Siemens has updates available to handle multiple vulnerabilities in its SIMATIC HMIs/WinCC products, according to a report with CISA.

The vulnerabilities include improper initialization, out-of-bounds read, heap-based buffer overflow, stack-based buffer overflow, access of memory location after end of buffer, and improper null termination.

The following Siemens SIMATIC HMIs/WinCC products suffer from the vulnerabilities:

  • SIMATIC HMI Comfort Outdoor Panels 7" and 15" (incl. SIPLUS variants): All versions prior to v16 Update 4
  • SIMATIC HMI Comfort Panels 4" to 22" (incl. SIPLUS variants): All versions prior to v16 Update 4
  • SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, and KTP900F: All versions prior to v16 Update 4
  • SIMATIC WinCC Runtime Advanced: All versions prior to v16 Update 4

Successful exploitation of these remotely exploitable vulnerabilities, which Siemens self-reported, could allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.


In one issue, UltraVNC revision 1198 contains multiple memory leaks in VNC client code, which could allow an attacker to read stack memory and allow for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

CVE-2019-8259 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, UltraVNC revision 1199 has an out-of-bounds read vulnerability in VNC client RRE decoder code caused by multiplication overflow.

CVE-2019-8260 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, UltraVNC revision 1199 has an out-of-bounds read vulnerability in VNC code inside client CoRRE decoder caused by multiplication overflow.

CVE-2019-8261 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
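The RRE and CoRRE decoder issues above share one root cause: a rectangle size computed as width times height (times bytes per pixel) wraps around in a fixed-width integer, so a size check passes and the decoder reads past its buffer. The following is an added illustration, not UltraVNC code; the rectangle fields, the 4-byte pixel format and the framebuffer bounds are assumptions. It shows the wrapping check beside an overflow-checked form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPP 4u /* bytes per pixel, assumed for the example */

/* Wrapping pattern: w*h*BPP is computed in 32 bits, so a large
 * rectangle wraps to a small value, passes the check, and the
 * decoder later reads beyond buflen (out-of-bounds read). */
bool rect_fits_unchecked(uint32_t w, uint32_t h, size_t buflen) {
    uint32_t need = (uint32_t)(w * h) * BPP; /* wraps for large w,h */
    return need <= buflen;
}

/* Hardened pattern: reject empty rectangles, clamp the rectangle to
 * the framebuffer, and check every multiplication for overflow
 * before trusting the product against the available bytes. */
bool rect_fits_checked(uint32_t x, uint32_t y, uint32_t w, uint32_t h,
                       uint32_t fb_w, uint32_t fb_h, size_t buflen) {
    if (w == 0 || h == 0) return false;
    if (x > fb_w || y > fb_h) return false;
    if (w > fb_w - x || h > fb_h - y) return false;
    size_t pixels, need;
    if (__builtin_mul_overflow((size_t)w, (size_t)h, &pixels)) return false;
    if (__builtin_mul_overflow(pixels, (size_t)BPP, &need)) return false;
    return need <= buflen;
}

int main(void) {
    /* Constructed input: a 65536x65536 rectangle against a 1 KiB buffer. */
    printf("unchecked accepts: %d\n", rect_fits_unchecked(0x10000, 0x10000, 1024));
    printf("checked accepts:   %d\n",
           rect_fits_checked(0, 0, 0x10000, 0x10000, 1920, 1080, 1024));
    return 0;
}
```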

In another issue, UltraVNC revision 1203 has multiple heap buffer overflow vulnerabilities in VNC client code inside Ultra decoder, which could result in code execution.

CVE-2019-8262 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, UltraVNC revision 1205 has a stack-based buffer overflow vulnerability in VNC client code inside ShowConnInfo routine, which could lead to a denial-of-service condition.

CVE-2019-8263 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Also, UltraVNC revision 1203 has an out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which could result in code execution.

CVE-2019-8264 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In another issue, UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of SETPIXELS macro in VNC client code, which could result in code execution.

CVE-2019-8265 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which could result in out-of-bounds data being accessed by remote users.

CVE-2019-8275 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 9.8.

Also, UltraVNC revision 1211 contains multiple memory leaks in VNC server code, which could allow an attacker to read stack memory and be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

CVE-2019-8277 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In another issue, UltraVNC revision 1203 has an out-of-bounds access vulnerability in VNC client inside RAW decoder, which could result in code execution.

CVE-2019-8280 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The products see use in multiple industry sectors worldwide.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Siemens recommends applying updates where available.

Siemens also identified the following specific workaround and mitigation users can apply to reduce the risk: restrict access to Port 5900/TCP to trusted IP addresses only.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens operational guidelines for industrial security and following the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-940818.

ISSSource
