Siemens SIMATIC S7-1500 Use After Free (CVE-2023-6932)

2024-04-2200:00:00

www.tenable.com

siemens

simatic s7-1500

use after free

cve-2023-6932

vulnerability

linux kernel

igmp component

local privilege escalation

tenable.ot

cisa

ics advisories

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

JSON

A use-after-free vulnerability in the Linux kernel’s ipv4: igmp component can be exploited to achieve local privilege escalation.

A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.

We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(502216);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id("CVE-2023-6932");

  script_name(english:"Siemens SIMATIC S7-1500 Use After Free (CVE-2023-6932)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A use-after-free vulnerability in the Linux kernel's ipv4: 
igmp component can be exploited to achieve local privilege escalation. 

A race condition can be exploited to cause a timer be mistakenly registered 
on a RCU read locked object which is freed by another thread. 

We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1. 

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-102-01");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-794697.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
  script_set_attribute(attribute:"solution", value:
"Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: 

- Only build and run applications from trusted sources 

Product-specific remediations or mitigations can be found in the section 'Affected Products and Solution' of 
the vendor advisory. 

For more information, see the associated Siemens security advisory in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6932");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_tm_mfp" :
        {"family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware" :
        {"versionStartIncluding" : "3.1", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4AX00-1AB0","6ES7518-4AX00-1AC0","6AG1518-4AX00-4AC0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware" :
        {"versionStartIncluding" : "3.1", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4FX00-1AB0","6ES7518-4FX00-1AC0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
siemenssimatic_s7-1500_tm_mfpcpe:/o:siemens:simatic_s7-1500_tm_mfp
siemenssimatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware
siemenssimatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware

Vendor	Product	CPE
siemens	simatic_s7-1500_tm_mfp	cpe:/o:siemens:simatic_s7-1500_tm_mfp
siemens	simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware	cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware
siemens	simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware	cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware