-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-265688: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC
S7-1500 TM MFP V1.1

Publication Date:        2024-04-09
Last Update:             2024-05-14
Current Version:         1.1
CVSS v3.1 Base Score:    7.8


SUMMARY
=======

Multiple vulnerabilities have been identified in the additional
GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1.

Siemens is preparing fix versions and recommends specific
countermeasures for products where fixes are not, or not yet
available.


AFFECTED PRODUCTS AND SOLUTION
==============================

* SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
  - Affected versions:
       All versions
  - Remediation:
       Currently no fix is available

       See recommendations from section "Workarounds and Mitigations"


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

  * Only build and run applications from trusted sources


Please follow the "General Security Recommendations".

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends
to configure the environment according to Siemens' operational
guidelines for Industrial Security (Download:

https://www.siemens.com/cert/operational-guidelines-industrial-
security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity


PRODUCT DESCRIPTION
===================

SIMATIC S7-1500 TM MFP is a Technology module Multi functional
platform for SIMATIC S7-1500 PLCs based on SIMATIC Industrial OS

VULNERABILITY DESCRIPTION
=========================

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory.
Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.


* Vulnerability CVE-2023-5678

  Issue summary: Generating excessively long X9.42 DH keys or checking
  excessively long X9.42 DH keys or parameters may be very slow.
  Impact summary: Applications that use the functions
  DH_generate_key() to generate an X9.42 DH key may experience long
  delays. Likewise, applications that use DH_check_pub_key(),
  DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42
  DH key or X9.42 DH parameters may experience long delays. Where the
  key or parameters that are being checked have been obtained from an
  untrusted source this may lead to a Denial of Service. While
  DH_check() performs all the necessary checks (as of CVE-2023-3817),
  DH_check_pub_key() doesn't make any of these checks, and is
  therefore vulnerable for excessively large P and Q parameters.
  Likewise, while DH_generate_key() performs a check for an
  excessively large P, it doesn't check for an excessively large Q. An
  application that calls DH_generate_key() or DH_check_pub_key() and
  supplies a key or parameters obtained from an untrusted source could
  be vulnerable to a Denial of Service attack. DH_generate_key() and
  DH_check_pub_key() are also called by a number of other OpenSSL
  functions. An application calling any of those other functions may
  similarly be affected. The other functions affected by this are
  DH_check_pub_key_ex(), EVP_PKEY_public_check(), and
  EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command
  line application when using the "-pubcheck" option, as well as the
  OpenSSL genpkey command line application. The OpenSSL SSL/TLS
  implementation is not affected by this issue. The OpenSSL 3.0 and
  3.1 FIPS providers are not affected by this issue.

    CVSS v3.1 Base Score: 5.3
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
    CWE:                  CWE-754: Improper Check for Unusual or Exceptional Conditions

* Vulnerability CVE-2023-6121

  An out-of-bounds read vulnerability was found in the NVMe-oF/TCP
  subsystem in the Linux kernel. This issue may allow a remote
  attacker to send a crafted TCP packet, triggering a heap-based
  buffer overflow that results in kmalloc data being printed and
  potentially leaked to the kernel ring buffer (dmesg).

    CVSS v3.1 Base Score: 4.3
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2023-6817

  A use-after-free vulnerability in the Linux kernel's netfilter:
  nf_tables component can be exploited to achieve local privilege
  escalation.

    The function nft_pipapo_walk did not skip inactive elements during
  set walk which could lead double deactivations of PIPAPO (Pile
  Packet Policies) elements, leading to use-after-free.

    We recommend upgrading past commit
  317eb9685095678f2c9f5a8189de698c5354316a.

    CVSS v3.1 Base Score: 7.8
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CWE:                  CWE-416: Use After Free

* Vulnerability CVE-2023-6931

  A heap out-of-bounds write vulnerability in the Linux kernel's
  Performance Events system component can be exploited to achieve
  local privilege escalation.

    A perf_event's read_size can overflow, leading to an heap out-of-
  bounds increment or write in perf_read_group().

    We recommend upgrading past commit
  382c27f4ed28f803b1f1473ac2d8db0afc795a1b.

    CVSS v3.1 Base Score: 7.8
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CWE:                  CWE-787: Out-of-bounds Write

* Vulnerability CVE-2023-6932

  A use-after-free vulnerability in the Linux kernel's ipv4: igmp
  component can be exploited to achieve local privilege escalation.

    A race condition can be exploited to cause a timer be mistakenly
  registered on a RCU read locked object which is freed by another
  thread.

    We recommend upgrading past commit
  e2b706c691905fe78468c361aaabc719d0a496f1.

