory.
For more information, see the associated Siemens security advisory in HTML and CSAF.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6931");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
script_set_attribute(attribute:"patch_publication_date", value:"2024/04/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:simatic_s7-1500_tm_mfp" :
{"versionStartIncluding" : "1.0", "versionEndIncluding" : "1.1", "family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]},
"cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware" :
{"versionStartIncluding" : "3.1", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4AX00-1AB0","6ES7518-4AX00-1AC0","6AG1518-4AX00-4AC0"]},
"cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware" :
{"versionStartIncluding" : "3.1", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4FX00-1AB0","6ES7518-4FX00-1AC0"]}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
Vendor | Product | Version | CPE |
---|---|---|---|
siemens | simatic_s7-1500_tm_mfp | cpe:/o:siemens:simatic_s7-1500_tm_mfp | |
siemens | simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware | cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware | |
siemens | simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware | cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware |