Siemens SIMATIC and SCALANCE Products Encryption Strength (CVE-2022-4304)

Medium severity, Tenable OT Security Plugin ID 501840

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A timing-based side channel exists in the OpenSSL RSA decryption implementation, which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker who had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages, the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
- CVE-2022-4304: Disable the use of RSA ciphers in the web server configuration; note that RSA ciphers are disabled by default.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security. Additional information on Siemens Industrial Security is available on the Siemens website.

For more information, see the associated Siemens security advisory SSA-203374 in HTML and CSAF.

See Also

https://www.openssl.org/news/secadv/20230207.txt

https://cert-portal.siemens.com/productcert/html/ssa-203374.html

https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-04

https://cert-portal.siemens.com/productcert/html/ssa-699386.html

https://cert-portal.siemens.com/productcert/html/ssa-398330.html

https://cert-portal.siemens.com/productcert/html/ssa-794697.html

https://cert-portal.siemens.com/productcert/html/ssa-625862.html

https://cert-portal.siemens.com/productcert/html/ssa-879734.html

https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-10

https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-11

https://cert-portal.siemens.com/productcert/html/ssa-264814.html

Plugin Details

Severity: Medium

ID: 501840

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 12/19/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2022-4304

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_xp208eec_firmware, cpe:/o:siemens:scalance_xc216_firmware, cpe:/o:siemens:scalance_w1750d_firmware, cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_firmware, cpe:/o:siemens:scalance_xc208g_firmware, cpe:/o:siemens:simatic_et200pro_firmware:3.2.19, cpe:/o:siemens:siplus_net_scalance_xc206-2_firmware, cpe:/o:siemens:scalance_xc208g_poe_firmware, cpe:/o:siemens:scalance_xr324wg_firmware, cpe:/o:siemens:simatic_drive_controller_cpu_1504d_tf_firmware:3.0.3, cpe:/o:siemens:simatic_s7-300_cpu_firmware:3.3.19, cpe:/o:siemens:simatic_s7-1500_firmware:2.9.7, cpe:/o:siemens:scalance_xc206-2sfp_eec_firmware, cpe:/o:siemens:simatic_drive_controller_cpu_1504d_tf_firmware:2.9.7, cpe:/o:siemens:scalance_xb216_firmware, cpe:/o:siemens:simatic_s7-1200_firmware:-, cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware, cpe:/o:siemens:simatic_s7-300_cpu_firmware:3.2.19, cpe:/o:siemens:scalance_xp216poe_eec_firmware, cpe:/o:siemens:scalance_xc206-2sfp_firmware, cpe:/o:siemens:scalance_xf204-2ba_dna_firmware, cpe:/o:siemens:scalance_xc216-4c_g_firmware, cpe:/o:siemens:scalance_xc216-4c_g_eec_firmware, cpe:/o:siemens:scalance_xc224-4c_g_firmware, cpe:/o:siemens:scalance_xr326-2c_poe_firmware, cpe:/o:siemens:scalance_xm408-4c_firmware, cpe:/o:siemens:siplus_net_scalance_xc206-2sfp_firmware, cpe:/o:siemens:scalance_xc208g_eecfirmware, cpe:/o:siemens:scalance_xr526-8c_firmware, cpe:/o:siemens:scalance_xb205-3ld_firmware, cpe:/o:siemens:scalance_xc206-2g_poe_firmware, cpe:/o:siemens:scalance_xc216eec_firmware, cpe:/o:siemens:scalance_xb208_firmware, cpe:/o:siemens:scalance_xc208_eec_firmware, cpe:/o:siemens:scalance_xc224-4c_g_eec_firmware, cpe:/o:siemens:scalance_xr552-12m_firmware, cpe:/o:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware, cpe:/o:siemens:scalance_xc208_firmware, cpe:/o:siemens:simatic_et200pro_firmware:2.9.7, cpe:/o:siemens:scalance_xc206-2_firmware, cpe:/o:siemens:scalance_xc216-4c_firmware, 
cpe:/o:siemens:scalance_xc206-2g_poe_eec_firmware, cpe:/o:siemens:scalance_xc206-2sfp_g_firmware, cpe:/o:siemens:siplus_net_scalance_xc216-4c_firmware, cpe:/o:siemens:scalance_xf204_dna_firmware, cpe:/o:siemens:scalance_xb205-3_firmware, cpe:/o:siemens:simatic_s7-1500_tm_mfp, cpe:/o:siemens:scalance_xp208poe_eec_firmware, cpe:/o:siemens:scalance_xc224_firmware, cpe:/o:siemens:scalance_xr528-6m_firmware, cpe:/o:siemens:siplus_net_scalance_xc208_firmware, cpe:/o:siemens:simatic_et200sp_firmware:-, cpe:/o:siemens:simatic_s7-1500_firmware:3.0.3, cpe:/o:siemens:scalance_xp208_firmware, cpe:/o:siemens:scalance_xr328-4c_wg_firmware, cpe:/o:siemens:scalance_xc206-2sfp_g_eec_firmware, cpe:/o:siemens:scalance_xm416-4c_firmware, cpe:/o:siemens:simatic_drive_controller_cpu_1507d_tf_firmware:3.0.3, cpe:/o:siemens:simatic_s7-1500_firmware:3.1.0, cpe:/o:siemens:scalance_xr524-8c_firmware, cpe:/o:siemens:simatic_et200sp_firmware:2.9.7, cpe:/o:siemens:scalance_xf204-2ba_firmware, cpe:/o:siemens:scalance_xb213-3_firmware, cpe:/o:siemens:simatic_cp_1542sp-1_firmware, cpe:/o:siemens:scalance_xb213-3ld_firmware, cpe:/o:siemens:scalance_xc216-3g_poe_firmware, cpe:/o:siemens:scalance_xf204_firmware, cpe:/o:siemens:scalance_xp216_firmware, cpe:/o:siemens:scalance_xm408-8c_firmware, cpe:/o:siemens:scalance_xp216eec_firmware, cpe:/o:siemens:simatic_cp_1543sp-1_firmware, cpe:/o:siemens:simatic_cp_1542sp-1_irc_firmware, cpe:/o:siemens:simatic_s7-1500_firmware:-, cpe:/o:siemens:simatic_drive_controller_cpu_1507d_tf_firmware:2.9.7

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/14/2023

Reference Information

CVE: CVE-2022-4304

CWE: 203, 326

ICSA: 23-075-04, 24-165-10, 24-165-11