    CVSS v3.1 Base Score: 7.8
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CWE:                  CWE-416: Use After Free

* Vulnerability CVE-2023-45898

  The Linux kernel before 6.5.4 has an es1 use-after-free in
  fs/ext4/extents_status.c, related to ext4_es_insert_extent.

    CVSS v3.1 Base Score: 7.8
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2024-0584

  A use-after-free issue was found in igmp_start_timer in
  net/ipv4/igmp.c in the network sub-component in the Linux Kernel.
  This flaw allows a local user to observe a refcnt use-after-free
  issue when receiving an igmp query packet, leading to a kernel
  information leak.

    CVSS v3.1 Base Score: 5.5
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CWE:                  CWE-416: Use After Free

* Vulnerability CVE-2024-0727

  Issue summary: Processing a maliciously formatted PKCS12 file may
  lead OpenSSL to crash leading to a potential Denial of Service
  attack

    Impact summary: Applications loading files in the PKCS12 format from
  untrusted sources might terminate abruptly.

    A file in PKCS12 format can contain certificates and keys and may
  come from an untrusted source. The PKCS12 specification allows
  certain fields to be NULL, but OpenSSL does not correctly check for
  this case. This can lead to a NULL pointer dereference that results
  in OpenSSL crashing. If an application processes PKCS12 files from
  an untrusted source using the OpenSSL APIs then that application
  will be vulnerable to this issue.

    OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
  PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(),
  PKCS12_unpack_authsafes() and PKCS12_newpass().

    We have also fixed a similar issue in SMIME_write_PKCS7(). However
  since this function is related to writing data we do not consider it
  security significant.

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

    CVSS v3.1 Base Score: 5.5
    CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2024-2511

  Issue summary: Some non-default TLS server configurations can cause
  unbounded memory growth when processing TLSv1.3 sessions Impact
  summary: An attacker may exploit certain server configurations to
  trigger unbounded memory growth that would lead to a Denial of
  Service This problem can occur in TLSv1.3 if the non-default
  SSL_OP_NO_TICKET option is being used (but not if early_data support
  is also configured and the default anti-replay protection is in
  use). In this case, under certain conditions, the session cache can
  get into an incorrect state and it will fail to flush properly as it
  fills. The session cache will continue to grow in an unbounded
  manner. A malicious client could deliberately create the scenario
  for this failure to force a Denial of Service. It may also happen by
  accident in normal operation. This issue only affects TLS servers
  supporting TLSv1.3. It does not affect TLS clients. The FIPS modules
  in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is
  also not affected by this issue.

    CVSS v3.1 Base Score: 3.7
    CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
    CWE:                  CWE-400: Uncontrolled Resource Consumption


ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2024-04-09): Publication Date
V1.1 (2024-05-14): Added CVE-2024-2511

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2024
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEch+g+vCfo0skv7l6x5aGHHWng/oFAmZCqYAACgkQx5aGHHWn
g/rMLg//Yqr/w0vnK4/9jH9wB+K2bvd9o/A+GeVhPPgsJ3tT3r++9uXXdrCU6DeM
4cbeqBox8hUsACei7UnRKxWsDhz7OQjc6mYWYEJBeahGQLH018GNCoEKnurbdt3c
z8fr56yKfFaMkLOA26T7dmNAV4GQ9zEg/YgymQSG9keaotDaR4tZsFWP6MYq1jPH
v4hKjnZfhDg2Sn3g2FtJ3koavaDc6BROPeKuqyEwsNUKK11K9RblqvffUWK+Inv6
pAkiBD6A31FxeSvUFNKwhuQsUHJhJoPrFeSl78dEHRQBmrE65d4Nc9aSN6m7lSAb
RE5akAHOhTnjuqwwHJZXxYODaqB9rJZFy5BqRRB/PtDnIHWncW91Hc+KMtupq0W0
87/Hp+vg0JCWEm8Ag+R9y/221gIrtshI2+CZsUsfNieANK8oxBd4Ndx4XJh2cF8H
TqnCu8OnSBL1PG7ocWS7uXJxtbnOVQLh8fZ6NvHFmxAAZFYvvkEyciaWl+QdsC7/
DkHEOaTNYPqWpRoI2RCGaqtgKr15+dK9IpqOaDlLIkPeRmYiLNey36Nf8SNtaRPe
WqJQ6xX5RFWhr7uImcMAbl34fJruAUAv1K5dEDeCFNeS+cmOWGqYP0dPYd5nGnYh
QB1iisT6Yx3UgcWlJzGnfQ+FM6g5EFOTMiEwIfbPUCiFLQtqF/s=
=RKkb
-----END PGP SIGNATURE-----