-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-669158: DNS Client Vulnerabilities in SIMOTICS CONNECT 400

Publication Date:        2021-04-13
Last Update:             2022-03-08
Current Version:         1.1
CVSS v3.1 Base Score:    6.5

SUMMARY
=======

SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as
initially reported in Siemens Security Advisory SSA-705111
(https://cert-portal.siemens.com/productcert/pdf/ssa-705111.pdf) for the
DNS Module in Nucleus RTOS.

Siemens has released updates for the SIMOTICS CONNECT 400 and recommends
to update to the latest version.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIMOTICS CONNECT 400
  - Affected versions:
       All versions < V0.5.0.0
  - Remediation:
       Update to V0.5.0.0 or later version
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109778383/

* SIMOTICS CONNECT 400
  - Affected versions:
       All versions >= V0.5.0.0 < V1.0.0.0
  - Affected by vulnerabilities:
    - CVE-2021-25677
  - Remediation:
       Update to V1.0.0.0 or later version
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109778383/


WORKAROUNDS AND MITIGATIONS
===========================


Siemens has not identified any additional specific workarounds or mitigations.
Please follow the "General Security Recommendations".

Product specific mitigations can be found in the section "Affected Products and Solution".

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SIMOTICS CONNECT 400 is a connector and sensor box, mounted on
low-voltage motors to provide analytics data for the MindSphere
application SIDRIVE IQ Fleet.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2020-27736

  The DNS domain name label parsing functionality does not properly
  validate the null-terminated name in DNS-responses. The parsing of
  malformed responses could result in a read past the end of an allocated
  structure. An attacker with a privileged position in the network could
  leverage this vulnerability to cause a denial-of-service condition or
  leak the read memory.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-170: Improper Null Termination

* Vulnerability CVE-2020-27737

  The DNS response parsing functionality does not properly validate
  various length and counts of the records. The parsing of malformed
  responses could result in a read past the end of an allocated structure.
  An attacker with a privileged position in the network could leverage
  this vulnerability to cause a denial-of-service condition or leak the
  memory past the allocated structure.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-125: Out-of-bounds Read

* Vulnerability CVE-2020-27738

  The DNS domain name record decompression functionality does not properly
  validate the pointer offset values. The parsing of malformed responses
  could result in a read access past the end of an allocated structure. An
  attacker with a privileged position in the network could leverage this
  vulnerability to cause a denial-of-service condition.

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-788: Access of Memory Location After End of Buffer

* Vulnerability CVE-2021-25677

  The DNS client does not properly randomize DNS transaction IDs. That
  could allow an attacker to poison the DNS cache or spoof DNS resolving.

  CVSS v3.1 Base Score: 5.3
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-330: Use of Insufficiently Random Values


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * Daniel dos Santos from Forescout Technologies Inc. for coordinated disclosure



ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2021-04-13): Publication Date
V1.1 (2022-03-08): Added solution for CVE-2021-25677

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmImnIAACgkQlm7gTEmy
ujRf9w//b9y4hbkflpNAaKuVNFdgVMrODgIYFa5QSIwBvIJsW3pX5VPxGYWvj+0Q
vmZfarlsI6N71inWs/Ek6gPnYXmc1JYMx1m+aIv24zFSuPd8rTqfxnc54D/FYPcv
aCXuO/+Y4jgjftc4cEP7ROv3vKxxGUV2WFLej/SAQHg0Wrf8lQiXIgF+12v4kSvP
I6luuh44XoUumbDE36vlXn8Ykap2L3MM/5b6G9g6QdFk7MyZH2Gjwok1xs96FG1f
gw2st3eRfPsZHPMYH5/Ww22l/XOexTUtSeoCdK20fxk7hVMleMMiWgCtXlyb0YKq
r3CML9VLM/C2RjkwKo8t7r70+vv/CTYkhbRDwIZ4VC3JXFDPblcHkBbbYBHdevXg
tGuMIyOyxcOOt2OBQxftH5WQLMNxABrjpl4yaU6jRPZ1iRvpzDGsWOk2rUVG4nKG
ft2s4rEGPz1nq/CYt6i/erXeqh3Ehi4h3sXpGSzKdDC1ayjCCX56YZpMKb+/eSee
HsAPCd8S0jYRFtS4OCE5mEsl0s3LuC+88+cenE4fijUAYBAR7toeGEM63SeklkH4
xQJ9TAgEvio0t1fcGiOAcbchjFNeY3FTHKH05o9HO9EcaRrWQ8mvTEzcvwGh55rA
GBsQ9SLvhhO/ytKnb17Va6EyWlYKr20tYLxIPpt39uBI0/jhE2Y=
=dMSO
-----END PGP SIGNATURE-----