Full Report
Multiple vulnerabilities in the third-party components cURL, BusyBox, libtirpc and Expat, as well as in the Linux Kernel, could allow an attacker to impact the SCALANCE XCM332 device’s confidentiality, integrity and availability. Siemens has released an update for the SCALANCE XCM332 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Third-Party Component Vulnerabilities in SCALANCE XCM332
## CVE Details
This advisory addresses multiple vulnerabilities. Key identifiers include:
- **CVE-2022-40674**: 9.8 (Critical) | CWE-416 (Use After Free in libexpat)
- **CVE-2022-32207**: 9.8 (Critical) | CWE-276 (Incorrect Default Permissions in cURL)
- **CVE-2022-1652**: 7.8 (High) | CWE-416 (Use After Free in Linux Kernel)
- **CVE-2022-30065**: 7.8 (High) | CWE-416 (Use After Free in BusyBox)
- **CVE-2021-46828**: 7.5 (High) | CWE-770 (Resource Exhaustion in libtirpc)
- **CVE-2022-35252**: 7.5 (High) | CWE-1286 (Improper Input Validation in cURL)
- **CVE-2022-1729**: 7.0 (High) | CWE-362 (Race Condition in Linux Kernel)
- **CVE-2022-32208**: 5.9 (Medium) | CWE-787 (Out-of-bounds Write in cURL)
- **CVE-2022-32205**: 4.3 (Medium) | (Resource Management in cURL)
## Affected Systems
- **Products**: SCALANCE XCM332 (6GK5332-0GA01-2AC2)
- **Versions**: All versions prior to V2.2
- **Configurations**: Devices using default third-party libraries for networking (cURL), XML parsing (Expat), and system utilities (BusyBox/Linux Kernel).
## Vulnerability Description
The SCALANCE XCM332 firmware incorporates several third-party components containing security flaws:
* **libexpat/BusyBox/Linux Kernel**: Multiple **Use-After-Free** and **Race Condition** flaws allow memory corruption, potentially leading to arbitrary code execution or system crashes.
* **cURL**: Flaws in cookie handling and file permission management. Specifically, one flaw allows cURL to unintentionally "widen" file permissions during a rename operation, making sensitive files accessible to unauthorized users.
* **libtirpc**: Improper handling of idle TCP connections allows remote attackers to exhaust file descriptors, resulting in a Denial of Service (DoS) through an infinite loop.
## Exploitation
- **Status**: PoC available for several components (indicated by "E:P" in the CVSS vectors for the Linux Kernel, BusyBox and cURL issues). No reports of active exploitation in the wild at the time of publication.
- **Complexity**: Variable (Low to High). Local exploits for kernel flaws require shell access; network exploits for libexpat/cURL depend on processing malicious traffic.
- **Attack Vector**: Network and Local (varies by CVE).
## Impact
- **Confidentiality**: High (Risk of data theft via kernel info leaks or incorrect file permissions).
- **Integrity**: High (Risk of arbitrary code execution).
- **Availability**: High (Risk of system-wide Denial of Service or infinite loops).
## Remediation
### Patches
- **Update to V2.2 or later**: Siemens recommends immediate transition to the latest firmware version.
- **Download Link**: [https://support.industry.siemens.com/cs/ww/en/view/109817513/](https://support.industry.siemens.com/cs/ww/en/view/109817513/)
### Workarounds
- No specific software workarounds are provided; follow the general security recommendations in the Detection and Mitigation section.
## Detection and Mitigation
- **Network Segmentation**: Protect network access to industrial devices with firewalls and VLANs.
- **Operational Guidelines**: Follow Siemens' operational guidelines for Industrial Security to ensure the device resides in a protected IT/OT environment.
- **Access Control**: Limit local user access to prevent exploitation of local Linux Kernel and BusyBox vulnerabilities.
## References
- **Siemens SSA-558014**: [https://cert-portal.siemens.com/productcert/pdf/ssa-558014.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-558014.pdf)
- **Siemens Industrial Security**: [https://www.siemens.com/industrialsecurity](https://www.siemens.com/industrialsecurity)
- **Siemens ProductCERT**: [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)