Siemens SIMATIC S7-1500 Alert: Defend Your Data from Cybersecurity Threats!

Siemens SIMATIC S7-1500 is playing ‘hard to exploit’ with a CVSS score of 7.8. Peekaboo, vulnerabilities, we see you! Patch up or face a cyber boo-boo.

Hot Take:

Oh Siemens, you had one job! Create impenetrable SIMATIC fortresses, not Swiss cheese! With a buffet of vulnerabilities from “Use After Free” to “Out-of-bounds Write,” it’s like you’re hosting a hacker housewarming party. And let’s not forget the CVEs popping up like whack-a-moles; it’s a cybersecurity arcade game where nobody wins but the moles. But fear not, for Siemens has a plan: “Only build and run applications from trusted sources.” Because, of course, nobody’s ever thought of that before…

Key Points:

  • Siemens SIMATIC S7-1500 is more vulnerable than an open diary on a teenager’s desk.
  • Attackers could turn your system into their own playground with heap-based buffer overflows and privilege escalations.
  • The vulnerabilities have more CVEs than a hypochondriac has symptoms – including classics like CVE-2023-5678 and CVE-2023-6931.
  • If you thought a secure VPN was your knight in shining armor, think again – it’s only as tough as the weakest link.
  • Siemens’ pro tip to avoid disaster: Use stuff from people you trust (insert facepalm here).

Title: Use-after-free in Linux kernel's netfilter: nf_tables component
Cve id: CVE-2023-6817
Cve state: PUBLISHED
Cve assigner short name: Google
Cve date updated: 12/18/2023
Cve description: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The function nft_pipapo_walk did not skip inactive elements during set walk, which could lead to double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free. We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.

Cve id: CVE-2023-45898
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 10/16/2023
Cve description: The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.

Title: Kernel: nvme: info leak due to out-of-bounds read in nvmet_ctrl_find_get
Cve id: CVE-2023-6121
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 01/23/2024
Cve description: An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).

Title: PKCS12 Decoding crashes
Cve id: CVE-2024-0727
Cve state: PUBLISHED
Cve assigner short name: openssl
Cve date updated: 01/26/2024
Cve description: Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs, then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this function is related to writing data, we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Title: Out-of-bounds write in Linux kernel's Performance Events system component
Cve id: CVE-2023-6931
Cve state: PUBLISHED
Cve assigner short name: Google
Cve date updated: 12/19/2023
Cve description: A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.

Title: Use-after-free in Linux kernel's ipv4: igmp component
Cve id: CVE-2023-6932
Cve state: PUBLISHED
Cve assigner short name: Google
Cve date updated: 12/19/2023
Cve description: A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer to be mistakenly registered on an RCU read-locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.

Title: Excessive time spent in DH check / generation with large Q parameter value
Cve id: CVE-2023-5678
Cve state: PUBLISHED
Cve assigner short name: openssl
Cve date updated: 11/07/2023
Cve description: Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the function DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source, this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable to excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
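
The gap this record describes (DH_check_pub_key() and DH_generate_key() not bounding q) can be narrowed on the caller's side by size-checking untrusted X9.42 DH parameters before they ever reach OpenSSL. The Python pre-check below is an added example, not OpenSSL's or Siemens' code; it assumes the X9.42 DomainParameters DER layout SEQUENCE { p, g, q INTEGER, ... }, a 10000-bit cap chosen to mirror OpenSSL's DH modulus limit, and it carries a small constructed DER encoder (der_params) only to build sample inputs.

```python
MAX_MODULUS_BITS = 10000   # assumed cap, mirroring OpenSSL's DH modulus limit

def _read_tlv(buf, pos):
    # One DER TLV at buf[pos] -> (tag, value, next_pos); short and long lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("bad length octets")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def check_x942_params(der, max_bits=MAX_MODULUS_BITS):
    # Assumes X9.42 DomainParameters = SEQUENCE { p, g, q INTEGER, ... }; None if OK, else reason.
    try:
        tag, body, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE")
        ints, pos = [], 0
        while pos < len(body) and len(ints) < 3:   # p, g, q; trailing fields ignored
            t, v, pos = _read_tlv(body, pos)
            if t != 0x02:
                raise ValueError("expected INTEGER")
            ints.append(int.from_bytes(v, "big", signed=True))
        p, g, q = ints                           # short list -> ValueError below
    except (ValueError, IndexError) as exc:
        return "malformed DER: %s" % exc
    if p <= 0 or q <= 0 or g <= 1:
        return "p and q must be positive and g must exceed 1"
    if p.bit_length() > max_bits:
        return "p is %d bits, cap is %d" % (p.bit_length(), max_bits)
    if q >= p:                   # an excessively large q is what the CVE describes
        return "q is %d bits, not smaller than p" % q.bit_length()
    return None

def _der_len(n):                 # constructed encoder: builds sample inputs only
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def der_int(n):                  # minimal DER INTEGER for a non-negative n
    nbytes = n.bit_length() // 8 + 1    # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(nbytes) + n.to_bytes(nbytes, "big")

def der_params(p, g, q):
    body = der_int(p) + der_int(g) + der_int(q)
    return b"\x30" + _der_len(len(body)) + body
```

Reject anything that returns a reason string before handing the bytes to DH_check_pub_key() or EVP_PKEY_public_check(); the encoder is for constructing test vectors, not for production use.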

Need to know more?

The Digital Jenga Tower: Siemens Edition

Welcome to the latest episode of "How Vulnerable Is Your Industrial Control System?" starring Siemens SIMATIC S7-1500. It's like watching someone play Jenga with network security – pull the wrong block, and the whole thing comes crashing down. And guess what? It's not just one block; it's a whole section of the tower. With vulnerabilities that sound like a recipe for disaster (heap-based buffer overflow, anyone?), it's clear that the 'build it and they will come' philosophy is alive and well – if "they" are hackers, that is.

Kernel Panic at the Disco

It's not just the SIMATIC systems getting down to the vulnerability groove. The Linux kernel is throwing its own party with privileges escalating faster than a rocket during liftoff. If you're using anything before kernel version 6.5.4, it might be time to consider an upgrade, unless you enjoy the thrill of living on the digital edge where use-after-free issues are as common as cat videos on the internet.

OpenSSL or OpenSesame?

Meanwhile, OpenSSL is serving up denial-of-service conditions like a bad waiter. Processing a PKCS12 file from the sketchy corners of the internet? Brace yourself for a potential crash landing. But don't worry, the OpenSSL genpkey command line application is only vulnerable if you use the "-pubcheck" option, so feel free to roll those dice if you're feeling lucky.

Pro Tips from the Pros

And now for some sage advice from Siemens: To avoid being digitally burgled, just use applications from trusted sources. It's groundbreaking, really. Next, they'll be telling us that to avoid getting wet in the rain, we should consider using an umbrella. CISA, on the other hand, is giving us the real talk — minimize exposure, isolate your systems, and maybe, just maybe, use a VPN (but keep it updated, folks).

Click Me If You Dare

Finally, in a shocking twist that no one saw coming, CISA recommends not clicking on links or opening attachments in unsolicited emails. It's the cybersecurity equivalent of "don't take candy from strangers," but apparently, we still need to be reminded. So there you have it, folks. Stay safe, stay suspicious, and maybe send a thank you card to Siemens for keeping the cybersecurity community on its toes.

Tags: CVE-2023-5678, Heap-based Buffer Overflow, Linux kernel vulnerabilities, OpenSSL vulnerability, privilege escalation, Siemens, SIMATIC S7-1500