Researchers estimate more than 100 million internet-connected devices are vulnerable to a class of flaws dubbed NAME:WRECK.
Devices ranging from smartphones to aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available from some affected vendors.
Nine vulnerabilities were identified in the Domain Name System (DNS) client implementations of several TCP/IP network communication stacks. These two technologies work in tandem to uniquely identify devices connected to the internet and to carry digital communications between them. The most serious of the flaws are rated critical in severity.
“The widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,” researchers wrote in a [report released Tuesday](<https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/>) (PDF). “[W]e can estimate that at least 100 million devices are impacted by NAME:WRECK.”
## **Breaking Down the NAME:WRECK Bugs**
Under the auspices of the research collective known as Project Memoria, NAME:WRECK is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years. Those that have come before are [URGENT/11](<https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/>), [Ripple20](<https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/>), [Amnesia:33](<https://threatpost.com/amnesia33-tcp-ip-flaws-iot-devices/161928/>) and NUMBER:JACK (also discovered by Project Memoria and Forescout).
Forescout and JSOF researchers divide the nine NAME:WRECK vulnerabilities into four groups, according to the DNS and TCP/IP stack (or firmware) used inside the affected devices. The four stacks are FreeBSD, IPnet, Nucleus NET and NetX – each common in IoT and operational technology (OT) systems.
Researchers said the origin of the name NAME:WRECK is based on “how the parsing of domain names can break – ‘wreck’ – DNS implementations in TCP/IP stacks, leading to denial of service or remote code-execution.”
NAME:WRECK is similar to previous TCP/IP-DNS bugs that illustrate the complexity of the DNS protocol “that tends to yield vulnerable implementations,” where bugs can often be leveraged by external attackers to take control of millions of devices simultaneously, researchers said.
## **Unpacking a DNS Compression Bug**
One class of NAME:WRECK bugs is DNS message-compression issues, affecting a wide range of devices whose TCP/IP stacks decompress domain names carried in DNS messages.
“With the first vulnerability, CVE-2020-27009, the attacker can craft a DNS response packet with a combination of invalid compression pointer offsets that allows them to write arbitrary data into sensitive parts of a device’s memory, where they will then inject the code,” researchers wrote.
“The second vulnerability, CVE-2020-15795, allows the attacker to craft meaningful code to be injected by abusing very large domain name records in the malicious packet. Finally, to deliver the malicious packet to the target, the attacker can bypass DNS query-response matching using CVE-2021-25667,” they wrote.
The technical specifics are complicated, but boil down to how a domain name (like Google.com) is encoded in a DNS message as a sequence of labels “terminated by the NULL byte (0x00),” with repeated names replaced by compression pointers back to an earlier copy. This encoding and compression is meant to reduce the size of DNS messages. However, a stack that does not validate the pointers and label lengths while unpacking a compressed name can be driven out of bounds by a crafted response, exposing every device running that stack to attack.
“By carefully choosing a combination of invalid compression offsets placed in a DNS packet, attackers can perform controlled out-of-bounds writes into the destination buffer ‘dst,’ potentially achieving remote code-execution,” researchers wrote.
As for the attack vector, researchers said, “The easiest way to construct a payload that will overflow name and overwrite heap metadata is to chain multiple domain labels.”
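As an added example, not code from Forescout's report or from any of the affected stacks, the following C function decompresses a DNS name the way a hardened stack should: every compression pointer must point strictly backwards within the message (which rules out out-of-bounds reads, forward pointers and pointer loops in one check), and every label copy is bounds-checked against both the message and the destination buffer. The sample message and its offsets are constructed here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_NAME_MAX  255   /* RFC 1035 limit on a wire-format name */
#define DNS_LABEL_MAX 63    /* a label length byte may not exceed 63 */
#define DNS_PTR_MAX   128   /* cap on pointer hops, bounds work on hostile input */

/* Decompress the name at msg[off] into dst as dotted text ("" for the root).
 * Returns the offset just past the name at its original position, or -1 if
 * the name is malformed. Pointers must point strictly backwards, so a pointer
 * can never reach outside the message and can never form a loop. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *dst, size_t dst_len)
{
    size_t pos = off, end = 0, out = 0, wire_len = 0;
    int jumped = 0, hops = 0;

    if (dst_len == 0) return -1;
    for (;;) {
        if (pos >= msg_len) return -1;              /* label byte outside message */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                   /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msg_len) return -1;      /* truncated pointer */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;           /* must point strictly backwards */
            if (++hops > DNS_PTR_MAX) return -1;
            if (!jumped) { end = pos + 2; jumped = 1; }
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                    /* 01/10 label types are reserved */
        if (c == 0) {                               /* root label ends the name */
            if (!jumped) end = pos + 1;
            break;
        }
        if (c > DNS_LABEL_MAX) return -1;
        wire_len += c + 1;
        if (wire_len + 1 > DNS_NAME_MAX) return -1; /* +1 for the terminating 0x00 */
        if (pos + 1 + c > msg_len) return -1;       /* label bytes outside message */
        if (out + c + 2 > dst_len) return -1;       /* room for '.', label and NUL */
        if (out > 0) dst[out++] = '.';
        memcpy(dst + out, msg + pos + 1, c);
        out += c;
        pos += 1 + c;
    }
    dst[out] = '\0';
    return (int)end;
}

/* Constructed sample message (not a real capture); offsets noted per field. */
static const uint8_t SAMPLE_MSG[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,                  /* 0: 12-byte header, zeroed */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* 12: "example.com" */
    0,1, 0,1,                                   /* 25: QTYPE=A, QCLASS=IN */
    0xC0, 0x0C,                                 /* 29: pointer to offset 12 */
    3,'w','w','w', 0xC0, 0x0C,                  /* 31: "www" + pointer -> www.example.com */
    0xC0, 0x28,                                 /* 37: forward pointer to 40 (invalid) */
    0xC0, 0xFF,                                 /* 39: pointer to 255, past the end (invalid) */
    0x40,                                       /* 41: reserved label type (invalid) */
    10, 'a', 'b',                               /* 42: label claims 10 bytes, message ends */
};

int read_sample(size_t off, char *dst, size_t dst_len)
{
    return dns_read_name(SAMPLE_MSG, sizeof SAMPLE_MSG, off, dst, dst_len);
}

int main(void)
{
    char buf[DNS_NAME_MAX + 1];
    size_t offsets[] = { 12, 29, 31, 37, 39, 41, 42 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int r = read_sample(offsets[i], buf, sizeof buf);
        if (r < 0) printf("offset %zu: rejected as malformed\n", offsets[i]);
        else       printf("offset %zu: \"%s\" (next field at %d)\n", offsets[i], buf, r);
    }
    return 0;
}
```

The same checks are what a stack needs before copying a decompressed name into a fixed-size buffer such as the `dst` mentioned in the report.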
Researchers also identified other types of NAME:WRECK flaws, including domain name label-parsing bugs, further message-compression vulnerabilities and a transaction-ID bug.
## **The Nine NAME:WRECK Bugs**
The following are the vulnerability CVE tracking numbers and the type of TCP/IP stacks impacted:
* CVE-2020-7461: A message compression bug impacting devices running FreeBSD and can lead to RCE (CVSS severity rating 7.7);
* CVE-2016-20009: A message compression bug impacting devices running IPnet and can lead to RCE (CVSS severity rating 9.8);
* CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);
* CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);
* CVE-2020-27736: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
* CVE-2020-27737: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
* CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
* CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET and can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3);
* One bug with no CVE assigned: A message-compression bug impacting devices running NetX and can lead to DNS cache-poisoning attacks (CVSS severity rating 6.5).
## **How Can Users Mitigate NAME:WRECK Bugs?**
Researchers are recommending that users and IT security staff discover and inventory devices running the vulnerable stacks. Forescout is making available an open-source script to fingerprint impacted devices.
Researchers also recommended the implementation of device and network-segmentation controls and restricting external communication to vulnerable devices until they are patched or removed from the network; and of course, users should patch devices as fixes become available.
Beyond that, users should configure vulnerable devices to use internal DNS servers, and monitor network traffic for malicious packets attempting to exploit NAME:WRECK vulnerabilities or any bug affecting DNS, mDNS and DHCP clients.
**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**
{"id": "THREATPOST:55D5F412C1BC622A738FB3429695E9B1", "type": "threatpost", "bulletinFamily": "info", "title": "How the NAME:WRECK Bugs Impact Consumers, Businesses", "description": "Researchers estimate more than 100 million internet-connected devices are vulnerable to a class of flaws dubbed NAME:WRECK.\n\nDevices ranging from smartphones, aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors.\n\nNine vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These two technologies are used in tandem to uniquely identifying devices connected to the internet and facilitate digital communications between them. The most serious of the flaws are rated critical in severity. \n[](<https://threatpost.com/newsletter-sign/>) \n\u201cThe widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,\u201d researchers wrote in a [report released Tuesday](<https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/>) (PDF). \u201c[W]e can estimate that at least 100 million devices are impacted by NAME:WRECK.\u201d\n\n## **Breaking Down the NAME:WRECK Bugs**\n\nUnder the auspices of the research collective known as Project Memoria, NAME:WRECK is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years. 
Those that have come before are [URGENT/11](<https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/>), [Ripple20](<https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/>), [Amnesia:33](<https://threatpost.com/amnesia33-tcp-ip-flaws-iot-devices/161928/>) and NUMBER:JACK (also discovered by Project Memoria and Forescout).\n\nForescout and JSOF researchers divide the nine NAME:WRECK vulnerabilities into four subcategories of devices dependent on the DNS and TCP/IP stacks (or firmware) used inside them. The categories include the FreeBSD, IPnet, Nucleus NET and NetX \u2013 each common in IoT and operational technology (OT) systems.\n\nResearchers said the origin of the name NAME:WRECK is based on \u201chow the parsing of domain names can break \u2013 \u2018wreck\u2019 \u2013 DNS implementations in TCP/IP stacks, leading to denial of service or remote code-execution.\u201d\n\nNAME:WRECK is similar to previous TCP/IP-DNS bugs that illustrate the complexity of the DNS protocol \u201cthat tends to yield vulnerable implementations,\u201d where bugs can often be leveraged by external attackers to take control of millions of devices simultaneously, researchers said.\n\n## **Unpacking a DNS Compression Bug**\n\nOne of the class of NAME:WRECK bugs are identified as DNS compression issues, impacting a wide range of devices that compress data used to communicate over the internet using TCP/IP.\n\n\u201cWith the first vulnerability, CVE-2020-27009, the attacker can craft a DNS response packet with a combination of invalid compression pointer offsets that allows them to write arbitrary data into sensitive parts of a device\u2019s memory, where they will then inject the code,\u201d researchers wrote.\n\n\u201cThe second vulnerability, CVE2020-15795, allows the attacker to craft meaningful code to be injected by abusing very large domain name records in the malicious packet. 
Finally, to deliver the malicious packet to the target, the attacker can bypass DNS query-response matching using CVE-2021-25667,\u201d they wrote.\n\nThe technical specifics are complicated, but boil down to how a domain name (like Google.com) is encoded within the TCP/IP stack as a sequence of labels \u201cterminated by the NULL byte (0x00).\u201d This process of encoding and compressing domain names is meant to reduce the size of the DNS messages. However, hackers could exploit vulnerabilities within the TCP/IP stack to force the unpacking of compressed domain names in a malicious manner, opening the devices running the TCP/IP stack to come under attack.\n\n\u201cBy carefully choosing a combination of invalid compression offsets placed in a DNS packet, attackers can perform controlled out-of-bounds writes into the destination buffer \u2018dst,\u2019 potentially achieving remote code-execution,\u201d researchers wrote.\n\nAs for the attack vector, researchers said, \u201cThe easiest way to construct a payload that will overflow name and overwrite heap metadata is to chain multiple domain labels.\u201d\n\nResearchers also identified other types of NAME:WRECK flaws, such as domain name label-parsing bugs, message-compression vulnerabilities and a VDomain name label-parsing bugs.\n\n## **The Nine NAME:WRECK Bugs**\n\nThe following are the vulnerability CVE tracking numbers and the type of TCP/IP stacks impacted:\n\n * CVE-2020-7461: A message compression bug impacting devices running FreeBSD and can lead to RCE (CVSS severity rating 7.7);\n * CVE-2016-20009: A message compression bug impacting devices running IPnet and can lead to RCE (CVSS severity rating 9.8);\n * CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);\n * CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);\n * CVE-2020-27736: A VDomain name 
label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);\n * CVE-2020-27737: A VDomain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);\n * CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);\n * CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET and can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3);\n * And one CVE-unassigned: A message-compression bug impacting devices running NetX and can lead to DNS cache- poisoning attacks (CVSS severity rating 6.5).\n\n## **How Can Users Mitigate NAME:WRECK Bugs? **\n\nResearchers are recommending that users and IT security staff discover and inventory devices running the vulnerable stacks. Forescout is making available an open-source script to fingerprint impacted devices.\n\nResearchers also recommended the implementation of device and network-segmentation controls and restricting external communication to vulnerable devices until they are patched or removed from the network; and of course, users should patch devices as fixes become available.\n\nBeyond that, users should configure vulnerable devices to run on internal DNS servers, and monitor network traffic for malicious packets attempting to exploit NAME:WRECK vulnerabilities or any bug affecting DNS, mDNS and DHCP clients.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. 
_****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "published": "2021-04-13T21:03:41", "modified": "2021-04-13T21:03:41", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threatpost.com/namewreck-bugs-businesses/165385/", "reporter": "Tom Spring", "references": ["https://threatpost.com/newsletter-sign/", "https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/", "https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/", "https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/", "https://threatpost.com/amnesia33-tcp-ip-flaws-iot-devices/161928/", "https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar", "https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar"], "cvelist": ["CVE-2016-20009", "CVE-2020-15795", "CVE-2020-27009", "CVE-2020-27736", "CVE-2020-27737", "CVE-2020-27738", "CVE-2020-7461", "CVE-2021-25667", "CVE-2021-25677"], "immutableFields": [], "lastseen": "2021-04-13T21:52:45", "viewCount": 268, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-20009", "CVE-2020-15795", "CVE-2020-27009", "CVE-2020-27736", "CVE-2020-27737", "CVE-2020-27738", "CVE-2020-7461", "CVE-2021-25667", "CVE-2021-25677"]}, {"type": "freebsd", "idList": ["762B7D4A-EC19-11EA-88F8-901B0EF719AB"]}, {"type": "githubexploit", "idList": ["8933576F-30F9-528A-836D-62A581226FAA"]}, {"type": "ics", "idList": ["ICSA-21-068-03", "ICSA-21-103-04", "ICSA-21-103-13", "ICSA-21-222-06", "ICSA-21-257-11"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_762B7D4AEC1911EA88F8901B0EF719AB.NASL"]}]}, "score": {"value": 0.4, "vector": "NONE"}, 
"backreferences": {"references": [{"type": "canvas", "idList": ["ETERNALBLUE"]}, {"type": "cve", "idList": ["CVE-2016-20009", "CVE-2021-25667"]}, {"type": "freebsd", "idList": ["762B7D4A-EC19-11EA-88F8-901B0EF719AB"]}, {"type": "githubexploit", "idList": ["8933576F-30F9-528A-836D-62A581226FAA"]}, {"type": "ics", "idList": ["ICSA-21-103-13"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_762B7D4AEC1911EA88F8901B0EF719AB.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366"]}]}, "exploitation": null, "vulnersScore": 0.4}, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659749172}}
{"ics": [{"lastseen": "2022-10-26T00:13:18", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.5**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n * **Equipment: **SIMOTICS CONNECT 400\n * **Vulnerabilities:** Improper Null Termination, Out-of-bounds Read, Access of Memory Location After End of Buffer, Use of Insufficiently Random Values\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-103-13 Siemens SIMOTICS CONNECT 400 that was published April 13, 2021, on the ICS webpage on www.cisa.gov/uscert. \n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to poison the DNS cache or spoof DNS resolving.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following products and versions are affected: \n\u2022 SIMOTICS CONNECT 400, All versions prior to v0.5.0.0 \n\u2022 SIMOTICS CONNECT 400, v0.5.0.0 and later only affected by [CVE-2021-25677](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25677>)\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [IMPROPER NULL TERMINATION CWE-170](<https://cwe.mitre.org/data/definitions/170.html>)\n\nThe DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory.\n\n[CVE-2020-27736](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27736>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 4.2.2 [OUT-OF-BOUNDS READ CWE-125](<https://cwe.mitre.org/data/definitions/125.html>)\n\nThe DNS response parsing functionality does not properly validate various length and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the memory past the allocated structure.\n\n[CVE-2020-27737](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27737>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 4.2.3 [ACCESS OF MEMORY LOCATION AFTER END OF BUFFER CWE-788](<https://cwe.mitre.org/data/definitions/788.html>)\n\nThe DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition.\n\n[CVE-2020-27738](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27738>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 4.2.4 [ACCESS OF MEMORY LOCATION AFTER END OF BUFFER CWE-788](<https://cwe.mitre.org/data/definitions/788.html>)\n\nThe DNS client does not properly randomize DNS transaction IDs. This could allow an attacker to poison the DNS cache or spoof DNS resolving. \n[CVE-2021-25677](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25677>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 4.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 5\\. 
MITIGATIONS\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce risk:\n\n**\\--------- Begin Update A Part 1 of 1---------**\n\n * SIMOTICS CONNECT 400, All versions prior to v0.5.0.0: [Update to v0.5.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109778383/>)\n * For versions prior to v0.5.0.0, Siemens recommends users follow general security recommendations in [SSA-669158](<https://cert-portal.siemens.com/productcert/pdf/ssa-669158.pdf>)\n * SIMOTICS CONNECT 400, All versions v0.5.0.0 or later and prior to v1.0.0.0 only affected by CVE-2021-25677: [Update to v1.0.0.0 or later version](<https://support.industry.siemens.com/cs/ww/en/view/109778383/>)\n\n**\\--------- End Update A Part 1 of 1 ---------**\n\nFor additional information, please refer to Siemens Security Advisory [SSA-669158](<https://cert-portal.siemens.com/productcert/pdf/ssa-669158.pdf>)\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to [Siemens operational guidelines for Industrial Security](<https://www.siemens.com/cert/operational-guidelines-industrial-security>), and following the recommendations in the product manuals.\n\nFor further inquiries on security vulnerabilities in Siemens\u2019 products and solutions, please contact [Siemens ProductCERT](<https://www.siemens.com/cert/advisories>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.cisa.gov/uscert/ics/recommended-practices>) on the ICS webpage on [cisa.gov](<https://www.cisa.gov/uscert/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on cisa.gov](<https://www.cisa.gov/uscert/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-103-13>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-03-10T00:00:00", "type": "ics", "title": "Siemens SIMOTICS CONNECT 400 (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", 
"baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27736", "CVE-2020-27737", "CVE-2020-27738", "CVE-2021-25677"], "modified": "2022-03-10T00:00:00", "id": "ICSA-21-103-13", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-103-13", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2022-10-26T00:13:54", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 8.1**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n\n**\\--------- Begin Update A Part 1 of 3 ---------**\n\n * **Equipment: **Nucleus NET, Nucleus Source Code, Capital VSTAR\n\n**\\--------- End Update A Part 1 of 3 ---------**\n\n * **Vulnerabilities:** Out-of-bounds Write, Use of Out-of-Range Pointer Offset\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-103-04 Siemens Nucleus Products DNS Module that was published April 13, 2021, to the ICS webpage on us-cert.cisa.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow a denial-of-service condition or for the execution of code remotely.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following Nucleus products are affected:\n\n**\\--------- Begin Update A Part 2 of 3 ---------**\n\n * Nucleus NET: All versions prior to v5.2\n * Nucleus Source Code: Versions including affected DNS modules\n * Capital VSTAR: Versions including affected DNS modules\n\n**\\--------- End Update A Part 2 of 3 ---------**\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nThe DNS domain name label parsing functionality does not properly validate the names in DNS-responses. 
The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.\n\n[CVE-2020-15795](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15795>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)). \n\n\n#### 4.2.2 [USE OF OUT-OF-RANGE POINTER OFFSET CWE-823](<https://cwe.mitre.org/data/definitions/823.html>)\n\nThe DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.\n\n[CVE-2020-27009](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27009>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 4.4 RESEARCHER\n\nDaniel dos Santos, from Forescout Technologies, and Siemens reported these vulnerabilities to CISA.\n\n## 5\\. 
MITIGATIONS\n\nSiemens has published security advisory [SSA-185699](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>) and released the following mitigations for the affected products:\n\n**\\--------- Begin Update A Part 3 of 3 ---------**\n\n * **Nucleus NET:** Update to the latest version of Nucleus ReadyStart v3 or v4. Note the latest version of Nucleus NET (v5.2) is not affected by the vulnerabilities but is already beyond the end of software support. Contact [customer support](<https://support.sw.siemens.com/en-US/signin>) or a Nucleus Sales team for mitigation advice. \n * **Nucleus Source Code: **Contact [customer support](<https://support.sw.siemens.com/en-US/signin>) to receive patch and update information.\n * **Capital VSTAR: **Contact [customer support](<https://support.sw.siemens.com/en-US/signin>) to receive patch and update information.\n\n**\\--------- End Update A Part 3 of 3 ---------**\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce risk:\n\n * Avoid using DNS client of affected versions.\n * For additional mitigation advice contact Siemens customer support or a Nucleus Sales team.\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. 
In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens\u2019 [Operational Guidelines for Industrial Security](<https://www.siemens.com/cert/operational-guidelines-industrial-security>), and following the recommendations in the product manuals.\n\nAdditional information on industrial security by Siemens can be found at: [https://www.siemens.com/industrialsecurity](<https://www.siemens.com/industrialsecurity>)\n\nFor further inquiries on security vulnerabilities in Siemens\u2019 products and solutions, contact [Siemens ProductCERT](<https://www.siemens.com/cert/advisories>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). 
Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-103-04>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "ics", "title": "Siemens Nucleus Products DNS Module (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15795", "CVE-2020-27009"], "modified": "2021-11-11T00:00:00", "id": "ICSA-21-103-04", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-103-04", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-27T15:51:28", "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendor: **Siemens\n * **Equipment:** SGT\n * **Vulnerability:** Out-of-bounds Write\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could lead to remote code execution.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n * SGT-100: All versions\n * SGT-200: All versions\n * SGT-300: All versions\n * SGT-400: All versions\n * SGT-A20: All versions\n * SGT-A35: All versions\n * SGT-A64: All versions\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nA DNS client stack-based buffer overflow in ipdnsc_decode_name() affects Wind River VxWorks v6.5 through v7\n\n[CVE-2016-20009](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-20009>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 3.4 RESEARCHER\n\nSiemens reported to CISA that these products are affected by this vulnerability when using some third-party components.\n\n## 4\\. MITIGATIONS\n\nUpdates are for affected Rockwell Automation / Allen Bradley components in use within Siemens products. Please see Rockwell Security Advisory [PN1564](<https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131196>) (login required) for affected parts and software/firmware updates. Some updates may not be compatible with other components in the system. 
Contact [Siemens Energy](<mailto:support@siemens-energy.com>) for further support.\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * While firmware updates are suggested as solutions, the updates may not be compatible with the software or other components in the system. Please contact a [Siemens Energy representative](<mailto:support@siemens-energy.com>) for an assessment.\n * For more details on how to mitigate this vulnerability, see Rockwell Security Advisory [PN1564](<https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131196>) (login required).\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the [Siemens operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and following the recommendations in the product manuals.\n\nFor additional information, please refer to Siemens Security Advisory [SSA-553445](<https://cert-portal.siemens.com/productcert/pdf/ssa-553445.pdf>)\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nCISA also recommends users take the following measures to protect themselves from social engineering attacks:\n\n * Do not click web links or open unsolicited attachments in email messages.\n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams.\n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nNo known public exploits specifically target this vulnerability.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-222-06>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "ics", "title": "Siemens Energy AGT and SGT Solutions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-20009"], "modified": "2021-08-10T00:00:00", "id": "ICSA-21-222-06", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-222-06", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T00:15:16", "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 8.8**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendor: **Siemens\n * **Equipment: **SCALANCE and RUGGEDCOM Devices\n * **Vulnerability: **Stack-based Buffer Overflow\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-068-03 Siemens SCALANCE and RUGGEDCOM Devices that was published March 9, 2021, to the ICS webpage on us-cert.cisa.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow an attacker to cause a reboot. Under specific circumstances, an attacker could also achieve remote code execution of the affected devices.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n**\\--------- Begin Update A Part 1 of 2 --------**\n\n * RUGGEDCOM RM1224: All versions from v4.3 and prior to v4.6\n * SCALANCE M-800: All versions from v4.3 and prior to v4.6\n * SCALANCE S615: All versions from v4.3 and prior to v4.6\n * SCALANCE XR-300WG: All versions prior to v4.1\n * SCALANCE XB-200: All versions prior to v4.1\n * SCALANCE XC-200: All versions prior to v4.1\n * SCALANCE XF-200BA: All versions prior to v4.1\n * SCALANCE XP-200: All versions prior to v4.1\n\n**\\--------- End Update A Part 1 of 2 --------**\n\n * SCALANCE SC-600 Family: All versions from v2.0 and prior to v2.1.3\n * SCALANCE XM400: All versions prior to v6.2\n * SCALANCE XR500: All versions prior to v6.2\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nAffected devices contain a stack-based buffer overflow vulnerability in the handling of Spanning Tree Protocol (STP) Bridge Protocol Data Unit (BPDU) frames that could allow a remote attacker to trigger a denial-of-service condition or potential remote code execution. 
Successful exploitation requires the passive listening feature of the device to be active.\n\n[CVE-2021-25667](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25667>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 4.4 RESEARCHER\n\nSiemens reported this vulnerability to CISA.\n\n## 5\\. MITIGATIONS\n\nSiemens recommends applying updates where applicable:\n\n * SCALANCE SC-600 Family: [Update to v2.1.3](<https://support.industry.siemens.com/cs/ww/en/109793041>) or later\n * SCALANCE X300WG: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * SCALANCE XM400: [Update to v6.2](<https://support.industry.siemens.com/cs/ww/en/109764409>) or later\n * SCALANCE XR500: [Update to v6.2](<https://support.industry.siemens.com/cs/ww/en/109761425>) or later\n\n**\\--------- Begin Update A Part 2 of 2 --------**\n\n * SCALANCE XB-200: [Update to v4.1 ](<https://support.industry.siemens.com/cs/ww/en/109773547>)or later\n * SCALANCE XC-200: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * SCALANCE XF-200BA: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * SCALANCE XP-200: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * RUGGEDCOM RM1224: [Update to v6.4](<https://support.industry.siemens.com/cs/ww/en/109794349/>) or later\n * SCALANCE M-800: [Update to v6.4](<https://support.industry.siemens.com/cs/ww/en/109794349/>) or later\n * SCALANCE S615: [Update to v6.4](<https://support.industry.siemens.com/cs/ww/en/109794349/>) or later\n\n**\\--------- 
End Update A Part 2 of 2 --------**\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * Deactivate the STP passive listening feature of the vulnerable devices.\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to [Siemens operational guidelines for Industrial Security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and following the recommendations in the product manuals.\n\nFor additional information, please refer to Siemens Security Advisory [SSA-979775](<https://cert-portal.siemens.com/productcert/pdf/ssa-979775.pdf>)\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). 
Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-068-03>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "ics", "title": "Siemens SCALANCE and RUGGEDCOM Devices (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25667"], "modified": "2021-04-13T00:00:00", "id": "ICSA-21-068-03", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-068-03", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T00:14:16", "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 7.3**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor: **Siemens\n * **Equipment: **SIMATIC RFID terminals\n * **Vulnerability: **Out-of-bounds Write\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow an attacker to remotely execute code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of SIMATIC RFID are affected:\n\n * SIMATIC RF350M: All versions\n * SIMATIC RF650M: All versions\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nIn FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119, resulting in a heap overflow. The heap overflow could be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.\n\n[CVE-2020-7461](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7461>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Multiple\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 3.4 RESEARCHER\n\nSiemens reported this vulnerability to CISA.\n\n## 4\\. 
MITIGATIONS\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * Use trusted DNS servers in the internal network and restrict DNS traffic to this network only through firewalls.\n * Protect network access to affected devices.\n\nAs a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to [Siemens operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and follow the recommendations in the product manuals.\n\nAdditional information on industrial security by Siemens can be found at: <https://www.siemens.com/industrialsecurity>\n\nFor more information about this issue, please see Siemens Security Advisory [SSA-288459](<https://cert-portal.siemens.com/productcert/pdf/ssa-288459.pdf>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 
\n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability. \n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-257-11>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-09-14T00:00:00", "type": "ics", "title": "Siemens SIMATIC RFID", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2021-09-14T00:00:00", "id": "ICSA-21-257-11", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-257-11", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-08-05T19:23:31", "description": "A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS 
CONNECT 400 (All versions < V0.5.0.0). The DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-22T21:15:00", "type": "cve", "title": "CVE-2020-27736", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27736"], "modified": "2022-08-05T17:13:00", "cpe": ["cpe:/a:siemens:nucleus_net:*", "cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-27736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27736", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-29T07:00:13", "description": "A vulnerability has been identified in Nucleus NET (All versions), 
Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). The DNS response parsing functionality does not properly validate various length and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the memory past the allocated structure.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-22T21:15:00", "type": "cve", "title": "CVE-2020-27737", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27737"], "modified": "2022-04-29T02:03:00", "cpe": ["cpe:/a:siemens:nucleus_net:*", "cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-27737", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27737", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": 
["cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-08-05T19:23:32", "description": "A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus Source Code (Versions including affected DNS modules). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-22T21:15:00", "type": "cve", "title": "CVE-2020-27009", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27009"], "modified": "2022-08-05T17:13:00", "cpe": ["cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-27009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27009", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-22T21:42:26", "description": "A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-22T21:15:00", "type": "cve", "title": "CVE-2020-27738", "cwe": ["CWE-788"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27738"], "modified": "2022-04-22T19:44:00", "cpe": ["cpe:/a:siemens:nucleus_net:*", "cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-27738", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27738", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-22T21:42:24", "description": "A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions >= V0.5.0.0 < V1.0.0.0). The DNS client does not properly randomize DNS transaction IDs. That could allow an attacker to poison the DNS cache or spoof DNS resolving.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-22T21:15:00", "type": "cve", "title": "CVE-2021-25677", "cwe": ["CWE-330"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25677"], "modified": "2022-04-22T19:41:00", "cpe": ["cpe:/o:siemens:simotics_connect_400_firmware:*", "cpe:/a:siemens:nucleus_net:*", 
"cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2021-25677", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25677", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:simotics_connect_400_firmware:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-05T18:53:45", "description": "** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer overflow in ipdnsc_decode_name() affects Wind River VxWorks 6.5 through 7. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-11T22:15:00", "type": "cve", "title": "CVE-2016-20009", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-20009"], "modified": "2022-04-05T17:24:00", "cpe": ["cpe:/o:siemens:sgt-200_firmware:*", "cpe:/o:siemens:sgt-a35_firmware:*", "cpe:/o:siemens:sgt-a65_firmware:*", "cpe:/o:siemens:sgt-a20_firmware:*", "cpe:/o:windriver:vxworks:7.0", 
"cpe:/o:siemens:sgt-100_firmware:*", "cpe:/o:siemens:sgt-300_firmware:*", "cpe:/o:siemens:sgt-400_firmware:*"], "id": "CVE-2016-20009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-20009", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:windriver:vxworks:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-200_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-300_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-100_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-a20_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-a65_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-a35_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sgt-400_firmware:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-10-19T20:47:07", "description": "A vulnerability has been identified in RUGGEDCOM RM1224 (All versions >= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4), SCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE SC-600 Family (All versions >= V2.0 and < V2.1.3), SCALANCE XB-200 (All versions < V4.1), SCALANCE XC-200 (All versions < V4.1), SCALANCE XF-200BA (All versions < V4.1), SCALANCE XM400 (All versions < V6.2), SCALANCE XP-200 (All versions < V4.1), SCALANCE XR-300WG (All versions < V4.1), SCALANCE XR500 (All versions < V6.2). Affected devices contain a stack-based buffer overflow vulnerability in the handling of STP BPDU frames that could allow a remote attacker to trigger a denial-of-service condition or potentially remote code execution. 
Successful exploitation requires the passive listening feature of the device to be active.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-15T17:15:00", "type": "cve", "title": "CVE-2021-25667", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25667"], "modified": "2022-10-19T19:26:00", "cpe": ["cpe:/o:siemens:scalance_sc636-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc632-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc646-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc642-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc622-2c_firmware:2.0"], "id": "CVE-2021-25667", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25667", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siemens:scalance_sc632-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc646-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc642-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc636-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc622-2c_firmware:2.0:*:*:*:*:*:*:*"]}, {"lastseen": 
"2022-03-23T18:53:18", "description": "In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-03-26T21:15:00", "type": "cve", "title": "CVE-2020-7461", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2021-09-16T16:03:00", "cpe": ["cpe:/o:freebsd:freebsd:12.1", "cpe:/o:freebsd:freebsd:11.4", "cpe:/o:freebsd:freebsd:11.3", "cpe:/o:siemens:simatic_rf650m_firmware:*", "cpe:/o:siemens:simatic_rf350m_firmware:*"], "id": "CVE-2020-7461", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7461", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:freebsd:freebsd:11.3:p7:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p4:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p10:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p2:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:-:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p1:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p2:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p4:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p3:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p8:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.4:p1:*:*:*:*:*:*", "cpe:2.3:o:siemens:simatic_rf650m_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p11:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p3:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p5:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p6:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p7:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p8:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.4:p2:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:-:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p12:*:*:*:*:*:*", "cpe:2.3:o:siemens:simatic_rf350m_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.4:-:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p5:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p1:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p6:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p9:*:*:*:*:*:*"]}, {"lastseen": "2022-04-29T07:00:14", "description": "A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus Source Code (Versions including affected DNS modules). The DNS domain name label parsing functionality does not properly validate the names in DNS-responses. The parsing of malformed responses could result in a write past the end of an allocated structure. 
An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-22T21:15:00", "type": "cve", "title": "CVE-2020-15795", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15795"], "modified": "2022-04-29T01:52:00", "cpe": ["cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-15795", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15795", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-01-26T00:09:02", "description": "A vulnerability has been identified in RUGGEDCOM RM1224 (All versions >= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4), SCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE SC-600 Family (All versions >= V2.0 and < V2.1.3), SCALANCE XB-200 (All versions < V4.1), SCALANCE XC-200 (All versions < V4.1), SCALANCE XF-200BA (All versions 
< V4.1), SCALANCE XM400 (All versions < V6.2), SCALANCE XP-200 (All versions < V4.1), SCALANCE XR-300WG (All versions < V4.1), SCALANCE XR500 (All versions < V6.2). Affected devices contain a stack-based buffer overflow vulnerability in the handling of STP BPDU frames that could allow a remote attacker to trigger a denial-of-service condition or potentially remote code execution.\nSuccessful exploitation requires the passive listening feature of the device to be active.\n\nThis plugin only works with Tenable.ot.\nPlease visit https://www.tenable.com/products/tenable-ot for more information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-25T00:00:00", "type": "nessus", "title": "Siemens (CVE-2021-25667)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25667"], "modified": "2023-01-25T00:00:00", "cpe": ["cpe:/o:siemens:scalance_x300wg_firmware"], "id": "TENABLE_OT_SIEMENS_CVE-2021-25667.NASL", "href": "https://www.tenable.com/plugins/ot/500782", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(500782);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/25\");\n\n script_cve_id(\"CVE-2021-25667\");\n\n script_name(english:\"Siemens (CVE-2021-25667)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OT asset is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability has been identified in RUGGEDCOM RM1224 (All versions\n>= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4),\nSCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE SC-600\nFamily (All versions >= V2.0 and < V2.1.3), SCALANCE XB-200 (All\nversions < V4.1), SCALANCE XC-200 (All versions < V4.1), SCALANCE\nXF-200BA (All versions < V4.1), SCALANCE XM400 (All versions < V6.2),\nSCALANCE XP-200 (All versions < V4.1), SCALANCE XR-300WG (All versions\n< V4.1), SCALANCE XR500 (All versions < V6.2). Affected devices\ncontain a stack-based buffer overflow vulnerability in the handling of\nSTP BPDU frames that could allow a remote attacker to trigger a\ndenial-of-service condition or potentially remote code execution.\nSuccessful exploitation requires the passive listening feature of the\ndevice to be active.\n\nThis plugin only works with Tenable.ot.\nPlease visit https://www.tenable.com/products/tenable-ot for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cert-portal.siemens.com/productcert/pdf/ssa-979775.pdf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://us-cert.cisa.gov/ics/advisories/icsa-21-068-03\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25667\");\n\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"No known exploits are available\");\n script_cwe_id(121);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_x300wg_firmware\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Tenable.ot\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tenable_ot_api_integration.nasl\");\n script_require_keys(\"Tenable.ot/Siemens\");\n\n exit(0);\n}\n\n\ninclude('tenable_ot_cve_funcs.inc');\n\nget_kb_item_or_exit('Tenable.ot/Siemens');\n\nvar asset = tenable_ot::assets::get(vendor:'Siemens');\n\nvar vuln_cpes = {\n \"cpe:/o:siemens:scalance_x300wg_firmware\" :\n {\"versionEndExcluding\" : \"4.1\", \"family\" : \"SCALANCE\"}\n};\n\ntenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-21T14:35:33", "description": "When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into in inadequately sized buffer. Impact : The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. 
However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-04T00:00:00", "type": "nessus", "title": "FreeBSD : FreeBSD -- dhclient heap overflow (762b7d4a-ec19-11ea-88f8-901b0ef719ab)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:FreeBSD", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_762B7D4AEC1911EA88F8901B0EF719AB.NASL", "href": "https://www.tenable.com/plugins/nessus/140236", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140236);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-7461\");\n script_xref(name:\"FreeBSD\", value:\"SA-20:26.dhclient\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0023\");\n\n script_name(english:\"FreeBSD : FreeBSD -- dhclient heap overflow (762b7d4a-ec19-11ea-88f8-901b0ef719ab)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"When parsing option 119 data, dhclient(8) 
computes the uncompressed\ndomain list length so that it can allocate an appropriately sized\nbuffer to store the uncompressed list. The code to compute the length\nfailed to handle certain malformed input, resulting in a heap overflow\nwhen the uncompressed list is copied into in inadequately sized\nbuffer. Impact : The heap overflow could in principle be exploited to\nachieve remote code execution. The affected process runs with reduced\nprivileges in a Capsicum sandbox, limiting the immediate impact of an\nexploit. However, it is possible the bug could be combined with other\nvulnerabilities to escape the sandbox.\");\n # https://vuxml.freebsd.org/freebsd/762b7d4a-ec19-11ea-88f8-901b0ef719ab.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9dfa738b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-7461\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:FreeBSD\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=12.1<12.1_9\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=11.4<11.4_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=11.3<11.3_13\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-08-17T10:22:40", "description": "# CVE-2020-7461\nPoC for DHCP vulnerability (NAME:WRECK) in FreeB...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-04-14T20:37:38", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Freebsd", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2022-07-08T00:56:33", "id": "8933576F-30F9-528A-836D-62A581226FAA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "freebsd_advisory": [{"lastseen": "2023-01-09T15:24:35", "description": "\\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-20:26.dhclient Security Advisory The FreeBSD Project Topic: dhclient heap overflow Category: core Module: dhclient Announced: 2020-09-02 Credits: Shlomi Oberman, JSOF Moshe Kol, JSOF Affects: All supported versions of FreeBSD. Corrected: 2020-08-31 21:28:09 UTC (stable/12, 12.1-STABLE) 2020-09-02 16:25:31 UTC (releng/12.1, 12.1-RELEASE-p9) 2020-08-31 21:28:57 UTC (stable/11, 11.4-STABLE) 2020-09-02 16:25:31 UTC (releng/11.4, 11.4-RELEASE-p3) 2020-09-02 16:25:31 UTC (releng/11.3, 11.3-RELEASE-p13) CVE Name: CVE-2020-7461 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is responsible for contacting DHCP servers on a network segment, and for initializing and configuring network interfaces and configuring name resolution based on received information. dhclient(8) handles DHCP option 119, the Domain Search Option, which provides a list of domains to search when resolving names using DNS. 
The option data format uses a compression scheme to avoid transmitting duplicate domain name labels. II. Problem Description When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into an inadequately sized buffer. III. Impact The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox. IV. Workaround No workaround is available. To trigger the bug, a system must be running dhclient(8) on the same network as a malicious DHCP server. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart dhclient or reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min \"Rebooting for a security update\" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch # fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch.asc # gpg --verify dhclient.patch.asc b) Apply the patch. 
Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision \\- ------------------------------------------------------------------------- stable/12/ r365010 releng/12.1/ r365257 stable/11/ r365011 releng/11.4/ r365257 releng/11.3/ r365257 \\- ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at \\-----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9VAvlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLdkBAAny+0h94iQA7oB15VA53c53IFS385b0Ik7JnKYQIphkuSTio+vfCUgrGJ vYg0Ry+HQ+asGCsCtL/SDJKnxtzcLzu+j5AV6WSbojSz8iQOoq50qWrOCulQoN/B ghPxT0TSoQMF5hl8XV221Q15q+an/1rk275K53IXMYppbhoJ6UtLzdqssVkhw2VC sx2NYpqXKmdipY0g0kdLxp105GevIEW0gSm7LMGESMh760ZDGKkk6YG8AO7jdhqg u/rwwY7JIom9qddg0vmGcD5LpOoWigJRorsZYU+gNdt69Qx5q2Lv1dvFP04X1ET/ BnxxJG/ETUKk3uaBsa3QhWnb4/KkTbx4TArxo8yqAqIyOF67ZDUNsa4G8rWudNb+ 9RFI8atHsdb4cpdMBZjLhMiKofJ6ICIuH2VcB+l+JQvdF/kHVamCsLQ79TBefBDc s2ubbnmkIzSN5Jm9EfEs2dV48I7e6YDpNifGNKkvRLncf/fcsYxHXq78rufvKTby aZbtN+daSz35yQqbIzWHwb/AaVzD7VfZUi/oeOC5ZXpVSVgyYWbG2zwN+LPkTVaa SbuAWPG4Ngf1kpdFypA0UNW8jLNHNxBFwpKMSKAfraj0puKaX/t7kxHZvNl0EQ7v qtJd/M9tjELQXEQrm5y/SepSPekJL6b6hW86Fpmy8EMEFshezug= =ttv2 \\-----END PGP SIGNATURE----- \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-02T00:00:00", "type": "freebsd_advisory", "title": "\nFreeBSD-SA-20:26.dhclient", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2020-09-02T00:00:00", "id": "FREEBSD_ADVISORY:FREEBSD-SA-20:26.DHCLIENT", "href": "https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nProblem Description:\nWhen parsing option 119 data, dhclient(8) computes the uncompressed domain\n\tlist length so that it can allocate an appropriately sized buffer to store\n\tthe uncompressed list. The code to compute the length failed to handle\n\tcertain malformed input, resulting in a heap overflow when the uncompressed\n\tlist is copied into an inadequately sized buffer.\nImpact:\nThe heap overflow could in principle be exploited to achieve remote code\n\texecution. The affected process runs with reduced privileges in a Capsicum\n\tsandbox, limiting the immediate impact of an exploit. 
However, it is\n\tpossible the bug could be combined with other vulnerabilities to escape the\n\tsandbox.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2020-09-02T00:00:00", "type": "freebsd", "title": "FreeBSD -- dhclient heap overflow", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2020-09-02T00:00:00", "id": "762B7D4A-EC19-11EA-88F8-901B0EF719AB", "href": "https://vuxml.freebsd.org/freebsd/762b7d4a-ec19-11ea-88f8-901b0ef719ab.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
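The FreeBSD advisory and VuXML entry above both describe the NAME:WRECK dhclient bug (CVE-2020-7461) as a disagreement between the code that sizes the buffer for the uncompressed option 119 domain list and the copy that fills it. The C program below is an added example written for this page; it is not dhclient's source and is not part of the advisory or of the Forescout/JSOF report. It decodes DHCP option 119 (the RFC 3397 Domain Search list: RFC 1035 labels with compression pointers into the option data) using one walker for both the sizing pass and the copy pass, rejects self-referencing or forward pointers, labels that run past the option and names with no terminator, and contrasts that with a hypothetical naive sizing routine that under-counts any name ending in a pointer. The function names `walk_name`, `expand_domain_search` and `naive_text_len`, the 255-byte cap on a name, and the sample byte strings are assumptions of this example; the well-formed sample is the two-name list used as the example in RFC 3397.

```c
/* Decoder for DHCP option 119 (Domain Search, RFC 3397): DNS names in RFC 1035
 * label format with compression pointers. Illustrative code written for this
 * page, not FreeBSD's dhclient. One walker serves both the sizing pass and the
 * copy pass, so the buffer can never be smaller than what is copied into it. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_TEXT 255   /* RFC 1035 bound on a name in presentation form */

/* Walk one name from *pos. With out == NULL only count; otherwise write the
 * dotted text to out (room guaranteed by the counting pass). Returns the text
 * length or -1 on malformed input; on success *pos is moved past the name's
 * inline bytes (its terminating 0, or the 2-byte pointer that ended it). */
static int walk_name(const uint8_t *opt, size_t optlen, size_t *pos, char *out)
{
    size_t i = *pos, next = 0, len = 0;
    int jumped = 0;

    for (;;) {
        if (i >= optlen) return -1;                 /* ran off the option: no terminator */
        uint8_t c = opt[i];
        if (c == 0) {                               /* end of this name */
            if (!jumped) next = i + 1;
            break;
        }
        if ((c & 0xC0) == 0xC0) {                   /* compression pointer */
            if (i + 1 >= optlen) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | opt[i + 1];
            if (!jumped) next = i + 2;
            jumped = 1;
            if (target >= i) return -1;             /* strictly backwards: no loops, never past the end */
            i = target;
            continue;
        }
        if (c & 0xC0) return -1;                    /* 0x40/0x80 label types are not valid here */
        if (c > optlen - i - 1) return -1;          /* label would run past the option */
        size_t add = c + (len ? 1 : 0);             /* label plus a '.' separator */
        if (len + add > MAX_NAME_TEXT) return -1;
        if (out) { if (len) out[len] = '.'; memcpy(out + len + (len ? 1 : 0), opt + i + 1, c); }
        len += add;
        i += 1 + c;
    }
    *pos = next;
    return (int)len;
}

/* Expand the whole option into a malloc'd, space-separated string, or return
 * NULL (allocating nothing) if any name is malformed. */
char *expand_domain_search(const uint8_t *opt, size_t optlen)
{
    size_t pos = 0, total = 0, off = 0;
    int n;

    while (pos < optlen) {                          /* pass 1: size */
        if ((n = walk_name(opt, optlen, &pos, NULL)) < 0) return NULL;
        total += (total ? 1 : 0) + (size_t)n;
    }
    char *s = malloc(total + 1);
    if (s == NULL) return NULL;
    pos = 0;
    while (pos < optlen) {                          /* pass 2: fill, same walk */
        if (off) s[off++] = ' ';
        if ((n = walk_name(opt, optlen, &pos, s + off)) < 0) { free(s); return NULL; }
        off += (size_t)n;
    }
    s[off] = '\0';
    return s;
}

/* Hypothetical sizing routine of the kind behind this bug class (not FreeBSD's
 * code): it counts only inline label bytes and treats a pointer as the end of a
 * name, so a name ending in a pointer is under-counted by its shared suffix. */
size_t naive_text_len(const uint8_t *opt, size_t optlen)
{
    size_t i = 0, total = 0;
    while (i < optlen) {
        uint8_t c = opt[i];
        if (c == 0) { i += 1; continue; }
        if ((c & 0xC0) == 0xC0) { i += 2; continue; }
        total += (size_t)c + 1;                     /* label plus separator */
        i += 1 + c;
    }
    return total;
}

/* Constructed samples. good[] is the RFC 3397 example: "eng.apple.com" then
 * "marketing.apple.com", whose second name ends in a pointer to offset 4. */
static const uint8_t good[] = {
    3,'e','n','g', 5,'a','p','p','l','e', 3,'c','o','m', 0,
    9,'m','a','r','k','e','t','i','n','g', 0xC0,0x04 };
static const uint8_t self_ptr[] = { 3,'e','n','g', 0xC0,0x04 };               /* pointer to itself */
static const uint8_t long_lbl[] = { 3,'e','n','g', 20,'a','p','p','l','e' };  /* label past the end */
static const uint8_t no_term[]  = { 3,'e','n','g', 5,'a','p','p','l','e' };   /* missing terminator */
```

Called on `good`, `expand_domain_search` returns `eng.apple.com marketing.apple.com` (33 bytes) while `naive_text_len` reports 24, the 9-byte gap being the `apple.com` suffix that the pointer in the second name shares with the first; a copy routine that follows the pointer into a 24-byte buffer is the shape of the bug the advisory describes. The three malformed samples are rejected in the sizing pass, before anything is allocated. The transferable rule for any decompressing parser is to derive the allocation size from exactly the code path that will perform the copy, never from a separate approximation of it.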