Siemens SIMATIC S7-1500 Improper Check for Unusual or Exceptional Conditions (CVE-2023-5678)

2024-04-2200:00:00

www.tenable.com

siemens simatic s7-1500

cve-2023-5678

dh key

denial-of-service

openssl

tenable.ot

fips

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.8%

JSON

Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source, this may lead to a denial-of-service condition. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a denial-of-service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. Also vulnerable are the OpenSSL pkey command line application when using the ‘-pubcheck’ option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(502219);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id("CVE-2023-5678");

  script_name(english:"Siemens SIMATIC S7-1500 Improper Check for Unusual or Exceptional Conditions (CVE-2023-5678)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. 
Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check 
an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being 
checked have been obtained from an untrusted source, this may lead to a denial-of-service condition. 
An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained 
from an untrusted source could be vulnerable to a denial-of-service attack. DH_generate_key() and 
DH_check_pub_key() are also called by a number of other OpenSSL functions. Also vulnerable are the OpenSSL pkey 
command line application when using the '-pubcheck' option, as well as the OpenSSL genpkey command line application. 
The OpenSSL SSL/TLS implementation is not affected by this issue. 
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-102-01");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-794697.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssb-439005.html");
  script_set_attribute(attribute:"solution", value:
"Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: 

- Only build and run applications from trusted sources 

Product-specific remediations or mitigations can be found in the section 'Affected Products and Solution' of 
the vendor advisory. 

For more information, see the associated Siemens security advisory in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-5678");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_tm_mfp" :
        {"family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware" :
        {"versionStartIncluding" : "3.0", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4AX00-1AB0","6ES7518-4AX00-1AC0","6AG1518-4AX00-4AC0"]},
    "cpe:/o:siemens:cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware" :
        {"versionStartIncluding" : "3.0", "versionEndIncluding" : "3.1", "family" : "S71500", "orderNumbers" : ["6ES7518-4FX00-1AB0","6ES7518-4FX00-1AC0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
siemenssimatic_s7-1500_tm_mfpcpe:/o:siemens:simatic_s7-1500_tm_mfp
siemenssimatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware
siemenssimatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware

Vendor	Product	CPE
siemens	simatic_s7-1500_tm_mfp	cpe:/o:siemens:simatic_s7-1500_tm_mfp
siemens	simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware	cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware
siemens	simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware	cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware