Siemens Industrial Devices using libcurl Use After Free (CVE-2021-22924)

low Tenable OT Security Plugin ID 501053

Synopsis

The remote OT asset is affected by a vulnerability.

Description

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends countermeasures for products where updates are not yet available.

- RUGGEDCOM RM1224, SCALANCE M804PB, SCALANCE M812-1, SCALANCE M816-1, SCALANCE M826-2, SCALANCE M874-2, SCALANCE M874-3, SCALANCE M876-3, SCALANCE M876-4, SCALANCE MUM856-1, and SCALANCE S615: Update to v7.1 or later
- SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1: Update to v3.0.22 or later
- SIMATIC RTU3010C, SIMATIC RTU3030C, SIMATIC RTU3031C, and SIMATIC RTU3041C: Update to v5.0 or later

- SIMATIC CP 1242-7 V2, SIMATIC CP 1243-1, SIMATIC CP 1243-7 LTE EU, SIMATIC CP 1243-7 LTE US, SIMATIC CP 1243-8 IRC, SIPLUS NET CP 1242-7 V2, SIPLUS S7-1200 CP 1243-1, and SIPLUS S7-1200 CP 1243-1 RAIL: Update to V3.3.46 or later

- SIMATIC CP 1545-1: Update to v1.1 or later version
- SINEMA Remote Connect Client: Update to v3.1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and to follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For additional information, please refer to Siemens Security Advisory SSA-732250

See Also

https://hackerone.com/reports/1223565

http://www.nessus.org/u?1527c2f4

https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html

http://www.nessus.org/u?a7de169c

http://www.nessus.org/u?d9e232d6

http://www.nessus.org/u?8ad28351

http://www.nessus.org/u?8c671f18

https://security.netapp.com/advisory/ntap-20210902-0003/

https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-13

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf

https://www.debian.org/security/2022/dsa-5197

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

https://www.cisa.gov/news-events/ics-advisories/icsa-22-167-17

Plugin Details

Severity: Low

ID: 501053

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 4/11/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-22924

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_mum856-1_firmware, cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_nam_firmware, cpe:/o:siemens:scalance_m874-3_firmware, cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_eu_firmware, cpe:/o:siemens:logo%21_cmr2040_firmware, cpe:/o:siemens:scalance_m812-1_adsl-router_firmware, cpe:/o:siemens:siplus_s7-1200_cp_1243-1_firmware, cpe:/o:siemens:simatic_cp_1242-7_v2_firmware, cpe:/o:siemens:scalance_m826-2_shdsl-router_firmware, cpe:/o:siemens:logo%21_cmr2020_firmware, cpe:/o:siemens:simatic_cp_1243-7_lte_eu_firmware, cpe:/o:siemens:scalance_m816-1_adsl-router_firmware, cpe:/o:siemens:simatic_cp_1545-1_firmware, cpe:/o:siemens:simatic_cp_1243-7_lte_us_firmware, cpe:/o:siemens:siplus_s7-1200_cp_1243-1_rail_firmware, cpe:/o:siemens:scalance_m874-2_firmware, cpe:/o:siemens:scalance_m876-3_firmware, cpe:/o:siemens:siplus_net_cp_1543-1_firmware, cpe:/o:siemens:scalance_m876-4_firmware, cpe:/o:siemens:scalance_s615_firmware, cpe:/o:siemens:simatic_cp_1243-8_irc_firmware, cpe:/o:siemens:simatic_cp_1243-1_firmware, cpe:/o:siemens:siplus_net_cp_1242-7_v2_firmware, cpe:/o:siemens:scalance_m804pb_firmware, cpe:/o:siemens:simatic_cp_1543-1_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2021

Vulnerability Publication Date: 8/5/2021

Reference Information

CVE: CVE-2021-22924

CWE: 706

DSA: DSA-5197

FEDORA: FEDORA-2021-5d21b90a30

ICSA: 22-132-13, 22-167-17