Full Report
Multiple NULL pointer dereference vulnerabilities in the affected products could allow an attacker with network access to the webserver to perform a denial of service attack. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Multiple NULL Pointer Dereference Vulnerabilities in Siemens Industrial Products
## CVE Details
- CVE ID: CVE-2023-28827, CVE-2023-30755, CVE-2023-30756
- CVSS Score: 5.9 (Medium) under CVSS v3.1; 8.2 (High) under CVSS v4.0 (the same vulnerabilities scored under the two versions, not two different issues)
- CWE: CWE-476: NULL Pointer Dereference
## Affected Systems
- Products: SIMATIC CP 1242-7 V2 (incl. SIPLUS variants), SIMATIC CP 1243-1 (incl. SIPLUS variants), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants), SIMATIC CP 1243-7 LTE, SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (and SIPLUS variants where applicable)
- Versions: All versions < V3.5.20 for all listed products.
- Affected component: the integrated web server of each listed product; the attacker needs network access to that web server.
## Vulnerability Description
The advisory covers three NULL pointer dereference vulnerabilities in the web server of the listed Siemens products. They share one pattern: an error or unexpected event leaves a pointer unset (NULL), and a later code path dereferences it without checking, crashing the web server.
1. **CVE-2023-28827**: Pointers are not cleaned up correctly when an unexpected event occurs, and a subsequent access dereferences NULL.
2. **CVE-2023-30755**: The web server does not properly handle shutdown or reboot requests; the flawed resource clean-up on that path leads to a NULL dereference.
3. **CVE-2023-30756**: The web server does not handle errors correctly while processing requests that carry an HTTP `Expect` header, resulting in a NULL dereference.
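The following is an added illustration of the CWE-476 pattern behind CVE-2023-30756, not code from Siemens or from the affected firmware: a small HTTP request handler extracts the `Expect` header, looks it up in a table of supported expectations, and the lookup returns NULL for anything it does not know. `respond_vulnerable` never checks that result, so a request such as `Expect: x-unknown` dereferences NULL and takes the server down; `respond_hardened` turns the same error result into a `417 Expectation Failed` response. All function and struct names, and the sample requests in `main`, are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does s start with prefix?"; stops safely at the end of s. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Case-insensitive full-string equality. */
static int str_eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Copy the value of the Expect header of a raw request into buf.
 * Returns buf, or NULL when the request carries no Expect header. */
static const char *find_expect_header(const char *raw, char *buf, size_t buflen) {
    const char *line = strstr(raw, "\r\n");          /* skip the request line */
    while (line) {
        line += 2;
        if (*line == '\r' || *line == '\0')         /* blank line: end of headers */
            return NULL;
        if (has_prefix_ci(line, "expect:")) {
            const char *v = line + 7;
            while (*v == ' ' || *v == '\t') v++;     /* skip optional whitespace */
            size_t n = 0;
            while (v[n] && v[n] != '\r' && v[n] != '\n' && n + 1 < buflen)
                n++;
            memcpy(buf, v, n);
            buf[n] = '\0';
            return buf;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Hypothetical table entry for an expectation the server understands. */
struct expectation { const char *token; int interim_status; };

/* Returns the table entry, or NULL for an unsupported expectation (the error case). */
static const struct expectation *lookup_expectation(const char *value) {
    static const struct expectation known[] = { { "100-continue", 100 } };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (str_eq_ci(value, known[i].token))
            return &known[i];
    return NULL;
}

/* Vulnerable pattern (CWE-476): the error result of the lookup is never checked,
 * so any unsupported Expect value dereferences NULL and crashes the server task. */
int respond_vulnerable(const char *raw) {
    char value[64];
    if (find_expect_header(raw, value, sizeof value) == NULL)
        return 200;                                  /* no expectation: normal handling */
    const struct expectation *e = lookup_expectation(value);
    return e->interim_status;                        /* NULL dereference when e == NULL */
}

/* Hardened pattern: the NULL result becomes a 417 Expectation Failed, the response
 * RFC 7231 section 5.1.1 provides for an expectation the server cannot meet. */
int respond_hardened(const char *raw) {
    char value[64];
    if (raw == NULL)
        return 400;
    if (find_expect_header(raw, value, sizeof value) == NULL)
        return 200;
    const struct expectation *e = lookup_expectation(value);
    if (e == NULL)
        return 417;                                  /* error path handled, no dereference */
    return e->interim_status;                        /* 100 Continue for "100-continue" */
}

int main(void) {
    /* Constructed sample requests; not captured from any device. */
    const char *plain = "GET /portal HTTP/1.1\r\nHost: cp\r\n\r\n";
    const char *cont  = "POST /api HTTP/1.1\r\nHost: cp\r\nExpect: 100-continue\r\n\r\n";
    const char *bogus = "POST /api HTTP/1.1\r\nHost: cp\r\nExpect: x-unknown\r\n\r\n";
    printf("hardened: plain=%d continue=%d bogus=%d\n",
           respond_hardened(plain), respond_hardened(cont), respond_hardened(bogus));
    printf("vulnerable: plain=%d continue=%d\n",
           respond_vulnerable(plain), respond_vulnerable(cont));
    /* respond_vulnerable(bogus) would dereference NULL here and crash the process. */
    return 0;
}
```

The point of the hardened variant is not the specific status code but that every function returning a pointer on its error path gets its NULL result checked at the call site; the same discipline applies to the shutdown and unexpected-event paths behind the other two CVEs.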
## Exploitation
- Status: The advisory links no public exploit. The temporal metric E:P (Proof-of-Concept) in the vectors for CVE-2023-28827 and CVE-2023-30756, as read by this summary, means per the CVSS v3.1 specification that proof-of-concept exploit code is available or that an attack demonstration is not practical for most systems; it does not by itself mean a working exploit has been published.
- Complexity: **High** (AC:H). The advisory does not state why; a specific request sequence or timing is the likely requirement.
- Attack Vector: Network
## Impact
- Confidentiality: No impact
- Integrity: No impact
- Availability: **High** (a NULL pointer dereference crashes the web server process, so all three vulnerabilities are denial-of-service issues).
## Remediation
### Patches
- Update all affected SIMATIC CP 124X products to **Version V3.5.20 or later**.
- Specific update URL reference: https://support.industry.siemens.com/cs/ww/en/view/109972735/
### Workarounds
- Siemens recommends specific countermeasures for products where fixes are not, or not yet, available. Users must consult the advisory's "Workarounds and Mitigations" section (not fully detailed in the provided text snippet) for the specific measures.
- The excerpt does not spell them out; Siemens' standing guidance for its advisories is to restrict network access to the device (here, to the web server) with appropriate mechanisms and to operate the device within a protected IT environment following its operational guidelines for industrial security.
## Detection
- Indicators of compromise: unexpected crashes or restarts of the web server or the device, especially when correlated with inbound HTTP traffic to the web interface or with shutdown or reboot requests issued through it.
- Detection methods and tools: monitor network traffic to the web interface of the impacted devices; flag requests carrying an HTTP `Expect` header (for CVE-2023-30756) and unexpected shutdown or reboot requests (for CVE-2023-30755); correlate these with device availability monitoring so that a crash following such a request is visible.
## References
- Vendor advisories: SSA-423808
- Relevant links:
- https://cert-portal.siemens.com/productcert/html/ssa-423808.html
- https://www.siemens.com/cert/advisories
- https://www.siemens.com/terms_of_use