Siemens Security Shockwave: How to Shield Your RUGGEDCOM APE1808 from Cyber Threats

In a world where “heap-based buffer overflow” is less a tech term and more a hot new dance move, Siemens waves goodbye to updates on RUGGEDCOM APE1808’s vulnerabilities. For fresh intel, it’s Siemens ProductCERT or bust! Keep your cyber socks on; these bugs could let hackers cha-cha into your system.

Hot Take:

It seems like Siemens is opting for the “out with the old, in with the new” strategy when it comes to their cybersecurity advisories. They’re handing over the reins to their own ProductCERT Security Advisories for the latest gossip on vulnerabilities. CISA, on the other hand, is like the wise elder reminding us to keep our digital doors locked and maybe not plaster our IP addresses on the internet’s equivalent of a highway billboard.

Key Points:

  • Siemens is stepping back from updating ICS security advisories after the first alert—Siemens ProductCERT is your new go-to for vulnerability chit-chat.
  • The RUGGEDCOM APE1808 is like Swiss cheese with vulnerabilities ranging from buffer overflows to improper privilege management—yum!
  • Exploiting these vulnerabilities could give attackers a golden ticket to do pretty much anything they want, from crashing the party (denial-of-service) to executing their own code.
  • Siemens has some band-aids and bubble gum fixes, which include contacting customer support for patches and disabling certain features.
  • CISA’s playing the role of the cautious parent, advising everyone to minimize network exposure and use VPNs, but with the caveat they’re not the digital panacea we wish they were.

CVE ID: CVE-2023-38545
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 10/18/2023
CVE description: This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass the host name along to the SOCKS5 proxy so that the proxy resolves the address instead of curl doing it itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and passes on only the resolved address. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too-long host name to the target buffer instead of just the resolved address. The target buffer is a heap-based buffer, and the host name comes from the URL that curl has been told to operate on.
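The 255-byte rule in that description is easier to reason about as code. What follows is an added example, not curl's own source: a small SOCKS5 CONNECT request builder that makes the "resolve locally or hand the name to the proxy" decision at the point where the bytes are written, and bounds-checks the copy regardless, so a too-long name can never land in the name slot. The function names, the constructed 192.0.2.10 address and the runs of `a` used as test names are this example's own inventions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 (RFC 1928) address types used in a CONNECT request. */
#define SOCKS5_ATYP_IPV4   0x01
#define SOCKS5_ATYP_DOMAIN 0x03

/* A SOCKS5 domain name is prefixed with a single length byte, so 255 is the
   hard cap the CVE description refers to. */
#define SOCKS5_MAX_HOSTLEN 255

/* Largest CONNECT request: VER CMD RSV ATYP + len byte + 255 name bytes + 2 port bytes. */
#define SOCKS5_MAX_REQ (4 + 1 + SOCKS5_MAX_HOSTLEN + 2)

/* The decision the CVE text describes: the proxy can only be asked to resolve
   the name when the name fits in 255 bytes; otherwise resolve locally. */
int socks5_resolve_locally(const char *host, int want_remote_resolve)
{
    return !want_remote_resolve || strlen(host) > SOCKS5_MAX_HOSTLEN;
}

/* Build a SOCKS5 CONNECT request into out[0..outlen). ipv4 is the locally
   resolved address, used whenever the name is not sent to the proxy.
   Returns the request length, or -1 if the request would not fit. The
   decision is recomputed here from the current host name rather than carried
   in from an earlier handshake state, and the copy is bounds-checked anyway. */
int socks5_build_connect(const char *host, const unsigned char ipv4[4],
                         uint16_t port, int want_remote_resolve,
                         unsigned char *out, size_t outlen)
{
    size_t hostlen = strlen(host);
    size_t n = 0;

    if (outlen < 4)
        return -1;
    out[n++] = 0x05; /* VER */
    out[n++] = 0x01; /* CMD = CONNECT */
    out[n++] = 0x00; /* RSV */

    if (socks5_resolve_locally(host, want_remote_resolve)) {
        if (outlen < n + 1 + 4 + 2)
            return -1;
        out[n++] = SOCKS5_ATYP_IPV4;
        memcpy(out + n, ipv4, 4);
        n += 4;
    } else {
        /* Belt and braces: even if the decision above were wrong, a name
           longer than 255 bytes is refused before any byte is copied. */
        if (hostlen > SOCKS5_MAX_HOSTLEN || outlen < n + 1 + hostlen + 2)
            return -1;
        out[n++] = SOCKS5_ATYP_DOMAIN;
        out[n++] = (unsigned char)hostlen;
        memcpy(out + n, host, hostlen);
        n += hostlen;
    }
    out[n++] = (unsigned char)(port >> 8);
    out[n++] = (unsigned char)(port & 0xff);
    return (int)n;
}

/* Helper: build a request for a constructed name of name_len 'a's and report
   the ATYP byte that was actually sent, or -1 if the build was refused. */
int socks5_atyp_for_namelen(size_t name_len, int want_remote_resolve)
{
    char name[1024];
    unsigned char out[SOCKS5_MAX_REQ];
    const unsigned char ipv4[4] = {192, 0, 2, 10}; /* constructed, RFC 5737 test range */

    if (name_len >= sizeof name)
        return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    if (socks5_build_connect(name, ipv4, 443, want_remote_resolve, out, sizeof out) < 0)
        return -1;
    return out[3];
}

int main(void)
{
    size_t lens[] = {11, 255, 256, 600};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name of %zu bytes -> ATYP 0x%02x\n", lens[i],
               socks5_atyp_for_namelen(lens[i], 1));
    return 0;
}
```

The two-layer shape is the point: the policy check (`socks5_resolve_locally`) decides which form to send, and the copy itself still refuses anything over 255 bytes, so a stale flag from an interrupted handshake cannot turn into an overflow.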

CVE ID: CVE-2024-23113
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 02/15/2024
CVE description: A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows an attacker to execute unauthorized code or commands via specially crafted packets.

CVE ID: CVE-2023-38546
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 10/18/2023
CVE description: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl, and if it uses the correct cookie file format, of course.

CVE ID: CVE-2024-21762
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 02/09/2024
CVE description: An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

CVE ID: CVE-2023-44487
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 12/02/2023
CVE description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
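The description above gives the detectable signature: a client that opens streams and cancels them at a rate no human-driven client would. The following is an added example, not part of the advisory or any vendor's product: a small tracker that reads constructed frame-log lines of the form `conn=<id> t=<ms> frame=<TYPE>`, counts `RST_STREAM` frames per connection in a fixed window, and flags a connection the first time it crosses a threshold. The log format, the 1000 ms window, the threshold of 100 and the connection numbers are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Tuning values; both are assumptions for this example, not figures from the advisory. */
#define WINDOW_MS     1000  /* length of the counting window per connection */
#define RST_THRESHOLD 100   /* RST_STREAM frames per window before a connection is flagged */
#define MAX_CONNS     64

struct conn_stat {
    int  id;
    long win_start;   /* -1 until the first RST_STREAM is seen */
    int  rst_in_win;
    int  flagged;
};

struct rst_tracker {
    struct conn_stat conns[MAX_CONNS];
    int nconns;
};

void rst_tracker_init(struct rst_tracker *t) { t->nconns = 0; }

static struct conn_stat *find_or_add(struct rst_tracker *t, int id)
{
    for (int i = 0; i < t->nconns; i++)
        if (t->conns[i].id == id)
            return &t->conns[i];
    if (t->nconns == MAX_CONNS)
        return NULL;
    struct conn_stat *c = &t->conns[t->nconns++];
    c->id = id; c->win_start = -1; c->rst_in_win = 0; c->flagged = 0;
    return c;
}

/* Feed one frame-log line of the constructed form "conn=<id> t=<ms> frame=<TYPE>".
   Returns 1 the first time a connection crosses the threshold, 0 otherwise
   (including for lines that do not parse or are not RST_STREAM frames). */
int rst_tracker_feed(struct rst_tracker *t, const char *line)
{
    int id; long ms; char frame[32];

    if (sscanf(line, "conn=%d t=%ld frame=%31s", &id, &ms, frame) != 3)
        return 0;
    if (strcmp(frame, "RST_STREAM") != 0)
        return 0;

    struct conn_stat *c = find_or_add(t, id);
    if (!c)
        return 0;
    /* Start a fresh window when none is open or the current one has expired. */
    if (c->win_start < 0 || ms - c->win_start >= WINDOW_MS) {
        c->win_start = ms;
        c->rst_in_win = 0;
    }
    c->rst_in_win++;
    if (c->rst_in_win > RST_THRESHOLD && !c->flagged) {
        c->flagged = 1;
        return 1;
    }
    return 0;
}

/* Generate `count` HEADERS+RST_STREAM pairs for one connection, `step_ms`
   apart (a client opening and immediately cancelling a stream), and return
   how many of those lines raised a flag. Constructed traffic, not a capture. */
int rst_flags_for_pattern(int conn, int count, long step_ms)
{
    struct rst_tracker t;
    char line[64];
    int flags = 0;

    rst_tracker_init(&t);
    for (int i = 0; i < count; i++) {
        snprintf(line, sizeof line, "conn=%d t=%ld frame=HEADERS", conn, i * step_ms);
        flags += rst_tracker_feed(&t, line);
        snprintf(line, sizeof line, "conn=%d t=%ld frame=RST_STREAM", conn, i * step_ms);
        flags += rst_tracker_feed(&t, line);
    }
    return flags;
}

int main(void)
{
    printf("burst of 150 resets, 2 ms apart: %d connection(s) flagged\n",
           rst_flags_for_pattern(7, 150, 2));
    printf("5 resets, 2 s apart:             %d connection(s) flagged\n",
           rst_flags_for_pattern(8, 5, 2000));
    return 0;
}
```

A fixed window is deliberately simple; a production detector would use a sliding window or token bucket and feed the flag into a per-client rate limit or connection close, which is what the server-side mitigations for this issue do.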

CVE ID: CVE-2023-44250
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 01/10/2024
CVE description: An improper privilege management vulnerability [CWE-269] in a Fortinet FortiOS HA cluster version 7.4.0 through 7.4.1 and 7.2.5 and in a FortiProxy HA cluster version 7.4.0 through 7.4.1 allows an authenticated attacker to perform elevated actions via crafted HTTP or HTTPS requests.

CVE ID: CVE-2023-47537
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 02/15/2024
CVE description: An improper certificate validation vulnerability in Fortinet FortiOS 7.0.0 - 7.0.13, 7.2.0 - 7.2.6 and 7.4.0 - 7.4.1 allows a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the FortiLink communication channel between the FortiOS device and FortiSwitch.

Need to know more?

Buffer Overflows and Cookie Monsters

Imagine you're trying to stuff a giant marshmallow into a tiny cup of hot chocolate. That's kind of what's happening with the heap-based buffer overflow in the Curl package. It's trying to fit a novel-sized hostname into a tweet-sized buffer. And if you thought cookies were just for snacking, think again. There's a vulnerability that could let attackers slip cookies into your code, like a sneaky kid slipping broccoli to the dog under the dinner table.

Privilege Party Crashers and Energy Vampires

There's also a vulnerability that's like giving a nosy neighbor a key to your house and finding them hosting a Tupperware party in your living room. It's called improper privilege management, and it's as bad as it sounds. Then there's the uncontrolled resource consumption issue, which is basically like a digital vampire sucking the life out of your server resources. Not ideal.

Man-in-the-Middle Mayhem and Out-of-Bounds Ouchies

Improper certificate validation is like trusting a fake ID at a bar—someone could intercept your communications and stir up trouble. And the out-of-bounds write vulnerability is like an artist deciding your white living room wall is the perfect canvas for their new spray paint masterpiece—without your permission, of course.

When Strings Attack

Lastly, the use of externally-controlled format string vulnerability is like someone rewriting your autocorrect to turn all your texts into Shakespearean insults. It's not just annoying; it could let attackers run arbitrary code or commands. In digital terms, that's a standing ovation-worthy performance of mischief.
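The fix for this whole class (the CVE-2024-23113 description above and this section) is the same two lines every C reviewer looks for: the format string is a constant, and untrusted text only ever travels through `%s`. The block below is an added example, not code from Fortinet or from the advisory; the function names and the `%x %x` probe string are this example's own, and the probe is there only to show that the hardened path prints it literally.

```c
#include <stdio.h>
#include <string.h>

/* Hardened logging: the format string is a compile-time constant and the
   untrusted text is passed only as a %s argument, so any '%' it contains is
   printed literally rather than interpreted as a conversion. Writes into
   out (size outlen) and returns the length snprintf would have produced. */
int log_untrusted(char *out, size_t outlen, const char *who, const char *msg)
{
    return snprintf(out, outlen, "[%s] %s", who, msg);
}

/* The pattern to avoid, shown only for contrast and never compiled here:
 *     snprintf(out, outlen, msg);   // msg is attacker-controlled, so every
 *                                   // '%' sequence in it is interpreted
 */

/* Review heuristic: count conversion specifiers in a string. Run this over
   data that is about to be used as a format (in a test harness or a review
   script) to catch untrusted input being misread as a format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign, not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the untrusted text reached the log output unchanged, which is
   what the hardened path guarantees; 0 if it was altered or truncated. */
int untrusted_text_kept_literal(const char *msg)
{
    char out[256];
    log_untrusted(out, sizeof out, "client", msg);
    return strstr(out, msg) != NULL;
}

int main(void)
{
    const char *probe = "%x %x";   /* constructed: what a hostile input looks like */
    char out[256];

    log_untrusted(out, sizeof out, "client", probe);
    printf("logged: %s\n", out);
    printf("conversions in probe: %d\n", count_conversions(probe));
    return 0;
}
```

Compiling with GCC or Clang's `-Wformat -Wformat-security` turns the bad pattern into a warning whenever the format argument is not a string literal, which is the cheapest check to add to a build.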

Siemens' Patchwork and CISA's Cautionary Tales

Siemens suggests reaching out to their customer support for patches, while also providing some DIY tips like disabling SSL VPN and fgfm access. It's like patching up a leaky boat with whatever you've got on hand. Meanwhile, CISA is doubling down on defense. They're all about minimizing network exposure, isolating systems, and using VPNs (though they remind us a VPN is only as secure as its latest update). It's the cybersecurity equivalent of "trust no one, always wear sunscreen."

Remember, folks, in the world of cybersecurity, staying informed is like having an umbrella in a rainstorm—it won't stop the rain, but it'll keep you from getting soaked.

Tags: critical infrastructure security, CVSS Scoring, industrial control systems, Remote Access Protection, Siemens RUGGEDCOM APE1808, Siemens Security Advisory, vulnerability management