Siemens SIMATIC S7-1500 Uncontrolled Resource Consumption (CVE-2024-2511)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(502258);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");

  script_cve_id("CVE-2024-2511");

  script_name(english:"Siemens SIMATIC S7-1500 Uncontrolled Resource Consumption (CVE-2024-2511)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Issue summary: Some non-default TLS server configurations can cause 
unbounded memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to 
trigger unbounded memory growth that would lead to a Denial of 
Service.

This problem can occur in TLSv1.3 if the non-default 
SSL_OP_NO_TICKET option is being used (but not if early_data support 
is also configured and the default anti-replay protection is in use). 
In this case, under certain conditions, the session cache can get 
into an incorrect state and it will fail to flush properly as it 
fills. The session cache will continue to grow in an unbounded 
manner.

A malicious client could deliberately create the scenario for 
this failure to force a Denial of Service. It may also happen by 
accident in normal operation. This issue only affects TLS servers 
supporting TLSv1.3. It does not affect TLS clients. The FIPS modules 
in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is 
also not affected by this issue. 

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
  script_set_attribute(attribute:"solution", value:
"Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: 

- Only build and run applications from trusted sources 

Product-specific remediations or mitigations can be found in the section 'Affected Products and Solution' of 
the vendor advisory. 

For more information, see the associated Siemens security advisory in HTML and CSAF.");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-2511");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_tm_mfp" :
        {"family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_NOTE);