This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2018-16557.NASLSiemens S7-400 CPUs Improper Verification of Cryptographic Signature (CVE-2018-16557)
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
42.5%
A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and below (All versions), SIMATIC S7-400 PN/DP V7 (incl. F) (All versions), SIMATIC S7-400H V4.5 and below (All versions), SIMATIC S7-400H V6 (All versions < V6.0.9), SIMATIC S7-410 (All versions < V8.2.1). Sending of specially crafted packets to port 102/tcp via Ethernet interface via PROFIBUS or Multi Point Interfaces (MPI) could cause a Denial-of-Service condition on affected devices. Flashing with a firmware image may be required to recover the CPU. Successful exploitation requires an attacker to have network access to port 102/tcp via Ethernet interface or to be able to send messages via PROFIBUS or Multi Point Interfaces (MPI) to the device. No user interaction is required. If no access protection is configured, no privileges are required to exploit the security vulnerability. The vulnerability could allow causing a Denial-of-Service condition of the core functionality of the CPU, compromising the availability of the system. At the time of advisory publication no public exploitation of this security vulnerability was known.
This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(500227);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");
script_cve_id("CVE-2018-16557");
script_xref(name:"ICSA", value:"18-317-02");
script_name(english:"Siemens S7-400 CPUs Improper Verification of Cryptographic Signature (CVE-2018-16557)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and below (All versions), SIMATIC S7-400 PN/DP V7
(incl. F) (All versions), SIMATIC S7-400H V4.5 and below (All versions), SIMATIC S7-400H V6 (All versions < V6.0.9),
SIMATIC S7-410 (All versions < V8.2.1). Sending of specially crafted packets to port 102/tcp via Ethernet interface via
PROFIBUS or Multi Point Interfaces (MPI) could cause a Denial-of-Service condition on affected devices. Flashing with a
firmware image may be required to recover the CPU. Successful exploitation requires an attacker to have network access
to port 102/tcp via Ethernet interface or to be able to send messages via PROFIBUS or Multi Point Interfaces (MPI) to
the device. No user interaction is required. If no access protection is configured, no privileges are required to
exploit the security vulnerability. The vulnerability could allow causing a Denial-of-Service condition of the core
functionality of the CPU, compromising the availability of the system. At the time of advisory publication no public
exploitation of this security vulnerability was known.
This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-113131.pdf");
script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-18-317-02");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens recommends implementing the following mitigations:
- Configure protection Level 3 (read/write protection) to mitigate CVE-2018-16557
- Restrict network access to affected devices; restrict network access to Port 102/TCP for Ethernet interfaces.
- For SIMATIC S7-CPU 410 CPUs: Activate field interface security in PCS 7 v9.0, use a SIMATIC CP443-1 Adv. to
communicate with ES/OS, and update to Version 8.2.1:
https://support.industry.siemens.com/cs/ww/en/view/109476571
- For SIMATIC S7-400H V6: Update to Version 6.0.9
https://support.industry.siemens.com/cs/ww/en/view/109474550
- Apply defense-in-depth:
https://www.siemens.com/cert/operational-guidelines-industrial-security
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the
environment according to SiemensΓ’ΒΒ operational guidelines for industrial security (download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the
product manuals.
For more information on these vulnerabilities and associated software updates, please see Siemens security advisory
SSA-113131 on their website:
https://www.siemens.com/cert/advisories");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16557");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/13");
script_set_attribute(attribute:"patch_publication_date", value:"2018/12/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400h_v4.5_firmware:4.5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400h_v6_firmware:6.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v6_firmware:6.x");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v7_firmware");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v7_firmware" :
{"versionStartIncluding" : "v7.0", "versionEndExcluding" : "v7.0.3", "family" : "S7400"},
"cpe:/o:siemens:simatic_s7-400h_v6_firmware:6.0" :
{"versionStartIncluding" : "v6.0", "versionEndExcluding" : "6.0.9", "family" : "S7400"},
"cpe:/o:siemens:simatic_s7-400h_v4.5_firmware:4.5" :
{"versionStartIncluding" : "v4.5", "versionEndIncluding" : "4.5", "family" : "S7400"},
"cpe:/o:siemens:simatic_s7-400_pn%2fdp_v6_firmware:6.x" :
{"versionStartIncluding" : "v6.0", "versionEndIncluding" : "v6.x", "family" : "S7400"},
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
42.5%