Full Report
Siemens has released a new version of ST7 ScadaConnect and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Third-Party Component Flaws in ST7 ScadaConnect
## CVE Details
The advisory covers multiple CVEs stemming from vulnerabilities in third-party components used in the affected software. The advisory indicates a high overall base score of **8.2 (CVSS v3.1)** / **8.7 (CVSS v4.0)**.
Specific high-impact CVEs detailed in the advisory excerpt:
* **CVE-2023-44487 (HTTP/2 DoS):** CVSS v3.1: 7.5 (High). CWE: CWE-400 (Uncontrolled Resource Consumption).
* **CVE-2023-38180 (.NET DoS):** CVSS v3.1: 7.5 (High). CWE: CWE-20 (Improper Input Validation).
* **CVE-2023-38178 (Potential DoS):** CVSS v3.1: 7.5 (High). CVSS Vector indicates **A:H** (High Availability Impact).
* **CVE-2023-38171 (Potential DoS):** CVSS v3.1: 7.5 (High). CVSS Vector indicates **A:H** (High Availability Impact). *(Note: Several other listed CVEs also share this 7.5 score, indicating potential significant impact).*
## Affected Systems
- **Products:** ST7 ScadaConnect (Part Number: 6NH7997-5DA10-0AA0)
- **Versions:** All versions **before V1.1** are affected by the listed CVEs.
- **Configurations:** Not specified; the flaws appear inherent to the bundled third-party libraries.
## Vulnerability Description
The advisory addresses multiple vulnerabilities residing in third-party components integrated within Siemens ST7 ScadaConnect. Based on the specific CVE examples provided (e.g., CVE-2023-44487 concerning HTTP/2 stream cancellation, and CVE-2023-39615 involving an out-of-bounds read in Libxml2), the vulnerabilities principally relate to **Denial of Service (DoS)** conditions, often resulting from improper input validation or resource consumption flaws within these components.
## Exploitation
- **Status:** Exploitation status is not detailed for every one of the 30+ associated CVEs, but **CVE-2023-44487 is noted as 'exploited in the wild'** (via HTTP/2 rapid stream reset). For the other listed CVEs, the E:P (Exploit Code Maturity: Proof-of-Concept) temporal metric in the vectors indicates that Siemens' scoring methodology assumes proof-of-concept code exists.
- **Complexity:** The examples provided (e.g., CVE-2023-44487, CVE-2023-38180) show Low attack complexity, no privileges required and no user interaction (`AC:L/PR:N/UI:N`).
- **Attack Vector:** Primarily **Network (AV:N)**.
## Impact
Since many of the high-scoring CVEs carry a High Availability impact (A:H) in their vectors:
- **Confidentiality:** Likely Low to None (based on observed DoS vectors).
- **Integrity:** Likely Low to None (based on observed DoS vectors).
- **Availability:** **High** (Due to multiple potential Denial of Service vulnerabilities).
## Remediation
### Patches
- **Required Action:** Users **must update to the latest version, V1.1 or later**.
- **Download Link:** hXXps://support.industry.siemens.com/cs/ww/en/view/109955597/
### Workarounds
- Siemens recommends following the **General Security Recommendations** and consulting product-specific mitigations listed in the vendor advisory.
- **General Mitigation:** Protect network access to the devices using appropriate mechanisms and configure the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- As this involves multiple underlying component flaws, the advisory does not publish specific IoCs.
- **Detection Methods:** Network monitoring focusing on unusual traffic patterns, resource exhaustion alerts on the ST7 ScadaConnect server, and ensuring only authorized network segments can reach the device.
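One concrete form of the "unusual traffic patterns" monitoring above is to watch, per HTTP/2 connection, for the burst of `RST_STREAM` frames that characterises the rapid-reset pattern behind CVE-2023-44487. The following is an added example (not Siemens' code, not from the advisory): it runs over a constructed frame log of the form `<epoch_seconds> <conn_id> <frame_type> <stream_id>`, as a reverse proxy or capture tool in front of the server might emit; the log format, the connection names and the thresholds (`window_s`, `max_resets`) are all assumptions to tune for the real environment.

```python
"""Flag HTTP/2 connections with a rapid-reset signature (added detection example)."""
from collections import defaultdict, deque


def constructed_log():
    """Build a constructed sample log: one benign connection, one resetting streams in a burst."""
    lines = []
    t0 = 1700000000.0
    # conn-a: three streams over ~9 s, only one of them reset (normal client behaviour).
    for i in range(3):
        t = t0 + i * 3.0
        sid = 2 * i + 1
        lines.append("%.3f conn-a HEADERS %d" % (t, sid))
        lines.append("%.3f conn-a DATA %d" % (t + 0.010, sid))
        if i == 0:
            lines.append("%.3f conn-a RST_STREAM %d" % (t + 0.500, sid))
    # conn-b: 50 streams opened and immediately reset within half a second.
    for i in range(50):
        t = t0 + 5.0 + i * 0.010
        sid = 2 * i + 1
        lines.append("%.3f conn-b HEADERS %d" % (t, sid))
        lines.append("%.3f conn-b RST_STREAM %d" % (t + 0.001, sid))
    return lines


def parse_line(line):
    """Parse one log line into (timestamp, conn_id, frame_type, stream_id)."""
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)


def parse_events(lines):
    """Parse non-empty lines and sort chronologically so windowing is order-independent."""
    return sorted(parse_line(l) for l in lines if l.strip())


def rapid_reset_connections(lines, window_s=1.0, max_resets=10):
    """Return {conn_id: peak RST_STREAM count} for connections exceeding max_resets
    resets within any sliding window of window_s seconds."""
    recent = defaultdict(deque)   # per-connection timestamps of recent RST_STREAM frames
    peak = defaultdict(int)
    for ts, conn, frame, _ in parse_events(lines):
        if frame != "RST_STREAM":
            continue
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak[conn] = max(peak[conn], len(q))
    return {c: n for c, n in peak.items() if n > max_resets}


def reset_ratio(lines):
    """Second signal: fraction of opened streams (HEADERS) that the client reset."""
    opened = defaultdict(int)
    reset = defaultdict(int)
    for _, conn, frame, _ in parse_events(lines):
        if frame == "HEADERS":
            opened[conn] += 1
        elif frame == "RST_STREAM":
            reset[conn] += 1
    return {c: (reset[c] / opened[c] if opened[c] else 0.0) for c in opened}


if __name__ == "__main__":
    log = constructed_log()
    ratios = reset_ratio(log)
    for conn, n in rapid_reset_connections(log).items():
        print("ALERT %s: %d RST_STREAM in 1 s window, reset ratio %.2f" % (conn, n, ratios[conn]))
```

Peak resets per window catches the burst itself; the reset ratio separates a client that legitimately cancels an occasional request from one that resets nearly every stream it opens. Both are cheap enough to compute at the proxy, where blocking or rate-limiting the offending connection leaves the ScadaConnect server itself untouched.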
## References
- **Vendor Advisory:** SSA-341067
- **General Security Information:** hXXps://www.siemens.com/cert/advisories