-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-099606: Multiple Vulnerabilities in SIMATIC MV500 before V3.3.5

Publication Date:        2023-11-14
Last Update:             2023-11-14
Current Version:         1.0
CVSS v3.1 Base Score:    9.8


SUMMARY
=======

SIMATIC MV500 before V3.3.5 is affected by multiple vulnerabilities.

Siemens has released an update for SIMATIC MV500 and recommends to
update to the latest version.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIMATIC MV500 family
  - Affected versions:
       All versions < V3.3.5
  - Remediation:
       Update to V3.3.5 or later version
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109825816/


WORKAROUNDS AND MITIGATIONS
===========================

Product-specific remediations or mitigations can be found in the section
"Affected Products and Solution".
Please follow the "General Security Recommendations".

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends
to configure the environment according to Siemens' operational
guidelines for Industrial Security (Download:

https://www.siemens.com/cert/operational-guidelines-industrial-
security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity


PRODUCT DESCRIPTION
===================

SIMATIC MV500 products are stationary optical readers, used to
reliably capture printed, lasered, drilled, punched and dotpeen codes
on a variety of different surfaces.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2022-23218

  The deprecated compatibility function svcunix_create in the sunrpc
  module of the GNU C Library (aka glibc) through 2.34 copies its path
  argument on the stack without validating its length, which may
  result in a buffer overflow, potentially resulting in a denial of
  service or (if an application is not built with a stack protector
  enabled) arbitrary code execution.

    CVSS v3.1 Base Score: 9.8
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
    CWE:                  CWE-120: Buffer Copy without Checking Size of Input ('Classic
                          Buffer Overflow')

* Vulnerability CVE-2022-23219

  The deprecated compatibility function clnt_create in the sunrpc
  module of the GNU C Library (aka glibc) through 2.34 copies its
  hostname argument on the stack without validating its length, which
  may result in a buffer overflow, potentially resulting in a denial
  of service or (if an application is not built with a stack protector
  enabled) arbitrary code execution.

    CVSS v3.1 Base Score: 9.8
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
    CWE:                  CWE-120: Buffer Copy without Checking Size of Input ('Classic
                          Buffer Overflow')

* Vulnerability CVE-2022-44792

  handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-
  SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be
  used by a remote attacker (who has write access) to cause the
  instance to crash via a crafted UDP packet, resulting in Denial of
  Service.

    CVSS v3.1 Base Score: 6.5
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
    CWE:                  CWE-476: NULL Pointer Dereference

* Vulnerability CVE-2022-44793

  handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in
  Net- SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that
  can be used by a remote attacker to cause the instance to crash via
  a crafted UDP packet, resulting in Denial of Service.

    CVSS v3.1 Base Score: 6.5
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
    CWE:                  CWE-476: NULL Pointer Dereference

* Vulnerability CVE-2023-2975

  Issue summary: The AES-SIV cipher implementation contains a bug that
  causes it to ignore empty associated data entries which are
  unauthenticated as a consequence. Impact summary: Applications that
  use the AES-SIV algorithm and want to authenticate empty data
  entries as associated data can be mislead by removing adding or
  reordering such empty entries as these are ignored by the OpenSSL
  implementation. We are currently unaware of any such applications.
  The AES-SIV algorithm allows for authentication of multiple
  associated data entries along with the encryption. To authenticate
  empty data the application has to call EVP_EncryptUpdate() (or
  EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as
  the input buffer length. The AES-SIV implementation in OpenSSL just
  returns success for such a call instead of performing the associated
  data authentication operation. The empty data thus will not be
  authenticated. As this issue does not affect non-empty associated
  data authentication and we expect it to be rare for an application
  to use empty associated data entries this is qualified as Low
  severity issue.

