Full Report
Siemens BFCClient contains multiple vulnerabilities in the integrated OpenSSL component that could allow an attacker to read memory contents, to change the application behaviour or to create a denial of service condition. Siemens has released a new version of BFCClient and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple OpenSSL Vulnerabilities in Siemens BFCClient
## CVE Details
- **CVE ID:** CVE-2021-3711, CVE-2021-3712, CVE-2022-0778, CVE-2023-0286, CVE-2023-0464
- **CVSS Score:** 9.8 (Critical) - *Based on CVSS v3.1 for CVE-2021-3711*
- **CWE:**
  - CWE-120 (Buffer Overflow)
  - CWE-843 (Type Confusion)
  - CWE-295 (Improper Certificate Validation)
## Affected Systems
- **Products:** Siemens BFCClient
- **Versions:** All versions < V2.17
- **Configurations:** Systems where BFCClient is used for secure communication; specifically impacts configurations where CRL (Certificate Revocation List) checking or policy constraints are enabled.
## Vulnerability Description
BFCClient integrates versions of OpenSSL that contain several security flaws:
1. **Heap Buffer Overflow (CVE-2021-3711):** A flaw in SM2 decryption allows an attacker to overflow a buffer by up to 62 bytes, potentially leading to remote code execution or crashes.
2. **Read Overruns (CVE-2021-3712):** Improper handling of ASN.1 strings (missing NUL termination) can lead to memory disclosure.
3. **Infinite Loop (CVE-2022-0778):** A flaw in parsing elliptic curve certificates can trigger an infinite loop, causing a Denial of Service (DoS).
4. **Type Confusion (CVE-2023-0286):** A confusion between X.400 addresses and ASN1_STRINGs during CRL checking allows arbitrary pointer comparisons, potentially leaking memory contents.
5. **Resource Exhaustion (CVE-2023-0464):** Verification of malicious X.509 certificate chains with policy constraints can result in exponential computational overhead (DoS).
## Exploitation
- **Status:** PoC available (OpenSSL vulnerabilities are well-documented and widely studied).
- **Complexity:** Low to High (Varies by CVE; CVE-2021-3711 is Low complexity).
- **Attack Vector:** Network (Most vulnerabilities can be triggered via malicious certificates or encrypted data sent over the network).
## Impact
- **Confidentiality:** High (Memory contents can be read via CVE-2021-3712 and CVE-2023-0286).
- **Integrity:** High (Application behavior can be altered via buffer overflows).
- **Availability:** High (Denial of Service via infinite loops or resource exhaustion).
## Remediation
### Patches
- **Update to BFCClient V2.17 or later.** Users should contact Siemens customer support to obtain the latest update.
### Workarounds
- **For CVE-2023-0286:** Disable CRL (Certificate Revocation List) checking within the application if possible.
- **General Security:** Follow Siemens' operational guidelines for Industrial Security to protect network access to devices.
## Detection
- **Indicators of Compromise:** Unusual application crashes (DoS) or unexpected network traffic patterns involving SM2 or X.509 certificate exchanges.
- **Detection methods and tools:** Use vulnerability scanners to identify outdated OpenSSL libraries within the BFCClient installation directory. Monitor for exploitation attempts targeting the identified CVEs using Intrusion Detection Systems (IDS).
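The "identify outdated OpenSSL libraries" step above, as an added example that is not Siemens' or OpenSSL's own tooling: it reads the files under an installation directory for the version banner that OpenSSL libraries embed and maps each version found to the advisory's CVEs. The fixed-in versions in `FIXED_IN` are taken from the OpenSSL project's advisories and are an assumption here, since this page does not list them; the `SAMPLE` bytes are constructed.

```python
import re
from pathlib import Path

# Fix versions taken from the OpenSSL project's advisories (assumption: the page
# itself does not list them). Only the 1.1.1 and 3.0 branches are modelled.
FIXED_IN = {
    "CVE-2021-3711": {"1.1.1": "1.1.1l", "3.0": "3.0.0"},
    "CVE-2021-3712": {"1.1.1": "1.1.1l", "3.0": "3.0.0"},
    "CVE-2022-0778": {"1.1.1": "1.1.1n", "3.0": "3.0.2"},
    "CVE-2023-0286": {"1.1.1": "1.1.1t", "3.0": "3.0.8"},
    "CVE-2023-0464": {"1.1.1": "1.1.1u", "3.0": "3.0.9"},
}
# Version banner that libcrypto/libssl embed, e.g. "OpenSSL 1.1.1k  25 Mar 2021".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")

def parse_version(v):
    """'1.1.1k' -> (1, 1, 1, 'k'); a letter suffix sorts after no suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def cves_for_version(v):
    """Advisory CVEs still unfixed in version v; None if the branch is not modelled."""
    branch = "1.1.1" if v.startswith("1.1.1") else "3.0" if v.startswith("3.0.") else None
    if branch is None:
        return None  # 1.0.2, 3.1+ etc.: review manually against the OpenSSL advisories
    ver = parse_version(v)
    return [cve for cve, fix in sorted(FIXED_IN.items()) if ver < parse_version(fix[branch])]

def scan_blob(data):
    """Distinct OpenSSL version strings found in a file's raw bytes."""
    return sorted({m.group(1).decode() for m in BANNER.finditer(data)})

def scan_dir(root):
    """Map each file under root that carries an OpenSSL banner to {version: cves}."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            versions = scan_blob(path.read_bytes())
            if versions:
                findings[str(path)] = {v: cves_for_version(v) for v in versions}
    return findings

# Constructed sample standing in for the bytes of a bundled libcrypto.
SAMPLE = b"\x7fELF\x00junk\x00OpenSSL 1.1.1k  25 Mar 2021\x00more"
```

A `None` result marks a branch the table does not cover (such as 1.0.2) and should be reviewed by hand. A banner check only establishes the library version; it cannot tell whether a given code path (SM2 decryption, CRL checking) is actually reachable in the deployed configuration.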
## References
- **Siemens Security Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-028723.html
- **Siemens Industrial Security:** hxxps://www.siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security