CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
5.1%
A vulnerability has been identified in SIMATIC CP 1604 (All versions), SIMATIC CP 1616 (All versions), SIMATIC CP 1623 (All versions), SIMATIC CP 1626 (All versions), SIMATIC CP 1628 (All versions). The kernel memory of affected devices is exposed to user-mode via direct memory access (DMA) which could allow a local attacker with administrative privileges to execute arbitrary code on the host system without any restrictions.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(502001);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/21");
script_cve_id("CVE-2023-37194");
script_name(english:"Siemens SIMATIC CP products Improper Access Control (CVE-2023-37194)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC CP 1604 (All versions),
SIMATIC CP 1616 (All versions), SIMATIC CP 1623 (All versions),
SIMATIC CP 1626 (All versions), SIMATIC CP 1628 (All versions). The
kernel memory of affected devices is exposed to user-mode via direct
memory access (DMA) which could allow a local attacker with
administrative privileges to execute arbitrary code on the host system
without any restrictions.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-784849.pdf");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-37194");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(284);
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/10");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/20");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1604_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1616_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1623_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1626_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_cp_1628_firmware:-");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:simatic_cp_1604_firmware:-" :
{"family" : "NETCP1600", "orderNumbers" : ["6GK1160-4AA01"]},
"cpe:/o:siemens:simatic_cp_1616_firmware:-" :
{"family" : "NETCP1600", "orderNumbers" : ["6GK1161-6AA02"]},
"cpe:/o:siemens:simatic_cp_1623_firmware:-" :
{"family" : "NETCP1600", "orderNumbers" : ["6GK1162-3AA00"]},
"cpe:/o:siemens:simatic_cp_1626_firmware:-" :
{"family" : "NETCP1600", "orderNumbers" : ["6GK1162-6AA01"]},
"cpe:/o:siemens:simatic_cp_1628_firmware:-" :
{"family" : "NETCP1600", "orderNumbers" : ["6GK1162-8AA00"]}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
5.1%