Full Report
SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3 are affected by multiple vulnerabilities in third-party components and the integrated web server. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Flaws in SIMATIC CP 1542SP-1/1543SP-1 Web Server and Third-Party Components
## CVE Details
The advisory covers multiple CVEs; the severity of three highlighted examples is detailed below. The advisory's overall rating is a CVSS v3.1 Base Score of **9.8** (Critical).
| CVE ID | CVSS v3.1 Score | Severity | CWE |
| :--- | :--- | :--- | :--- |
| CVE-2023-41910 | 9.8 | Critical | CWE-125: Out-of-bounds Read |
| *Unnamed (Likely Missing Free/Allocation Issue)* | 7.5 | High | CWE-401: Missing Release of Memory after Effective Lifetime |
| CVE-2023-50763 | 4.9 | Medium | CWE-835: Loop with Unreachable Exit Condition |
## Affected Systems
- **Products:**
  - SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0)
  - SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0)
  - SIMATIC CP 1543SP-1 (implied by the advisory title)
- **Versions:** All versions **< V2.3**
- **Configurations:** Some vulnerabilities may be contingent on specific configurations (e.g., allowing PKCS12 import or specific network protocols being active).
## Vulnerability Description
The affected products contain multiple vulnerabilities stemming from outdated or vulnerable third-party components and weaknesses in the integrated web server.
Specific technical details summarized from the provided excerpts include:
1. **CVE-2023-41910 (Out-of-bounds Read):** Crafting a malicious CDP PDU packet can force the `lldpd` daemon to perform an out-of-bounds read on heap memory when processing specific TLVs.
2. **Unnamed Vulnerability (Memory Leak/DoS):** A vulnerability related to missing memory release, allowing a network-based attacker to cause a Denial-of-Service (DoS) condition in the webserver.
3. **CVE-2023-50763 (Infinite Loop DoS):** If the web server is configured to allow the import of PKCS12 containers, processing specially crafted, incomplete certificate chains can cause the web server to enter an infinite loop, resulting in DoS for authenticated remote attackers.
## Exploitation
- **Status (General):** Several CVEs carry `E:P` (Proof-of-Concept code exists) in their CVSS temporal vectors, so PoC code should be assumed to be available.
  - CVE-2023-41910: PoC available (`E:P`)
  - CVE-2023-50763: PoC available (`E:P`)
- **Complexity:** Generally **Low** for the high-severity issues; some flaws are reachable over the network without authentication.
- **Attack Vector (General):** Primarily **Network (AV:N)**, usually without user interaction (`UI:N`).
## Impact
The vulnerabilities pose significant risk overall, primarily to system availability, with a potential path to code execution through memory corruption.
| Impact Area | Summary |
| :--- | :--- |
| **Confidentiality (C)** | High impact possible for CVE-2023-41910 (Out-of-bounds Read often leads to information disclosure). |
| **Integrity (I)** | High impact possible due to heap manipulation from memory errors. |
| **Availability (A)** | High impact across multiple flaws (Infinite Loop, Memory Leak, Out-of-bounds Read) leading to Denial of Service (DoS). |
## Remediation
### Patches
The principal remediation method is updating the affected product.
- **Required Action:** Update to **V2.3 or a later version**.
- **Vendor Link:** Refer to the Siemens support page for detailed update instructions: `https://support.industry.siemens.com/cs/ww/en/view/109954475/`
### Workarounds
No specific workarounds are given in the source material; general mitigation consists of restricting network access to the affected devices through segmentation.
## Detection
- **Indicators of Compromise:** Monitoring for abnormal behavior related to the integrated web server (e.g., repeated failed login attempts, high CPU load corresponding to web server processes, or attempts to upload malformed PKCS12 files).
- **Detection Methods and Tools:** Network traffic analysis should look for unusual CDP PDU packets (for CVE-2023-41910). Standard vulnerability scanning tools should be updated to detect the presence of vulnerable firmware versions (< V2.3).
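The firmware-version check above is the one most defenders can act on immediately from an asset inventory. The following is an added example (not code from Siemens or the advisory) that parses a constructed inventory and flags devices whose article number is listed in the advisory and whose firmware is below V2.3. The article numbers are the two named above; the inventory format, hostnames and the `MLFB-NOT-IN-ADVISORY` placeholder are assumptions for the example.

```python
"""Triage a device inventory against the SSA-625862 affected set.

Added example, not part of the advisory. Assumes a CSV inventory with the
columns hostname,mlfb,firmware; all sample data below is constructed.
"""
import csv
import io
import re

# Article numbers (MLFB) named in the advisory summary. Extend this set with
# any further affected article numbers from the vendor advisory.
AFFECTED_MLFB = {
    "6GK7542-6UX00-0XE0",  # SIMATIC CP 1542SP-1
    "6GK7542-6VX00-0XE0",  # SIMATIC CP 1542SP-1 IRC
}

# First fixed version per the advisory: V2.3.
FIXED_VERSION = (2, 3)

# Accepts 'V2.3', 'v2.2.1', '2.1'; rejects anything else.
_VERSION_RE = re.compile(r"^V?(\d+)(?:\.(\d+))?(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a firmware string such as 'V2.2.1' into a comparable int tuple.

    Raises ValueError for strings that are not version numbers, so callers
    cannot silently treat 'unknown' as patched.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable(mlfb: str, firmware: str) -> bool:
    """True when the article number is affected and firmware is below V2.3.

    Tuple comparison handles mixed lengths correctly: (2, 2, 1) < (2, 3)
    and (2, 3, 1) >= (2, 3).
    """
    if mlfb.strip().upper() not in AFFECTED_MLFB:
        return False
    return parse_version(firmware) < FIXED_VERSION


def triage(inventory_csv: str) -> list[dict]:
    """Return one finding per device that needs attention.

    status is 'update-to-V2.3' for affected devices on old firmware and
    'verify-version' for affected devices whose version string is unreadable;
    devices that are not in the affected set produce no finding.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv.strip())):
        host, mlfb, fw = row["hostname"], row["mlfb"], row["firmware"]
        try:
            vulnerable = is_vulnerable(mlfb, fw)
        except ValueError:
            # Affected article number but unparseable version: do not guess.
            findings.append({"host": host, "mlfb": mlfb, "firmware": fw,
                             "status": "verify-version"})
            continue
        if vulnerable:
            findings.append({"host": host, "mlfb": mlfb, "firmware": fw,
                             "status": "update-to-V2.3"})
    return findings


# Constructed sample inventory; MLFB-NOT-IN-ADVISORY is a placeholder for any
# device outside the affected product set.
SAMPLE_INVENTORY = """\
hostname,mlfb,firmware
cp-line1,6GK7542-6UX00-0XE0,V2.2
cp-line2,6GK7542-6VX00-0XE0,V2.3
cp-line3,6GK7542-6UX00-0XE0,v2.1.1
cp-line4,6GK7542-6UX00-0XE0,unknown
other-1,MLFB-NOT-IN-ADVISORY,V1.0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']:10} {finding['firmware']:8} {finding['status']}")
```

Unreadable version strings are reported rather than ignored, since an inventory gap on an affected article number is itself a finding; the `V` prefix is optional because exports from different tools differ in whether they keep it.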
## References
- **Vendor Advisories:** Siemens Security Advisory SSA-625862 (release date 2024-06-11)
- **Relevant Links:**
  - Siemens CERT Portal: `https://www.siemens.com/cert/advisories`