Full Report
Multiple vulnerabilities affecting the third-party components libexpat and libcurl of SINEC NMS before V1.0.3.1 could allow an attacker to impact SINEC NMS confidentiality, integrity and availability. Siemens has released an update for SINEC NMS and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Third-Party Component Vulnerabilities (libcurl, libexpat) in SINEC NMS
## CVE Details
- **CVE ID:** CVE-2022-40674 (Primary Critical), CVE-2022-32221, CVE-2022-35252, CVE-2022-35260, CVE-2022-42915, CVE-2022-43548, CVE-2022-43552, CVE-2022-43680
- **CVSS Score:** 9.8 (Critical) - applies to CVE-2022-40674
- **CWE:** CWE-416 (Use After Free), CWE-121 (Stack-based Buffer Overflow), CWE-440 (Expected Behavior Violation), CWE-1286 (Improper Validation), CWE-319 (Cleartext Transmission)
## Affected Systems
- **Products:** SINEC NMS (Network Management System)
- **Versions:** All versions prior to V1.0.3.1
- **Configurations:** Systems utilizing default third-party libraries libcurl and libexpat for network management, monitoring, and configuration.
## Vulnerability Description
Multiple vulnerabilities exist within the third-party components integrated into SINEC NMS:
- **libexpat (XML Parser):** Contains critical Use-After-Free flaws (CVE-2022-40674, CVE-2022-43680) in the `doContent` function and `XML_ExternalEntityParserCreate` during memory-intensive operations.
- **libcurl (Transfer Library):** Multiple flaws, including stack-based buffer overflows via `.netrc` files (CVE-2022-35260), double-free errors during proxy failures (CVE-2022-42915), HSTS bypasses via IDN characters (CVE-2022-43548), and improper handle reuse between PUT/POST requests (CVE-2022-32221).
## Exploitation
- **Status:** PoC Available (proof-of-concept code exists for several of the identified CVEs, though the vendor currently reports no widespread "in the wild" exploitation).
- **Complexity:** Low to High (Varies by CVE; most libcurl flaws are Low complexity).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential for sensitive data exposure via HSTS bypass or memory leaks).
- **Integrity:** High (Potential for unauthorized data modification).
- **Availability:** High (Potential for service crashes/Denial of Service via buffer overflows and use-after-free).
## Remediation
### Patches
- **SINEC NMS V1.0.3.1:** Siemens recommends updating to this version or any later version immediately.
- Download link: hxxps://support.industry.siemens.com/cs/ww/en/view/109818269/
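As an added example (not from the advisory or from Siemens), a small Python version gate that flags SINEC NMS installations older than V1.0.3.1 in a host inventory; the inventory format, the host names and the version strings are constructed assumptions, and the comparison is numeric so that V1.0.10 is not mistaken for an affected release.

```python
import re

# Fixed release named in the advisory; every earlier version is affected.
FIXED_VERSION = "V1.0.3.1"

def parse_version(text):
    """Turn 'V1.0.3.1' (or '1.0.3') into a tuple of ints for numeric comparison.
    Raises ValueError for anything that is not a dotted number."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version, fixed=FIXED_VERSION):
    """True if 'version' is strictly older than the fixed release.
    Tuples compare element-wise, so V1.0.10 ranks above V1.0.3.1, which a plain
    string comparison would get wrong. Shorter tuples are zero-padded, so
    V1.0.3 is treated as V1.0.3.0 and therefore as affected."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

# Constructed inventory (host name, reported SINEC NMS version); not real hosts.
SAMPLE_INVENTORY = """\
nms-prod-01 V1.0.2.0
nms-prod-02 V1.0.3.1
nms-lab-01  V1.0.10
nms-old-01  V1.0.3
nms-unknown n/a
"""

def triage_inventory(inventory_text):
    """Return {host: status} with status 'affected', 'patched' or 'unknown'.
    Hosts whose version cannot be parsed are reported, not silently skipped."""
    result = {}
    for line in inventory_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        host, version = parts
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```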
### Workarounds
- No specific software workarounds are provided; users are directed to apply the general security recommendations below.
## Detection
- **Indicators of Compromise:** Unexpected segfaults in SINEC NMS processes, unusual 400-series error responses from "sister sites" due to corrupted cookies, or unauthorized cleartext HTTP traffic where HTTPS is expected.
- **Detection Methods:** Monitor network traffic for anomalous SMB/TELNET tunneling through proxies and audit for the presence of unauthorized `.netrc` files on the host system.
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens.com/productcert/html/ssa-892048.html
- **Industrial Security Guidelines:** hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- **CWE Database:** hxxps://cwe.mitre.org/