Siemens S7-400 CPUs Improper Input Validation (CVE-2018-16556)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500284);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2018-16556");
  script_xref(name:"ICSA", value:"18-317-02");

  script_name(english:"Siemens S7-400 CPUs Improper Input Validation (CVE-2018-16556)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and below (All versions), SIMATIC S7-400 PN/DP V7
(incl. F) (All versions), SIMATIC S7-400H V4.5 and below (All versions), SIMATIC S7-400H V6 (All versions < V6.0.9),
SIMATIC S7-410 (All versions < V8.2.1). Specially crafted packets sent to port 102/tcp via Ethernet interface, via
PROFIBUS, or via Multi Point Interfaces (MPI) could cause the affected devices to go into defect mode. Manual reboot is
required to resume normal operation. Successful exploitation requires an attacker to be able to send specially crafted
packets to port 102/tcp via Ethernet interface, via PROFIBUS or Multi Point Interfaces (MPI). No user interaction and no
user privileges are required to exploit the security vulnerability. The vulnerability could allow causing a Denial-of-
Service condition of the core functionality of the CPU, compromising the availability of the system. At the time of
advisory publication no public exploitation of this security vulnerability was known.  

This plugin only works with
Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-113131.pdf");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-18-317-02");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends implementing the following mitigations:

- Configure protection Level 3 (read/write protection) to mitigate CVE-2018-16557
- Restrict network access to affected devices; restrict network access to Port 102/TCP for Ethernet interfaces.
- For SIMATIC S7-CPU 410 CPUs: Activate field interface security in PCS 7 v9.0, use a SIMATIC CP443-1 Adv. to
communicate with ES/OS, and update to Version 8.2.1:

https://support.industry.siemens.com/cs/ww/en/view/109476571

- For SIMATIC S7-400H V6: Update to Version 6.0.9

https://support.industry.siemens.com/cs/ww/en/view/109474550

- Apply defense-in-depth:

https://www.siemens.com/cert/operational-guidelines-industrial-security

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the
environment according to Siemens’ operational guidelines for industrial security (download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the
product manuals.

For more information on these vulnerabilities and associated software updates, please see Siemens security advisory
SSA-113131 on their website:

https://www.siemens.com/cert/advisories");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16556");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400h_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400h_v6_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v6_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v7_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-400_pn%2fdp_v7_firmware" :
        {"versionStartIncluding" : "v7.0", "versionEndExcluding" : "v7.0.3", "family" : "S7400"},
    "cpe:/o:siemens:simatic_s7-400h_firmware" :
        {"versionEndIncluding" : "v4.5", "family" : "S7400"},
    "cpe:/o:siemens:simatic_s7-400h_v6_firmware" :
        {"versionStartIncluding" : "v6.0", "versionEndExcluding" : "v6.0.9", "family" : "S7400"},
    "cpe:/o:siemens:simatic_s7-400_pn%2fdp_v6_firmware" :
        {"versionStartIncluding" : "v6.0", "versionEndExcluding" : "v6.x", "family" : "S7400"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);