    CVSS v3.1 Base Score: 5.3
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
    CWE:                  CWE-287: Improper Authentication

* Vulnerability CVE-2023-3446

  Issue summary: Checking excessively long DH keys or parameters may
  be very slow. Impact summary: Applications that use the functions
  DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH
  key or DH parameters may experience long delays. Where the key or
  parameters that are being checked have been obtained from an
  untrusted source this may lead to a Denial of Service. The function
  DH_check() performs various checks on DH parameters. One of those
  checks confirms that the modulus ('p' parameter) is not too large.
  Trying to use a very large modulus is slow and OpenSSL will not
  normally use a modulus which is over 10,000 bits in length. However
  the DH_check() function checks numerous aspects of the key or
  parameters that have been supplied. Some of those checks use the
  supplied modulus value even if it has already been found to be too
  large. An application that calls DH_check() and supplies a key or
  parameters obtained from an untrusted source could be vulernable to
  a Denial of Service attack. The function DH_check() is itself called
  by a number of other OpenSSL functions. An application calling any
  of those other functions may similarly be affected. The other
  functions affected by this are DH_check_ex() and
  EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and
  pkeyparam command line applications when using the '-check' option.
  The OpenSSL SSL/TLS implementation is not affected by this issue.
  The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this
  issue.

    CVSS v3.1 Base Score: 5.3
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
    CWE:                  CWE-1333: Inefficient Regular Expression Complexity

* Vulnerability CVE-2023-3817

  Issue summary: Checking excessively long DH keys or parameters may
  be very slow. Impact summary: Applications that use the functions
  DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH
  key or DH parameters may experience long delays. Where the key or
  parameters that are being checked have been obtained from an
  untrusted source this may lead to a Denial of Service. The function
  DH_check() performs various checks on DH parameters. After fixing
  CVE-2023-3446 it was discovered that a large q parameter value can
  also trigger an overly long computation during some of these checks.
  A correct q value, if present, cannot be larger than the modulus p
  parameter, thus it is unnecessary to perform these checks if q is
  larger than p. An application that calls DH_check() and supplies a
  key or parameters obtained from an untrusted source could be
  vulnerable to a Denial of Service attack. The function DH_check() is
  itself called by a number of other OpenSSL functions. An application
  calling any of those other functions may similarly be affected. The
  other functions affected by this are DH_check_ex() and
  EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and
  pkeyparam command line applications when using the "-check" option.
  The OpenSSL SSL/TLS implementation is not affected by this issue.
  The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this
  issue.

    CVSS v3.1 Base Score: 5.3
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
    CWE:                  CWE-834: Excessive Iteration

* Vulnerability CVE-2023-35788

  An issue was discovered in fl_set_geneve_opt in
  net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows
  an out-of-bounds write in the flower classifier code via
  TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of
  service or privilege escalation.

    CVSS v3.1 Base Score: 7.8
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
    CWE:                  CWE-787: Out-of-bounds Write




ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2023-11-14): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2023
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEch+g+vCfo0skv7l6x5aGHHWng/oFAmVSuIAACgkQx5aGHHWn
g/oLMRAAm0/bsWzlk8rz3z5CpH54CwKZ4PB8npojmG3IXjm9m6w2NyFBcgGbPFil
DhJJft6nZJBH8RTIpuqcoTxvF2VEKoeVoiCfqNnT+2Gg/jnzQWCMw9ItKF7mCEuk
UtftC394+Kzcy0G6XjgJ1PlfbfKluNMKGvPDHpvBrrJtwhnUPyfHy78nUIfGgxDV
y0Ae4uhPJUVqyq9AtJgECO7RyTU3w+A2lKy8ePqjOQYdBJLDNvmNqNBFaxGOCp57
MnspgVCNqZy5eIBIMqa6ABas30kjGQ6MYbuJqSdo80rTt6W0Up2ve71ozJJyhnEb
elYXs3IDBc4bD68IR6YZtytR9zWhUZIlwr+dZ5jUmXMHz4AWcRUIl4miVYJjH7rN
0dO3obzHL+FHitABfn0lUgNDz8M7Htsj/qduGifUp8mV70hemz586w+SfQ+6O1a0
Twu8fMwGEwMIAd7HC2uBd/ysDn6+jGR2I9/yXTok0fG4nwMYO9Q0ANMPzvOvvAsG
kGswE7R83cFfoPqFhLLwewuyOAh5rYn8KIbelVnNKWqaWCqavmkvanABcuSa2Wqu
7aWkvDUaNvaiimz9pZb/WffVeF+3fnPn2Qr5tIt1et2BMLd4yGtnEERb1SdiNtzz
5QXQpIgrm/6E0rXzrpuUFW3Z/dkqjf05WWpFzMQwsNBky7ileSg=
=PTAZ
-----END PGP SIGNATURE-----