nessus: TENABLE_OT_SIEMENS_CVE-2022-2097.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jul 23, 2024 - 12:00 a.m.

Siemens SIMATIC and SCALANCE Products Inadequate Encryption Strength (CVE-2022-2097)

www.tenable.com
Tags: siemens, encryption strength, aes ocb, 32-bit x86, data disclosure, openssl, tenable.ot, scanner

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.2
Confidence: High

EPSS: 0.004
Percentile: 72.8%

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of ‘in place’ encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(502322);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2022-2097");
  script_xref(name:"ICSA", value:"23-017-03");
  script_xref(name:"ICSA", value:"24-165-10");
  script_xref(name:"ICSA", value:"24-165-11");

  script_name(english:"Siemens SIMATIC and SCALANCE Products Inadequate Encryption Strength (CVE-2022-2097)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised 
implementation will not encrypt the entirety of the data under some circumstances. 
This could reveal sixteen bytes of data that was preexisting in the memory that 
wasn't written. In the special case of 'in place' encryption, sixteen bytes of 
the plaintext would be revealed. Since OpenSSL does not support OCB based cipher 
suites for TLS and DTLS, they are both unaffected.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-879734.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-625862.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-794697.html");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20230207.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-017-03");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-10");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-11");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens released V1.0 SP2 Update 1 for SINEC INS and recommends updating to the latest version.

Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:

- CVE-2022-45094: Disable the DHCP service of the affected product, if not required.
- CVE-2022-45093: Disable the SFTP service of the affected product, if not required.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens'
operational guidelines for industrial security and following the recommendations in the product manuals. Siemens has
published additional information on industrial security.

For further inquiries on security vulnerabilities in Siemens products, users should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-332410 in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-2097");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(326);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xm408-4c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xm408-8c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xm416-4c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr524-8c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr526-8c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr528-6m_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr552-12m_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1542sp-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1542sp-1_irc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1543sp-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
  "cpe:/o:siemens:simatic_s7-1500_firmware" :
      {"versionStartIncluding" : "3.1.0", "family" : "S71500", "orderNumbers" : ["6ES7518-4AX00-1AB0","6ES7518-4AX00-1AC0","6ES7518-4FX00-1AB0","6ES7518-4FX00-1AC0","6AG1518-4AX00-4AC0"]},
  "cpe:/o:siemens:scalance_xm408-4c_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX400", "orderNumbers": ["6GK5408-4GP00-2AM2", "6GK5408-4GQ00-2AM2"]},
  "cpe:/o:siemens:scalance_xm408-8c_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX400", "orderNumbers": ["6GK5408-8GS00-2AM2", "6GK5408-8GR00-2AM2"]},
  "cpe:/o:siemens:scalance_xm416-4c_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX400", "orderNumbers": ["6GK5416-4GS00-2AM2", "6GK5416-4GR00-2AM2"]},
  "cpe:/o:siemens:scalance_xr524-8c_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX500", "orderNumbers": ["6GK5524-8GS00-3AR2", "6GK5524-8GR00-3AR2", "6GK5524-8GS00-4AR2", "6GK5524-8GR00-4AR2", "6GK5524-8GS00-2AR2", "6GK5524-8GR00-2AR2"]},
  "cpe:/o:siemens:scalance_xr526-8c_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX500", "orderNumbers": ["6GK5526-8GS00-3AR2", "6GK5526-8GR00-3AR2", "6GK5526-8GR00-4AR2", "6GK5526-8GS00-4AR2", "6GK5526-8GS00-2AR2", "6GK5526-8GR00-2HR2"]},
  "cpe:/o:siemens:scalance_xr528-6m_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX500", "orderNumbers": ["6GK5528-0AA00-2HR2", "6GK5528-0AR00-2HR2", "6GK5528-0AA00-2AR2", "6GK5528-0AR00-2AR2"]},
  "cpe:/o:siemens:scalance_xr552-12m_firmware:-" :
      {"versionEndExcluding" : "6.6.1", "family" : "SCALANCEX500", "orderNumbers": ["6GK5552-0AA00-2HR2", "6GK5552-0AR00-2HR2", "6GK5552-0AR00-2AR2", "6GK5552-0AA00-2AR2"]},
  "cpe:/o:siemens:simatic_cp_1542sp-1_firmware" :
      {"versionEndExcluding" : "2.3", "family" : "S71500", "orderNumbers" : ["6GK7542-6UX00-0XE0"]},
  "cpe:/o:siemens:simatic_cp_1542sp-1_irc_firmware" :
      {"versionEndExcluding" : "2.3", "family" : "S71500", "orderNumbers" : ["6GK7542-6VX00-0XE0"]},
  "cpe:/o:siemens:simatic_cp_1543sp-1_firmware" :
      {"versionEndExcluding" : "2.3", "family" : "S71500", "orderNumbers" : ["6GK7543-6WX00-0XE0"]},
  "cpe:/o:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware" :
      {"versionEndExcluding" : "2.3", "family" : "S71500", "orderNumbers" : ["6AG2542-6VX00-4XE0"]},
  "cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_firmware" :
      {"versionEndExcluding" : "2.3", "family" : "ET200", "orderNumbers" : ["6AG1543-6WX00-7XE0"]},
  "cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware" :
      {"versionEndExcluding" : "2.3", "family" : "ET200", "orderNumbers" : ["6AG2543-6WX00-4XE0"]},
  "cpe:/o:siemens:simatic_s7-1500_tm_mfp" :
      {"versionEndExcluding" : "1.1", "family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
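
The version-range check the plugin delegates to `compare_and_report` is not shown on this page. The following Python sketch is an added example (not Tenable's code) for triaging your own inventory against a subset of the `vuln_cpes` table. The matching rules, the function names and the inventory rows are assumptions constructed for illustration; versions are compared numerically because a plain string comparison would sort "6.10.0" below "6.6.1".

```python
# Added example: triage inventory rows against a subset of the plugin's vuln_cpes table.
# Matching rules are an assumption; compare_and_report() internals are not on the page.
VULN_RANGES = {
    "6ES7518-4AX00-1AB0": {"versionStartIncluding": "3.1.0"},
    "6GK5408-4GP00-2AM2": {"versionEndExcluding": "6.6.1"},
    "6GK7542-6UX00-0XE0": {"versionEndExcluding": "2.3"},
    "6ES7558-1AA00-0AB0": {"versionEndExcluding": "1.1"},
}


def parse_version(text):
    """Turn 'V6.10.0' or '2.3' into a tuple of ints so 6.10 sorts above 6.6.1."""
    parts = text.strip().lstrip("Vv").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # treat 2.3.0 and 2.3 as equal
        nums.pop()
    return tuple(nums)


def is_affected(order_number, firmware):
    """Return True or False, or None when the version cannot be judged."""
    rule = VULN_RANGES.get(order_number.strip().upper())
    if rule is None:
        return False  # order number not in the table
    try:
        ver = parse_version(firmware)
    except ValueError:
        return None  # unknown version: route to manual review, do not assume safe
    start, end = rule.get("versionStartIncluding"), rule.get("versionEndExcluding")
    below = start is not None and ver < parse_version(start)
    at_or_above = end is not None and ver >= parse_version(end)
    return not (below or at_or_above)


# Constructed inventory rows (order number, reported firmware); not real assets.
INVENTORY = [
    ("6GK5408-4GP00-2AM2", "V6.5.0"),
    ("6GK5408-4GP00-2AM2", "V6.10.0"),
    ("6GK7542-6UX00-0XE0", "2.3.0"),
    ("6ES7518-4AX00-1AB0", "3.0.3"),
    ("6ES7518-4AX00-1AB0", "unknown"),
]

if __name__ == "__main__":
    for order, fw in INVENTORY:
        print(f"{order} {fw}: {is_affected(order, fw)}")
```

A `None` result means the firmware string could not be parsed; treat those assets as unverified rather than unaffected.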
