-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-497656: Multiple NTP Vulnerabilities in TIM 4R-IE Devices

Publication Date:        2021-04-13
Last Update:             2021-04-13
Current Version:         1.0
CVSS v3.1 Base Score:    9.8

SUMMARY
=======

There are multiple vulnerabilities in the underlying NTP component of
the affected TIM 4R-IE.

Siemens recommends specific countermeasures for products where updates
are not, or not yet available.


AFFECTED PRODUCTS AND SOLUTION
==============================


* TIM 4R-IE (incl. SIPLUS NET variants) 
  - Affected versions:
       All versions
  - Remediation:
        See recommendations from section Workarounds and Mitigations

* TIM 4R-IE DNP3 (incl. SIPLUS NET variants) 
  - Affected versions:
       All versions
  - Remediation:
        See recommendations from section Workarounds and Mitigations


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Deactivate NTP-based time syncronization of the device, if enabled. The
feature is disabled by default.

* Configure an additional firewall to prevent communication to the port
udp/123 of an affected device.

* Migrate to a successor product.



GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

The TIM 4R-IE is a SINAUT ST7 communications module for the SIMATIC
S7-300 with an RS232 interface for SINAUT communication via a classic
WAN and an RJ45 interface for SINAUT communication via an IP-based
network (WAN or LAN).

The TIM 4R-IE DNP3 communication module for SIMATIC S7-300 with an RS232
interface for DNP3 communication via a classic WAN and an RJ45 interface
for DNP3 communication via a IP-based network (WAN or LAN).

SIPLUS extreme products are designed for reliable operation under
extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS,
SIMOTION, SCALANCE or other devices. SIPLUS devices use the same
firmware as the product they are based on.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2015-5219

  The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly
  perform type conversions from a precision value to a double, which
  allows remote attackers to cause a denial of service (infinite loop) via
  a crafted NTP packet.

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-704: Incorrect Type Conversion or Cast

* Vulnerability CVE-2015-7855

  The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x
  before 4.3.77 allows remote attackers to cause a denial of service
  (assertion failure) via a 6 or mode 7 packet containing a long data
  value.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2015-7871

  Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before
  4.3.77 allows remote attackers to bypass authentication.

  CVSS v3.1 Base Score: 9.8
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-287: Improper Authentication

* Vulnerability CVE-2015-7973

  NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast
  mode, allows man-in-the-middle attackers to conduct replay attacks by
  sniffing the network.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-254: 7PK - Security Features

* Vulnerability CVE-2015-7974

  NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer
  associations of symmetric keys when authenticating packets, which might
  allow remote attackers to conduct impersonation attacks via an arbitrary
  trusted key, aka a "skeleton key."

  CVSS v3.1 Base Score: 7.7
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C
  CWE:                  CWE-287: Improper Authentication

* Vulnerability CVE-2015-7977

  ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote
  attackers to cause a denial of service (NULL pointer dereference) via a
  ntpdc reslist command.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-476: NULL Pointer Dereference

* Vulnerability CVE-2015-7979

  NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to
  cause a denial of service (client-server association tear down) by
  sending broadcast packets with invalid authentication to a broadcast
  client.

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-19: Data Processing Errors

* Vulnerability CVE-2015-7705

  The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before
  4.3.77 allows remote attackers to have unspecified impact via a large
  number of crafted requests.

  CVSS v3.1 Base Score: 9.8
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2015-8138

  NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to
  bypass the origin timestamp validation via a packet with an origin
  timestamp set to zero.

  CVSS v3.1 Base Score: 5.3
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
  CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2016-1547

  An off-path attacker can cause a preemptible client association to be
  demobilized in NTP 4.2.8p4 and earlier and NTPSec
  a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet
  to a victim client with a spoofed source address of an existing
  associated peer. This is true even if authentication is enabled.

  CVSS v3.1 Base Score: 5.3
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
  CWE:                  CWE-20: Improper Input Validation

* Vulnerability CVE-2016-1548

  An attacker can spoof a packet from a legitimate ntpd server with an
  origin timestamp that matches the peer->dst timestamp recorded for that
  server. After making this switch, the client in NTP 4.2.8p4 and earlier
  and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all
  future legitimate server responses. It is possible to force the victim
  client to move time after the mode has been changed. ntpq gives no
  indication that the mode has been switched.

  CVSS v3.1 Base Score: 7.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L/E:U/RL:O/RC:C
  CWE:                  CWE-19: Data Processing Errors

* Vulnerability CVE-2016-1550

  An exploitable vulnerability exists in the message authentication
  functionality of libntp in ntp 4.2.8p4 and NTPSec
  a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series
  of crafted messages to attempt to recover the message digest key.

  CVSS v3.1 Base Score: 5.3
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
  CWE:                  CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

* Vulnerability CVE-2016-4953

  ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial
  of service (ephemeral-association demobilization) by sending a spoofed
  crypto-NAK packet with incorrect authentication data at a certain time.

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-287: Improper Authentication

* Vulnerability CVE-2016-4954

  The process_packet function in ntp_proto.c in ntpd in NTP 4.x before
  4.2.8p8 allows remote attackers to cause a denial of service
  (peer-variable modification) by sending spoofed packets from many source
  IP addresses in a certain scenario, as demonstrated by triggering an
  incorrect leap indication.

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
  CWE:                  CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization
('Race Condition')




ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2021-04-13): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElTRCLAVwzKf/b8X80/SB6hFKr+QFAmB03wAACgkQ0/SB6hFK
r+RaxA/+JfvcMGR2mtvak7N+WuIt1YIbPDl9Io04/N6lUlZzWMUwRmQ2jc6ntZpw
wHw9+NKBN4ogt5+//oLz+4lxY1j44TU1k1Y2X8hKOIMliXY9ekpunww3waW6auf8
3fa5AT49rSzPWCS3dxYpxMQE9fld4DSFvC3FFX1W5p4dvTr1CLUfV/D0WpvqtJQG
Zpkkzt+OySbZH89/3U1nYgX9TSa/IXUPSzGnRBtms03l0zbkMOilnriD+imo+NDt
IJqhTey6SgkYjrwBtRPrXAX+C70fKXbqXaj8iCNrnap1i9QDIW4W+NARxoJHynZ2
snCLSN33QGnsUGN2nPmDrOb+9SjCbmLv3DpgC3mTOYFBUtlzu5ce8xW0YnJJZvYK
HJdmzGKIN5FNn9exl64u1ZBlSsTWbnXk9UzXcSvDFjwX2EM+82QptX3kx4TT1Zca
lWCJ/3QB3TJh6yGbhZDFIxRpCiHiKoxoiZzYA3keMRb1usrcvzKTFnJTYJ3H7b4E
6J7KKUdwhkR+yn5HS/gLCyiVcShQLo5hu2Cs8e24s9sVCC1EIrgRUg00WCZEQcew
u05GDfoBXvLmeE2f38K2Q2fqkpZ64nxWqMlFx2GDOVqI2oe8l8I/mon21JdqhlyQ
9xFYSLkuQ/bX0sjGFjMhI31gK/SScnzj6mx1xtSm2jCsmPbfmcU=
=Y/78
-----END PGP SIGNATURE-----