Siemens SIMATIC S7-1500 and S7-1200 Use After Free (CVE-2021-22901)

High | Tenable OT Security Plugin ID 503086

Synopsis

The remote OT asset is affected by a vulnerability.

Description

curl 7.75.0 through 7.76.1 contains a use-after-free: already freed memory is used when a TLS 1.3 session ticket arrives over a connection. A malicious server can, in rare circumstances, exploit this to potentially achieve remote code execution in the client.

When libcurl sets up TLS 1.3 session-ticket support on a connection using OpenSSL, it stores a pointer to the transfer's in-memory object so that the ticket callback can retrieve it when a session ticket arrives. If the connection is shared by several transfers (a reused HTTP/1.1 connection or a multiplexed HTTP/2 connection), the first transfer object may be freed before the new session is established on that connection, and the callback then reads a buffer that may already have been freed. Because libcurl may call a function pointer stored in that object, the flaw can lead to remote code execution if the server can get crafted content into the right place in the freed memory.
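The lifetime bug the description outlines, modelled as an added example in C. This is illustration code, not libcurl's source: the struct names, functions and the poisoned object pool are hypothetical. Transfer objects are handed out from a fixed pool and poisoned instead of being returned to the heap, so the stale-pointer access shows up as a return code rather than as undefined behaviour. The vulnerable pattern registers the first transfer as the ticket-callback argument and never updates it; the corrected pattern re-associates the argument whenever a transfer attaches to or detaches from the connection, which mirrors the approach taken upstream.

```c
/* Hypothetical model of the CVE-2021-22901 lifetime bug; not libcurl code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIVE_MAGIC   0x4C495645u   /* object is allocated */
#define POISON_MAGIC 0xDEADDEADu   /* object has been freed */
#define POOL_SIZE    4

struct transfer;
typedef int (*ticket_handler_t)(struct transfer *t, const char *ticket);

struct transfer {
    unsigned         magic;
    int              id;
    ticket_handler_t on_ticket;        /* function pointer the callback dereferences */
    char             last_ticket[32];
};

struct connection {
    struct transfer *current;          /* transfer currently driving the connection */
    struct transfer *ticket_cb_arg;    /* pointer the TLS layer hands back with a ticket */
    int              fixed;            /* 0: vulnerable pattern, 1: re-associate on attach/detach */
};

/* Bump allocator over a static pool: freed slots are never reused inside one
 * scenario, so a dangling pointer keeps pointing at poisoned memory. */
static struct transfer pool[POOL_SIZE];
static int pool_next;

static int store_ticket(struct transfer *t, const char *ticket)
{
    snprintf(t->last_ticket, sizeof t->last_ticket, "%s", ticket);
    return t->id;                      /* which transfer received the ticket */
}

static struct transfer *transfer_new(int id)
{
    if (pool_next >= POOL_SIZE)
        return NULL;
    struct transfer *t = &pool[pool_next++];
    t->magic = LIVE_MAGIC;
    t->id = id;
    t->on_ticket = store_ticket;
    t->last_ticket[0] = '\0';
    return t;
}

static void transfer_free(struct transfer *t)
{
    /* A real free() recycles the bytes; a server-controlled response body could
     * later land here.  We zero and poison instead so the access is detectable. */
    memset(t, 0, sizeof *t);
    t->magic = POISON_MAGIC;
}

static void connection_attach(struct connection *c, struct transfer *t)
{
    c->current = t;
    /* vulnerable: only the first transfer is ever registered as callback argument */
    if (c->fixed || c->ticket_cb_arg == NULL)
        c->ticket_cb_arg = t;
}

static void connection_detach(struct connection *c)
{
    c->current = NULL;
    if (c->fixed)
        c->ticket_cb_arg = NULL;       /* no transfer, no callback target */
}

/* Invoked by the TLS layer when a NewSessionTicket arrives.  Returns the id of
 * the transfer that handled it, -2 if no transfer is attached, -1 if the stored
 * pointer refers to freed memory (the use-after-free with a real heap). */
static int session_ticket_cb(struct connection *c, const char *ticket)
{
    struct transfer *t = c->ticket_cb_arg;
    if (t == NULL)
        return -2;
    if (t->magic != LIVE_MAGIC)
        return -1;
    return t->on_ticket(t, ticket);    /* would call whatever the freed slot now holds */
}

/* Scenario from the advisory: first transfer finishes and is freed, the
 * connection is reused by a second transfer, then the ticket arrives. */
int run_scenario(int fixed)
{
    memset(pool, 0, sizeof pool);
    pool_next = 0;
    struct connection c = { NULL, NULL, fixed };

    struct transfer *t1 = transfer_new(1);
    connection_attach(&c, t1);
    connection_detach(&c);             /* request 1 completes before any ticket */
    transfer_free(t1);

    struct transfer *t2 = transfer_new(2);
    connection_attach(&c, t2);         /* keep-alive or HTTP/2 reuse */
    return session_ticket_cb(&c, "constructed-ticket");
}

int main(void)
{
    printf("vulnerable pattern: %d\n", run_scenario(0));   /* -1: stale pointer */
    printf("fixed pattern:      %d\n", run_scenario(1));   /*  2: current transfer */
    return 0;
}
```

Swapping the pool for `malloc`/`free` and building with `-fsanitize=address` turns the `-1` path into a heap-use-after-free report at the `t->on_ticket` dereference; with the corrected attach/detach logic the callback only ever reaches the transfer that is currently attached.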

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the Siemens ProductCERT advisories listed under See Also and apply the firmware versions they specify. libcurl is embedded in the device firmware and cannot be upgraded independently; upstream curl fixed this issue in 7.77.0.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf

https://cert-portal.siemens.com/productcert/html/ssa-398330.html

https://support.industry.siemens.com/cs/ww/en/view/109808678

https://support.industry.siemens.com/cs/ww/en/view/109811116/

https://support.industry.siemens.com/cs/ww/en/view/109812218

https://support.industry.siemens.com/cs/ww/en/view/109806100/

Plugin Details

Severity: High

ID: 503086

Version: 1.1

Type: remote

Family: Tenable.ot

Published: 3/13/2025

Updated: 3/13/2025

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:simatic_cp_1545-1_firmware:1.1, cpe:/o:siemens:siplus_s7-1200_cp_1243-1_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1243-1_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1243-7_lte_eu_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1242-7_v2_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1543-1_firmware:3.0.22, cpe:/o:siemens:siplus_net_cp_1242-7_v2_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1243-7_lte_us_firmware:3.3.46, cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.0, cpe:/o:siemens:siplus_net_cp_1543-1_firmware:3.0.22, cpe:/o:siemens:siplus_s7-1200_cp_1243-1_rail_firmware:3.3.46, cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.0, cpe:/o:siemens:simatic_cp_1243-8_irc_firmware:3.3.46

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 3/8/2022

Vulnerability Publication Date: 3/8/2022

Reference Information

CVE: CVE-2021-22901

CWE: 416

ICSA: 23-348-10