CERT-In Vulnerability Note
CIVN-2018-0217
Multiple Vulnerabilities in Siemens SINUMERIK Controllers
Original Issue Date: December 19, 2018
Severity Rating: HIGH
Software Affected
- SINUMERIK 808D v4.7 all versions,
- SINUMERIK 808D v4.8 all versions,
- SINUMERIK 828D v4.7 all versions prior to v4.7 SP6 HF1,
- SINUMERIK 840D sl v4.7 all versions prior to v4.7 SP6 HF5, and
- SINUMERIK 840D sl v4.8 all versions prior to v4.8 SP3
Overview
Multiple vulnerabilities exist in Siemens SINUMERIK Controllers. They fall into the following weakness classes: Heap-based Buffer Overflow; Integer Overflow or Wraparound; Protection Mechanism Failure; Permissions, Privileges, and Access Controls; Stack-based Buffer Overflow; and Uncaught Exception.
Description
1. Heap-Based Buffer Overflow (CVE-2018-11457)
A remote attacker can exploit this vulnerability by sending specially crafted network requests to Port 4842/TCP of the integrated web server. It is only exploitable if Port 4842/TCP is manually opened in the firewall configuration of network Port X130. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with elevated privileges, which could lead to system compromise.
2. Integer Overflow or Wraparound (CVE-2018-11458)
This vulnerability exists due to an integer overflow when handling malicious input. A remote attacker could exploit this vulnerability by sending specially crafted network requests to Port 5900/TCP of the integrated VNC server. It is only exploitable if Port 5900/TCP is manually opened in the firewall configuration of network Port X130. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with elevated privileges, which could lead to system compromise.
3. Protection Mechanism Failure (CVE-2018-11459)
This vulnerability exists due to a protection mechanism failure. A local attacker could exploit this vulnerability by modifying a user-writeable configuration file so that, after a reboot or manual initiation, the system reloads the modified configuration file. Successful exploitation of this vulnerability could allow the attacker to execute attacker-controlled code with elevated privileges, which could lead to system compromise.
4. Protection Mechanism Failure (CVE-2018-11460)
This vulnerability exists due to a protection mechanism failure. A local attacker with elevated user privileges (manufact) could exploit this vulnerability by modifying a CRAMFS archive so that, after a reboot, the system loads the modified CRAMFS file. Successful exploitation of this vulnerability could allow the attacker to execute attacker-controlled code with root privileges, which could lead to system compromise.
5. Permissions, Privileges, and Access Controls (CVE-2018-11461, CVE-2018-11462)
A local attacker could exploit this vulnerability by using the service command application for privilege escalation, and a remote attacker could exploit it by sending a specially crafted authentication request. Successful exploitation of this vulnerability could escalate privileges to an elevated user account, but not to root.
6. Stack-Based Buffer Overflow (CVE-2018-11463)
This vulnerability exists due to improper bounds checking by the service command application. A local attacker could exploit this vulnerability by sending a specially crafted request to overflow a buffer and execute arbitrary code on the system with elevated privileges, which could lead to system compromise.
7. Uncaught Exception (CVE-2018-11464)
This vulnerability exists in the integrated VNC server on Port 5900/TCP. It is only exploitable if Port 5900/TCP is manually opened in the firewall configuration of network Port X130. Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition of the VNC server.
8. Uncaught Exception (CVE-2018-11465)
A local attacker could exploit this vulnerability by using IOCTL calls to perform out-of-bounds reads, arbitrary writes, or execute code in kernel mode.
9. Uncaught Exception (CVE-2018-11466)
A remote attacker can exploit this vulnerability by sending specially crafted network packets to Port 102/TCP (ISO-TSAP). Successful exploitation of this vulnerability could allow a remote attacker to either cause a denial-of-service condition of the integrated software firewall or execute code in the context of the firewall.
Best Practices
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
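The practical questions for an operator reading this note are "is my controller's firmware in the affected range?" and "are any of the network ports named above reachable on the X130 interface?". The following script, added here as an illustration and not code from CERT-In or Siemens, answers both from the advisory's own data. It assumes SINUMERIK versions are reported as strings of the form "v4.7 SP6 HF1" (a missing SP or HF is treated as the base release), and it takes the list of open ports as an input you supply from your own scan or firewall configuration rather than probing the device itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected-version table transcribed from CIVN-2018-0217.
# Key: (product, (major, minor)); value: first fixed version, or None when
# the advisory lists all versions of that line as affected.
AFFECTED: Dict[Tuple[str, Tuple[int, int]], Optional[str]] = {
    ("SINUMERIK 808D", (4, 7)): None,
    ("SINUMERIK 808D", (4, 8)): None,
    ("SINUMERIK 828D", (4, 7)): "v4.7 SP6 HF1",
    ("SINUMERIK 840D sl", (4, 7)): "v4.7 SP6 HF5",
    ("SINUMERIK 840D sl", (4, 8)): "v4.8 SP3",
}

# Network ports named in the advisory and the issues reachable through them.
# Port 4842 and 5900 are only exposed if manually opened on network Port X130.
ADVISORY_PORTS: Dict[int, str] = {
    4842: "integrated web server (CVE-2018-11457)",
    5900: "integrated VNC server (CVE-2018-11458, CVE-2018-11464)",
    102: "ISO-TSAP / software firewall (CVE-2018-11466)",
}

# Assumed version format: "v<major>.<minor>[ SP<n>][ HF<n>]", case-insensitive.
VERSION_RE = re.compile(r"^v(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'v4.7 SP6 HF1' into a comparable (major, minor, sp, hf) tuple.

    Tuples compare lexicographically, so a base release (sp=0, hf=0) sorts
    before any service pack, and SP6 sorts before SP6 HF1.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SINUMERIK version string: {text!r}")
    major, minor, sp, hf = m.groups()
    return (int(major), int(minor), int(sp or 0), int(hf or 0))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is in the affected range, False if it is at or past
    the fixed version, None if the product/line is not listed in the advisory."""
    parsed = parse_version(version)
    key = (product, parsed[:2])
    if key not in AFFECTED:
        return None
    fixed = AFFECTED[key]
    if fixed is None:
        return True  # every version of this line is affected
    return parsed < parse_version(fixed)


def exposed_ports(open_ports: List[int]) -> List[int]:
    """Return, in ascending order, the advisory-relevant ports present in a
    list of ports observed open on the controller's X130 interface."""
    return sorted(p for p in set(open_ports) if p in ADVISORY_PORTS)


def assess(product: str, version: str, open_ports: List[int]) -> List[str]:
    """Produce human-readable findings for one controller."""
    findings = []
    affected = is_affected(product, version)
    if affected is None:
        findings.append(f"{product} {version}: not covered by CIVN-2018-0217")
    elif affected:
        fixed = AFFECTED[(product, parse_version(version)[:2])]
        target = fixed if fixed else "a vendor-supplied fix (see SSA-170881)"
        findings.append(f"{product} {version}: AFFECTED, update to {target}")
    else:
        findings.append(f"{product} {version}: at or past fixed version")
    for port in exposed_ports(open_ports):
        findings.append(f"port {port}/TCP open on X130: {ADVISORY_PORTS[port]}")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: (product, reported version, ports seen open on X130).
    inventory = [
        ("SINUMERIK 828D", "v4.7 SP5", [22, 4842]),
        ("SINUMERIK 840D sl", "v4.8 SP3", [102]),
        ("SINUMERIK 808D", "v4.8 SP2 HF3", []),
    ]
    for product, version, ports in inventory:
        for line in assess(product, version, ports):
            print(line)
```

Because the comparison is a plain tuple comparison, the same table can be extended with further product lines from the vendor advisory without changing the logic; the only assumption that matters is that "SP" and "HF" numbers increase monotonically within a major.minor line.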
Solution
Apply the updates as mentioned in the vendor advisory SSA-170881.
Vendor Information
Siemens
https://cert-portal.siemens.com/productcert/txt/ssa-170881.txt
References
Siemens
https://cert-portal.siemens.com/productcert/txt/ssa-170881.txt
ICS-CERT
https://ics-cert.us-cert.gov/advisories/ICSA-18-345-02
CVE Name
CVE-2018-11457
CVE-2018-11458
CVE-2018-11459
CVE-2018-11460
CVE-2018-11461
CVE-2018-11462
CVE-2018-11463
CVE-2018-11464
CVE-2018-11465
CVE-2018-11466
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India