Full Report
Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities Affecting Siemens SCALANCE XM-400/XR-500 (SSA-879734)
## CVE Details
This advisory covers multiple CVEs. The excerpt below details two of the listed vulnerabilities:
- **CVE-2023-0465**
  - **CVSS Score:** 5.3 (Medium)
  - **CWE:** CWE-295: Improper Certificate Validation
- **CVE-2023-0466**
  - **CVSS Score:** 5.3 (Medium)
  - **CWE:** CWE-295: Improper Certificate Validation
*(Note: full details for all associated CVEs are not present in the excerpt; only the advisory's overall severity score of 7.5 is given.)*
## Affected Systems
- **Products:** SCALANCE XM408-4C, SCALANCE XM408-4C (L3 int.), SCALANCE XM408-8C, SCALANCE XM408-8C (L3 int.), SCALANCE XM416-4C, and potentially others in the SCALANCE XM-400/XR-500 series.
- **Versions:** All versions prior to V6.6.1.
- **Configurations:** Applications that use OpenSSL and rely on certificate policy checks enabled via the `X509_VERIFY_PARAM_add0_policy()` function.
## Vulnerability Description
The general advisory covers multiple vulnerabilities. The detailed flaws for CVE-2023-0465 and CVE-2023-0466 relate to OpenSSL certificate validation:
**CVE-2023-0465 (Improper Certificate Validation):** A weakness in how OpenSSL handles certificate policies allows an attacker to bypass policy checking when an application relies on the `X509_VERIFY_PARAM_add0_policy()` function. Policy processing is disabled by default; when it was enabled via command-line arguments or function calls, policy checks were not consistently enforced, so certificates with invalid policies could be accepted.
**CVE-2023-0466 (Improper Certificate Validation):** The function `X509_VERIFY_PARAM_add0_policy()` is documented to implicitly enable certificate policy checking during verification, but the implementation failed to enable this check. This flaw means that applications relying on this function for policy enforcement would accept certificates with invalid or incorrect policies.
## Exploitation
- **Status:** PoC available (based on the E:P metric in the CVSS vector for CVE-2023-0465/0466, which indicates that a proof of concept exists).
- **Complexity:** Low (Based on CVSS vector: AC:L)
- **Attack Vector:** Network (Based on CVSS vector: AV:N)
## Impact
*(Impact scores based on the CVE-2023-0465/0466 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)*
- **Confidentiality:** No Impact (C:N)
- **Integrity:** Low Impact (I:L) - Successful exploitation could lead to incorrect certificate trust, potentially allowing integrity manipulation during communication.
- **Availability:** No Impact (A:N)
## Remediation
### Patches
- **Action:** Update to the latest version.
- **Fixed Versions:** V6.6.1 or later versions.
- **Reference:** [https://support.industry.siemens.com/cs/ww/en/view/109955252/](https://support.industry.siemens.com/cs/ww/en/view/109955252/)
### Workarounds
For users requiring certificate policy checks until patching:
- Explicitly enable policy checking by calling `X509_VERIFY_PARAM_set1_policies()` instead of using `X509_VERIFY_PARAM_add0_policy()`.
- Alternatively, explicitly enable the flag by calling `X509_VERIFY_PARAM_set_flags()` with the `X509_V_FLAG_POLICY_CHECK` argument.
## Detection
- **Indicators of Compromise:** Not detailed in the provided text; in practice, monitoring would cover unusual connection attempts and unexpected certificate validation failures or successes against the affected devices.
- **Detection Methods and Tools:** Monitoring network traffic for suspicious certificate usage patterns, especially if configuration hardening related to certificate validation was previously attempted.
## References
- **Vendor Advisories:** SSA-879734
- **Relevant Links:**
  - Siemens ProductCERT Advisories: [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)
  - Product Support Link: [https://support.industry.siemens.com/cs/ww/en/view/109955252/](https://support.industry.siemens.com/cs/ww/en/view/109955252/)