AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
ESB-2022.5802 - [Appliance] Siemens SINUMERIK ONE and SINUMERIK MC: CVSS (Max): 9.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5802
Advisory (icsa-22-314-04) Siemens SINUMERIK ONE and SINUMERIK MC
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SINUMERIK ONE
Siemens SINUMERIK MC
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2022-38465
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-04
Comment: CVSS (Max): 9.3 CVE-2022-38465 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-04)
Siemens SINUMERIK ONE and SINUMERIK MC
Original release date: November 10, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 9.3
o ATTENTION: Low attack complexity
o Vendor: Siemens
o Equipment: SINUMERIK ONE and SINUMERIK MC
o Vulnerability: Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to discover
the private key of a given CPU product family via an offline attack against a
single CPU from the family. Attackers could then use this knowledge to extract
confidential configuration data from projects.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SINUMERIK CNC systems are affected:
o SINUMERIK ONE All Versions
o SINUMERIK MC All Versions
3.2 VULNERABILITY OVERVIEW
3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
All versions of Siemens SINUMERIK ONE and SINUMERIK MC use an insecure method
to store authentication credentials, which are therefore susceptible to being
retrieved.
CVE-2022-38465 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:N/S:C/
C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:
o Expose the communication between the S7-1500 CPU and the HMI of the
affected products only to trusted network environments.
o Protect access to the TIA Portal project and SINUMERIK NCU (including
related memory cards) from unauthorized actors.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. In order to operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.
For more information, see Siemens security advisory SSA-568428 in HTML or CSAF.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY23HiMkNZI30y1K9AQjy1Q//dLJvTtMjZnriBxPewXjWM1lHdBoIjTew
1YigHj+a2EIgVlHit/Ho6jhjN/cjDant+bye35KLreO6G7LKbJNzfIcgsm7bO0eR
kBMQSVNiwV6ExjboQEmAjhz3Bzcz+XnPV0P5xiC1l+uv10W1uwrMfQuddoxdC19X
jdz77Mdl0aU5ZZsc/oJbci/ZVig91WaAkHsUclAGnj++ZCC/n43TXGk/28ZMfxWM
JwhZZnqjLYl6N9sTrHsXaliqvW1vNfqGQDiI/vj8e9Esj0DcQMe4vVLCn/d9PpOG
yjUj1KPIDnsJYSNDqJ1Aaf2LsLazndTygolf+D5iGxbvszkR5Fp0SVeOFzp9aL0g
V6VRMqCb5C/tYjpnoejuNNVSbZWA9MgzxpD4fSHOn2hPwc9VccFZc7y1Ib0ZmLJ5
38L72BwGQPsQN3AFBkGBwS8lh60ZRsxy4ezbk6Oh0hm+kr65MDyZrSySqTkiXrfV
fxPuHIa2I9m+EzT++TZrKfCMkIwwe6lar1gQO58zxj5rdZhxWI0gtH6y5epryxpn
pHv8muq3t9KlzW9fXqrofmS6IEAlh+KA+po2o5a8ZDwByvOUMY5ewtJDTvQERYuy
5DtWqtSvytxyQeNPJszGN+ssPpgqnfsqiNZedHTEcBOps+kTrFA151T/y9noOCcF
WTiqzi+Ccx8=
=nSLd
-----END PGP SIGNATURE-----
ESB-2022.5801 - [Appliance] Siemens SCALANCE W1750D: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5801
Advisory (icsa-22-314-10) Siemens SCALANCE W1750D
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SCALANCE W1750D
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2022-37896 CVE-2022-37895 CVE-2022-37894
CVE-2022-37893 CVE-2022-37892 CVE-2022-37891
CVE-2022-37890 CVE-2022-37889 CVE-2022-37888
CVE-2022-37887 CVE-2022-37886 CVE-2022-37885
CVE-2002-20001
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-10
Comment: CVSS (Max): 7.8 CVE-2022-37885 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-10)
Siemens SCALANCE W1750D
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE W1750D
o Vulnerabilities: Uncontrolled Resource Consumption, Buffer Copy without
Checking Size of Input, Improper Neutralization of Input During Web Page
Generation, Improper Neutralization of Special Elements used in a Command,
Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to
inject commands or exploit buffer overflow vulnerabilities, which could lead to
denial of service, unauthenticated remote code execution, or stored XSS.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports these vulnerabilities affect the following versions of SCALANCE
W1750D, which is a brand-labeled access point device from Aruba:
o SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
o SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
o SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the
client side) to send arbitrary numbers (not actual public keys) and trigger
expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater
attack. The client requires few CPU resources and network bandwidth. The attack
may be more disruptive in cases where a client can require a server to select
its largest supported key size. The basic attack scenario is that the client
must claim that it can only communicate with DHE, and the server must be
configured to allow DHE.
CVE-2002-20001 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
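The precondition spelled out above (a client that claims it can only negotiate DHE, talking to a server that still allows DHE) can be checked from both ends. The following Python is an added example and is not part of the CISA advisory or of any Siemens or Aruba tooling: it parses the cipher-suite list out of a TLS ClientHello record, flags a hello that offers DHE suites and nothing else (a detection heuristic that is this example's assumption; ordinary browsers offer ECDHE and TLS 1.3 suites alongside any DHE suites), and reports whether a server's configured suite list still admits DHE at all. The ClientHello bytes are constructed inline as test fixtures; the cipher-suite code points are the IANA values, and the table is deliberately a subset, so a code point it does not know is counted as non-DHE.

```python
"""DHE-only ClientHello heuristic for the D(HE)ater condition (CVE-2002-20001).

Added example; the 'dhe_only' rule and the fixtures below are constructed
assumptions, not detection logic from the advisory.
"""
import struct

# IANA TLS cipher-suite code points (a subset).  A DHE suite commits the server
# to a finite-field modular exponentiation per handshake; the others do not.
DHE_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
NON_DHE_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + bytes(32)                   # client_version, random
    body += b"\x00"                                  # empty session_id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs          # cipher_suites vector
    body += b"\x01\x00"                              # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record header


def parse_client_hello(raw):
    """Return the cipher-suite code points offered in a ClientHello record.

    Every length field is checked against the bytes actually present, so a
    truncated or non-ClientHello input raises ValueError instead of misparsing.
    """
    if len(raw) < 5 or raw[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", raw[3:5])[0]
    hs = raw[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                     # skip version and random
    pos += 1 + body[pos]                             # skip session_id
    if len(body) < pos + 2:
        raise ValueError("missing cipher_suites length")
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or len(body) < pos + cs_len:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def classify_client_hello(raw):
    """Summarise a ClientHello's DHE exposure; 'dhe_only' is the heuristic flag."""
    suites = parse_client_hello(raw)
    dhe = [s for s in suites if s in DHE_SUITES]
    return {
        "offered": len(suites),
        "dhe": len(dhe),
        # An unknown code point counts as non-DHE, so an unrecognised DHE suite
        # suppresses the flag rather than raising a false alarm.
        "dhe_only": bool(dhe) and len(dhe) == len(suites),
    }


def server_allows_dhe(server_suites):
    """True if the server's configured suite list still admits any DHE suite."""
    return any(s in DHE_SUITES for s in server_suites)


# Constructed fixtures: a browser-like hello and a DHE-only hello.
BROWSER_HELLO = build_client_hello([0x1301, 0xC02B, 0xC02F, 0x009E, 0x009C])
DHE_ONLY_HELLO = build_client_hello([0x009F, 0x009E, 0x0039, 0x0033])

if __name__ == "__main__":
    print("browser :", classify_client_hello(BROWSER_HELLO))
    print("dhe-only:", classify_client_hello(DHE_ONLY_HELLO))
    print("server allows DHE:", server_allows_dhe([0xC02F, 0xC030, 0x009E]))
```

The durable fix sits on the server side, as the last sentence of the description implies: a server that does not offer DHE at all cannot be driven into the expensive computation, and where DHE must stay enabled, not letting the client steer the server to its largest supported group bounds the per-handshake cost. Validating the client's value does not help here, since any in-range number triggers the same modular exponentiation.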
3.2.2 CLASSIC BUFFER OVERFLOW CWE-120
A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).
CVE-2022-37885 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.3 CLASSIC BUFFER OVERFLOW CWE-120
A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).
CVE-2022-37886 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.4 CLASSIC BUFFER OVERFLOW CWE-120
A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).
CVE-2022-37887 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.5 CLASSIC BUFFER OVERFLOW CWE-120
A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).
CVE-2022-37888 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.6 CLASSIC BUFFER OVERFLOW CWE-120
A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).
CVE-2022-37889 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.7 CLASSIC BUFFER OVERFLOW CWE-120
An unauthenticated buffer overflow vulnerability exists within the web
management interface. Successful exploitation could result in the execution of
arbitrary commands on the underlying operating system.
CVE-2022-37890 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.8 CLASSIC BUFFER OVERFLOW CWE-120
An unauthenticated buffer overflow vulnerability exists within the web
management interface. Successful exploitation could result in the execution of
arbitrary commands on the underlying operating system.
CVE-2022-37891 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).
3.2.9 CROSS-SITE SCRIPTING CWE-79
A vulnerability in the web management interface could allow an unauthenticated
remote attacker to conduct a stored cross-site scripting (XSS) attack against a
user of the interface. A successful exploit could allow an attacker to execute
arbitrary script code in a victim's browser in the context of the affected
interface.
CVE-2022-37892 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/
UI:R/S:C/C:L/I:L/A:N ).
3.2.10 CROSS-SITE SCRIPTING CWE-79
A vulnerability in the web management interface could allow a remote attacker
to conduct a reflected cross-site scripting (XSS) attack against a user of the
interface. A successful exploit could allow an attacker to execute arbitrary
script code in a victim's browser in the context of the affected interface.
CVE-2022-37896 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:C/C:L/I:L/A:N ).
3.2.11 COMMAND INJECTION CWE-77
An authenticated command injection vulnerability exists in the command line
interface. Successful exploitation of this vulnerability could result in the
ability to execute arbitrary commands as a privileged user on the underlying
operating system.
CVE-2022-37893 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H ).
3.2.12 IMPROPER INPUT VALIDATION CWE-20
An unauthenticated denial of service (DoS) vulnerability exists in the handling
of certain SSID strings. Successful exploitation of this vulnerability could
result in the ability to interrupt the normal operation of the affected Access
Point.
CVE-2022-37894 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H ).
3.2.13 IMPROPER INPUT VALIDATION CWE-20
An authenticated denial of service (DoS) vulnerability exists in the web
management interface. Successful exploitation of this vulnerability could
result in the ability to interrupt the normal operation of the affected Access
Point.
CVE-2022-37895 has been assigned to this vulnerability. A CVSS v3 base score of
4.9 has been calculated; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:H/
UI:N/S:U/C:N/I:N/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens identified the following specific workarounds and mitigations to reduce
risk:
o CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, and
CVE-2022-37889: Enable CPSec via the cluster-security command.
o CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37895, and
CVE-2022-37896: Restrict the web-based management interface to a dedicated
layer 2 segment/VLAN and/or control the interface by firewall policies at
layer 3 and above.
o CVE-2022-37893: Restrict the command line interface to a dedicated layer 2
segment/VLAN and/or control the interface by firewall policies at layer 3
and above.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. In order to operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at the
Siemens website.
For more information, see the associated Siemens security advisory SSA-506569
in HTML and CSAF.
Siemens SCALANCE W1750D is a brand-labeled device from Aruba. For more
information regarding these vulnerabilities, see the Aruba security advisory
ARUBA-PSA-2022-014.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
CISA also recommends users take the following measures to protect themselves
from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding
email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information
on social engineering attacks.
No known public exploits specifically target these vulnerabilities. These
vulnerabilities are exploitable remotely. These vulnerabilities have a low
attack complexity.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=vUad
-----END PGP SIGNATURE-----
ESB-2022.5800 - [Appliance] Siemens Teamcenter Visualization and JT2Go: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5800
Advisory (icsa-22-314-09) Siemens Teamcenter Visualization and JT2Go
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens Teamcenter Visualization
Siemens JT2Go
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-41664 CVE-2022-41663 CVE-2022-41662
CVE-2022-41661 CVE-2022-41660 CVE-2022-39136
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-09
Comment: CVSS (Max): 7.8 CVE-2022-39136 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-09)
Siemens Teamcenter Visualization and JT2Go
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 7.8
o ATTENTION: Low attack complexity
o Vendor: Siemens
o Equipment: Teamcenter Visualization and JT2Go
o Vulnerabilities: Heap-based Buffer Overflow, Out-of-bounds Write,
Out-of-bounds Read, Use After Free, Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code in the context of the current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following software from Siemens is affected:
o JT2Go: All versions prior to V14.1.0.4
o Teamcenter Visualization V13.3: All versions (only affected by
CVE-2022-39136)
o Teamcenter Visualization V13.3: All versions prior to V13.3.0.7
o Teamcenter Visualization V14.0: All versions prior to V14.0.0.3
o Teamcenter Visualization V14.1: All versions prior to V14.1.0.4
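The affected-product list above has one subtlety worth encoding rather than reading: Teamcenter Visualization V13.3 stays affected by CVE-2022-39136 on every release, while V13.3.0.7 fixes the other five. The Python below is an added example, not tooling from the advisory or from Siemens: the version table is transcribed from the advisory's affected-products and mitigation lists, and the parsing of Siemens version strings as dotted integers (V14.1.0.4 becomes (14, 1, 0, 4)) is this example's assumption.

```python
"""Which CVEs from ICSA-22-314-09 remain open for an installed version.

Added example; version semantics (dotted-integer comparison) are assumed.
"""

ALL_CVES = frozenset({
    "CVE-2022-39136", "CVE-2022-41660", "CVE-2022-41661",
    "CVE-2022-41662", "CVE-2022-41663", "CVE-2022-41664",
})

# (product, major.minor line or None for any line, first fixed release,
#  CVEs that release fixes) -- transcribed from the advisory.
FIXES = [
    ("JT2Go", None, "V14.1.0.4", ALL_CVES),
    ("Teamcenter Visualization", "14.1", "V14.1.0.4", ALL_CVES),
    ("Teamcenter Visualization", "14.0", "V14.0.0.3", ALL_CVES),
    # V13.3.0.7 fixes the CGM and PDF issues, but the advisory lists no V13.3
    # release that fixes CVE-2022-39136 (the TIF heap overflow).
    ("Teamcenter Visualization", "13.3", "V13.3.0.7",
     ALL_CVES - {"CVE-2022-39136"}),
]


def parse_version(v):
    """'V14.1.0.4' -> (14, 1, 0, 4); tuples compare element-wise."""
    return tuple(int(p) for p in v.lstrip("Vv").split("."))


def open_cves(product, version):
    """Return the advisory's CVEs still open for an installed version.

    Returns None when the product/version line is not covered by the advisory,
    so a caller cannot mistake 'not listed' for 'not affected'.
    """
    installed = parse_version(version)
    line = f"{installed[0]}.{installed[1]}"
    for prod, ver_line, fixed_in, fixed_cves in FIXES:
        if prod != product or (ver_line is not None and ver_line != line):
            continue
        if installed >= parse_version(fixed_in):
            return frozenset(ALL_CVES - fixed_cves)   # patched, except the unfixed one
        return frozenset(ALL_CVES)                    # "all versions prior to" the fix
    return None


if __name__ == "__main__":
    for prod, ver in [("JT2Go", "V14.1.0.4"), ("Teamcenter Visualization", "V13.3.0.7"),
                      ("Teamcenter Visualization", "V14.0.0.2")]:
        print(prod, ver, sorted(open_cves(prod, ver)))
```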
3.2 VULNERABILITY OVERVIEW
3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122
The affected application is vulnerable to a fixed-length heap-based buffer
overflow while parsing specially crafted TIF files. An attacker could leverage
this vulnerability to execute code in the context of the current process.
CVE-2022-39136 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.2 OUT-OF-BOUNDS WRITE CWE-787
The affected products contain an out-of-bounds write vulnerability when parsing
a CGM file. An attacker could leverage this vulnerability to execute code in
the context of the current process.
CVE-2022-41660 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.3 OUT-OF-BOUNDS READ CWE-125
The affected products contain an out-of-bounds read vulnerability when parsing
a CGM file. An attacker could leverage this vulnerability to execute code in
the context of the current process.
CVE-2022-41661 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.4 OUT-OF-BOUNDS READ CWE-125
The affected products contain an out-of-bounds read vulnerability when parsing
a CGM file. An attacker could leverage this vulnerability to execute code in
the context of the current process.
CVE-2022-41662 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.5 USE AFTER FREE CWE-416
The affected applications contain a use-after-free vulnerability that could be
triggered while parsing specially crafted CGM files. An attacker could leverage
this vulnerability to execute code in the context of the current process.
CVE-2022-41663 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.6 STACK-BASED BUFFER OVERFLOW CWE-121
The affected application contains a stack-based buffer overflow vulnerability
potentially triggered while parsing specially crafted PDF files. This could
allow an attacker to execute code in the context of the current process.
CVE-2022-41664 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Nafiez and Michael Heinzl reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens released updates for the following products and recommends updating to
the latest versions:
o JT2Go: Update to V14.1.0.4 or later version.
o Teamcenter Visualization V14.1: Update to V14.1.0.4 or later version.
o Teamcenter Visualization V14.0: Update to V14.0.0.3 or later version.
o Teamcenter Visualization V13.3: Update to V13.3.0.7 or later version.
o Teamcenter Visualization V13.3: Currently no fix is available for
CVE-2022-39136.
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:
o Do not open untrusted CGM, TIF, or PDF files in JT2Go and Teamcenter
Visualization.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' Operational Guidelines for Industrial Security and following
recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage.
For further inquiries on security vulnerabilities in Siemens products and
solutions, users can contact the Siemens ProductCERT.
For more information see the associated Siemens security advisory SSA-120378 in
HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5799 - [Appliance] Siemens QMS Automotive: CVSS (Max): 7.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5799
ICS Advisory (ICSA-22-314-06) Siemens QMS Automotive
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens QMS Automotive
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2022-43958
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-06
Comment: CVSS (Max): 7.6 CVE-2022-43958 (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-06)
Siemens QMS Automotive
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 7.6
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: QMS Automotive
o Vulnerability: Cleartext Storage of Sensitive Information in Memory
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read
credentials and impersonate authorized users.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens QMS Automotive, a quality management system,
are affected:
All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316
All versions of Siemens QMS Automotive contain a vulnerability that stores user
credentials in plaintext inside the user database. This could allow an attacker
to read credentials from memory.
CVE-2022-43958 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
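The advisory's mitigation is to enable encryption for user passwords. For a credential that only ever needs to be verified, the usual hardening is a salted, deliberately slow one-way hash rather than reversible encryption: a dump of the store then yields nothing that can be typed straight into a login. The following added example, written for this bulletin and not Siemens' code, contrasts a constructed plaintext user store with a hashed one. The user name, password, PBKDF2 iteration count and record layout are assumptions for illustration and say nothing about how QMS Automotive stores its data.

```python
import hashlib
import hmac
import os

# Constructed sample user store modelling the weak pattern in the advisory
# (credentials kept in plaintext). The user and password are made up.
PLAINTEXT_DB = {"inspector": "Sommer2022!"}

# PBKDF2 work factor: an assumption for illustration; set it so that one
# verification costs a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000


def check_plaintext(db, user, password):
    """Verify against a plaintext store. Whoever reads the table, a backup of
    it or a memory dump holds every password as-is."""
    return db.get(user) == password


def hash_password(password, salt=None):
    """Salted one-way hash. Returns a record that is stored in place of the
    password; the password cannot be recovered from it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": digest}


def make_hashed_db(plaintext_db):
    """One-off migration of a plaintext store to salted hashes."""
    return {user: hash_password(pw) for user, pw in plaintext_db.items()}


_DUMMY_SALT = b"\x00" * 16


def check_hashed(db, user, password):
    """Verify against the hashed store with a constant-time comparison, and
    do the same amount of hashing for unknown users so that user enumeration
    by response time is not trivial."""
    record = db.get(user)
    if record is None:
        hash_password(password, _DUMMY_SALT)
        return False
    candidate = hash_password(password, record["salt"])["hash"]
    return hmac.compare_digest(candidate, record["hash"])


def exposed_passwords(db):
    """What a dump of the store hands an attacker directly: the plaintext
    values, if any. A hashed store returns an empty list."""
    return [value for value in db.values() if isinstance(value, str)]
```

Migrating an existing store is a one-time pass over the table (make_hashed_db); after that, the only place the plaintext password exists is in the user's head and, briefly, in the login request, which is why the advisory's general advice about protecting network access to the application still matters.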
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:
o Enable encryption for user passwords.
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and to
follow the recommendations in the product manuals.
For more information, see Siemens Security Advisory SSA-587547 in HTML or CSAF.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5798 - [Appliance] Siemens RUGGEDCOM ROS: CVSS (Max): 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5798
ICS Advisory (ICSA-22-314-05) Siemens RUGGEDCOM ROS
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens RUGGEDCOM ROS
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2022-39158
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-05
Comment: CVSS (Max): 5.3 CVE-2022-39158 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-05)
Siemens RUGGEDCOM ROS
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: RUGGEDCOM ROS
o Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial-of-service
condition where the affected web servers wait for the completion of each
request, occupying all available HTTP connections. The web server recovers by
itself once the attack ends.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports this vulnerability affects the following RUGGEDCOM ROS switches
and serial-to-Ethernet devices:
o RUGGEDCOM ROS i800 V4.X: All versions
o RUGGEDCOM ROS i801 V4.X: All versions
o RUGGEDCOM ROS i802 V4.X: All versions
o RUGGEDCOM ROS i803 V4.X: All versions
o RUGGEDCOM ROS RMC30 V4.X: All versions
o RUGGEDCOM ROS RMC8388 V4.X: All versions
o RUGGEDCOM ROS RP110 V4.X: All versions
o RUGGEDCOM ROS RS1600 V4.X: All versions
o RUGGEDCOM ROS RS1600F V4.X: All versions
o RUGGEDCOM ROS RS1600T V4.X: All versions
o RUGGEDCOM ROS RS400 V4.X: All versions
o RUGGEDCOM ROS RS401 V4.X: All versions
o RUGGEDCOM ROS RS416Pv2 V4.X: All versions
o RUGGEDCOM ROS RS416v2 V4.X: All versions
o RUGGEDCOM ROS RS8000 V4.X: All versions
o RUGGEDCOM ROS RS8000A V4.X: All versions
o RUGGEDCOM ROS RS8000H V4.X: All versions
o RUGGEDCOM ROS RS8000T V4.X: All versions
o RUGGEDCOM ROS RS900 (32M) V4.X: All versions
o RUGGEDCOM ROS RS900 V4.X: All versions
o RUGGEDCOM ROS RS900G (32M) V4.X: All versions
o RUGGEDCOM ROS RS900G V4.X: All versions
o RUGGEDCOM ROS RS900GP V4.X: All versions
o RUGGEDCOM ROS RS900L V4.X: All versions
o RUGGEDCOM ROS RS900M V4.X: All versions
o RUGGEDCOM ROS RS900W V4.X: All versions
o RUGGEDCOM ROS RS910 V4.X: All versions
o RUGGEDCOM ROS RS910L V4.X: All versions
o RUGGEDCOM ROS RS910W V4.X: All versions
o RUGGEDCOM ROS RS920L V4.X: All versions
o RUGGEDCOM ROS RS920W V4.X: All versions
o RUGGEDCOM ROS RS930L V4.X: All versions
o RUGGEDCOM ROS RS930W V4.X: All versions
o RUGGEDCOM ROS RS940G V4.X: All versions
o RUGGEDCOM ROS RSG2100 (32M) V4.X: All versions
o RUGGEDCOM ROS RSG2100 V4.X: All versions
o RUGGEDCOM ROS RSG2100P V4.X: All versions
o RUGGEDCOM ROS RSG2200 V4.X: All versions
o RUGGEDCOM ROS RSG2288 V4.X: All versions
o RUGGEDCOM ROS RSG2300 V4.X: All versions
o RUGGEDCOM ROS RSG2300P V4.X: All versions
o RUGGEDCOM ROS RSG2488 V4.X: All versions
o RUGGEDCOM ROS RSG920P V4.X: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
Affected Siemens RUGGEDCOM ROS devices improperly handle partial HTTP requests,
which makes them vulnerable to slowloris attacks. This could allow a remote
attacker to create a denial-of-service condition that persists until the attack
ends.
CVE-2022-39158 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
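Whether an HTTP endpoint is exposed to this class of denial of service can be checked with a single partial request: open a connection, send headers without the terminating blank line, and see whether the server frees the connection on its own. The added example below, written for this bulletin and not Siemens' code or a RUGGEDCOM-specific probe, models both behaviours in-process: a one-shot HTTP listener that waits indefinitely for the rest of a request (the CWE-400 pattern slowloris exploits) beside one with a header-read timeout, and a probe that reports which of the two it is talking to. The host name in the request, the timeouts and the partial request itself are constructed for the demonstration.

```python
import socket
import threading

# Constructed partial request: headers that never end with the blank line
# the server is waiting for. A slowloris client holds many of these open.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: ros-switch\r\nX-Keep: 1\r\n"


def serve_one(listener, header_timeout):
    """Accept one connection and read until the request headers are complete.
    header_timeout=None models the vulnerable behaviour (wait indefinitely for
    the rest of a partial request); a finite timeout frees the connection."""
    conn, _ = listener.accept()
    conn.settimeout(header_timeout)
    try:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:  # client went away
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    except socket.timeout:
        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
    except OSError:
        pass
    finally:
        conn.close()


def probe(port, wait):
    """Send a partial request and wait up to `wait` seconds for the server to
    give up on it. Returns 'held' if the connection is still open at the
    deadline, otherwise the server's reaction ('408' or 'closed')."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.settimeout(wait)
        try:
            s.sendall(PARTIAL_REQUEST)
            data = s.recv(1024)
        except socket.timeout:
            return "held"
        except OSError:
            return "closed"
    if data.startswith(b"HTTP/1.1 408"):
        return "408"
    return "closed"


def run_probe(header_timeout, wait=2.0):
    """Start a one-shot listener with the given header timeout on an
    ephemeral loopback port and probe it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listener, header_timeout),
                         daemon=True)
    t.start()
    try:
        return probe(port, wait)
    finally:
        t.join(wait)
        listener.close()
```

A result of 'held' is the condition the advisory describes: one idle connection per client slot, and the pool is exhausted by as many clients as there are slots. The header timeout in serve_one shows what a server-side fix looks like; the advisory's mitigation of limiting 80/TCP and 443/TCP to trusted addresses is the equivalent control at the network edge when the device's own server cannot be changed.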
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens identified the following specific workarounds and mitigations users can
apply to reduce risk:
o Deactivate the webserver if not required and if deactivation is supported
by the product.
o Restrict access to ports 80/TCP and 443/TCP to trusted IP addresses only.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. In order to operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security, and to
follow the recommendations in the product manuals.
Siemens provides additional information on industrial security on the Siemens
website.
For further inquiries on security vulnerabilities in Siemens' products and
solutions, users should contact Siemens ProductCERT.
For more information see the associated Siemens security advisory SSA-787941 in
HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploits specifically target this vulnerability. It is
exploitable remotely and has a low attack complexity.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5797 - [Appliance] Omron NJ/NX-series Controllers and Software: CVSS (Max): 9.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5797
ICS Advisory (ICSA-22-314-08) Omron NJ/NX-series Machine
Automation Controllers
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Omron NJ/NX-series Controllers and Software
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-34151 CVE-2022-33208
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-08
Comment: CVSS (Max): 9.4 CVE-2022-34151 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-08)
Omron NJ/NX-series Machine Automation Controllers
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 9.4
o ATTENTION: Exploitable remotely/low attack complexity/public exploits are
available
o Vendor: Omron
o Equipment: NJ/NX-series Controllers and Software
o Vulnerabilities: Hard-coded Credentials, Authentication Bypass by
Capture-replay
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow an attacker to
bypass authentication during the communications connection process and log in
to and operate the controller products without authorization.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of NJ/NX-series, a machine automation controller, are
affected:
o NX7-series Machine Automation Controller (All Models): Versions 1.28 and
prior
o NX1-series Machine Automation Controller (All Models): Versions 1.48 and
prior
o NJ-series Machine Automation Controller (All Models): Versions 1.48 and
prior
o Automation Software Sysmac Studio (All Models): Versions 1.49 and prior
o NA-series Programmable Terminal (NA5-15W, NA5-12W, NA5-9W, NA5-7W): Runtime
versions 1.15 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798
A use of hard-coded credentials vulnerability exists in machine automation
controller NJ series models v1.48 and earlier, machine automation controller
NX7 series models v1.28 and earlier, machine automation controller NX1 series
models v1.48 and earlier, automation software Sysmac Studio models v1.49 and
earlier, and programmable terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W
models with runtime v1.15 and earlier. A remote attacker who obtains the
credentials by analyzing an affected product may use them to access the
controller.
CVE-2022-34151 has been assigned to this vulnerability. A CVSS v3 base score of
9.4 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294
An attacker who can capture and analyze communication between an affected
controller and either the Sysmac Studio automation software or a programmable
terminal (PT) can obtain sensitive information that allows the attacker to
bypass authentication and access the controller.
CVE-2022-33208 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
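Both findings come down to what an eavesdropper on the controller link can reuse. The added example below is a generic model written for this bulletin, not Omron's protocol or code: a login that sends the same proof every session can be replayed verbatim from a capture (CWE-294); a server-issued, single-use nonce defeats that replay; and a challenge-response scheme still falls if the shared secret is the same on every unit and has been pulled out of the firmware (CWE-798). The secret value and the message formats are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed secret for the model. It stands in for a credential baked into
# every unit (the hard-coded case); it is not an Omron value.
FIRMWARE_SECRET = b"same-on-every-unit"


class StaticLoginController:
    """Handshake in which the client sends the same proof every session, so
    nothing distinguishes a fresh login from a replayed capture."""

    def __init__(self, secret):
        self._expected = hashlib.sha256(secret).digest()

    def login(self, proof):
        return hmac.compare_digest(proof, self._expected)


class ChallengeResponseController:
    """The server issues a fresh random nonce per session and the client must
    prove knowledge of the secret over that nonce. A captured (nonce, proof)
    pair is useless later because a nonce is never accepted twice."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce, proof):
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # single use
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def static_proof(secret):
    """What the client of the static scheme puts on the wire."""
    return hashlib.sha256(secret).digest()


def respond(secret, nonce):
    """What the client of the challenge-response scheme puts on the wire."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def scenario():
    """Play out the exchanges: a legitimate session, an eavesdropper replaying
    it, an attacker without the secret, and one who extracted the secret."""
    results = {}

    # 1. Static proof: capture once, replay forever (CWE-294).
    ctrl = StaticLoginController(FIRMWARE_SECRET)
    captured = static_proof(FIRMWARE_SECRET)            # observed on the wire
    results["static_legit"] = ctrl.login(captured)
    results["static_replay"] = ctrl.login(captured)     # no secret needed

    # 2. Challenge-response: the captured pair does not carry to a new session.
    ctrl = ChallengeResponseController(FIRMWARE_SECRET)
    nonce = ctrl.challenge()
    proof = respond(FIRMWARE_SECRET, nonce)             # both observed on the wire
    results["cr_legit"] = ctrl.login(nonce, proof)
    results["cr_replay_same_nonce"] = ctrl.login(nonce, proof)
    ctrl.challenge()                                    # a new session begins
    results["cr_replay_old_pair"] = ctrl.login(nonce, proof)

    # 3. Attacker without the secret cannot answer a fresh challenge.
    nonce = ctrl.challenge()
    results["cr_no_key"] = ctrl.login(nonce, respond(b"guess", nonce))

    # 4. Hard-coded secret (CWE-798): nonces do not help once the key is
    #    extracted from any one unit, because every unit shares it.
    nonce = ctrl.challenge()
    results["cr_extracted_key"] = ctrl.login(nonce, respond(FIRMWARE_SECRET, nonce))
    return results
```

Case 4 is why the fix for this advisory is a firmware update rather than a configuration change: a replay-resistant handshake only helps when the secret it proves knowledge of is not itself recoverable from the product.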
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Reid Wightman of Dragos reported these vulnerabilities to CISA.
4. MITIGATIONS
Omron recommends the following:
o NX7-series Machine Automation Controller: Update to version 1.29 or higher
o NX1-series Machine Automation Controller: Update to version 1.50 or higher
o NJ-series Machine Automation Controller (NJ501-1300, NJ501-1400,
NJ501-1500): Update to version 1.49 or higher
o NJ-series Machine Automation Controller (All other models): Update to
version 1.50 or higher
o Automation Software Sysmac Studio: Update to version 1.50 or higher
o NA-series Programmable Terminal: Update to runtime version 1.16 or higher
For information on how to obtain and apply the firmware for the countermeasure
version of the product, contact an Omron sales office or distributor. Users can
update Sysmac Studio to the latest version using the installed Omron
Automation Software AutoUpdate tool.
Omron recommends customers take the following mitigation measures to minimize
the risk of exploitation of these vulnerabilities:
Enable antivirus protection:
o Protect any PC with access to the control system against malware by
ensuring the installation and maintenance of up-to-date commercial grade
antivirus software protection.
Implement security measures to prevent unauthorized access:
o Minimize connection of control systems and equipment to open networks so
that untrusted devices cannot reach them.
o Implement firewalls by shutting down unused communications ports, limiting
communications between hosts, and isolating affected systems from the IT
network.
o Use a virtual private network (VPN) for remote access to control systems
and equipment.
o Use strong passwords and change passwords frequently.
o Install physical controls that only permit authorized personnel access to
control systems and equipment.
o Scan USB drives or similar devices for viruses and malware to ensure the
devices are safe before connecting them to systems and devices.
o When possible, enforce multifactor authentication (MFA) on all devices with
remote access to control systems and equipment.
Protect data input and output:
o Perform process validation, such as backup validation or range checks, to
cope with unintentional modification of input/output data to control
systems and devices.
Use data recovery:
o Conduct periodical data backups and maintenance to prepare for potential
data loss.
For more information, see Omron's advisory OMSR-2022-001.
These vulnerabilities and their countermeasures correspond to those reported in
the CISA ICS Alert: APT Cyber Tools Targeting ICS/SCADA Devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5796 - [Appliance] Omron NJ/NX-series Machine Automation Controllers: CVSS (Max): 8.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5796
ICS Advisory (ICSA-22-314-07) Omron NJ/NX-series Machine
Automation Controllers
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Omron NJ/NX-series Machine Automation Controllers
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-33971
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-07
Comment: CVSS (Max): 8.3 CVE-2022-33971 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-07)
Omron NJ/NX-series Machine Automation Controllers
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 8.3
o ATTENTION: Exploitable remotely, public exploits are available
o Vendor: Omron
o Equipment: NJ/NX-series Machine Automation Controllers
o Vulnerability: Active Debug Code
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to obtain
unauthorized access to the device and cause the device to be in an "out of
service" state or execute a malicious program on the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of the NJ/NX-series Machine Automation Controllers are
affected:
o NX7-series Machine Automation Controller (All Models): Versions 1.28 and
prior
o NX1-series Machine Automation Controller (All Models): Versions 1.48 and
prior
o NJ-series Machine Automation Controller (All Models): Versions 1.48 and
prior
3.2 VULNERABILITY OVERVIEW
3.2.1 ACTIVE DEBUG CODE CWE-489
An attacker who can analyze the communication of the affected product and
perform capture-replay can find unintended entry points into the affected
product and cause a denial-of-service condition or execute a malicious program.
CVE-2022-33971 has been assigned to this vulnerability. A CVSS v3 base score of
8.3 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Reid Wightman of Dragos reported this vulnerability to CISA.
4. MITIGATIONS
Omron recommends updating NJ/NX-series machine automation controllers to the
following versions to address this vulnerability. These updates are available
to users by contacting Omron or their distributors:
o NX7-series Machine Automation Controller (All Models): Versions 1.29 or
higher
o NX1-series Machine Automation Controller (All Models): Versions 1.50 or
higher
o NJ-series Machine Automation Controller (NJ501-1300, NJ501-1400,
NJ501-1500): Versions 1.49 or higher
o NJ-series Machine Automation Controller (All other Models): Versions 1.50
or higher
Omron recommends users take the following mitigation measures to minimize the
risk of exploitation of this vulnerability:
Enable antivirus protection:
o Protect any PC with access to the control system against malware by
ensuring the installation and maintenance of up-to-date commercial grade
antivirus software protection.
Implement security measures to prevent unauthorized access:
o Minimize connection of control systems and equipment to open networks
preventing untrusted devices from accessing them.
o Implement firewalls by shutting down unused communications ports, limiting
communications between hosts, and isolating affected systems from the IT
network.
o Use a virtual private network (VPN) for remote access to control systems
and equipment.
o Use strong passwords and change passwords frequently.
o Install physical controls that only permit authorized personnel access to
control systems and equipment.
o Scan USB drives or similar devices for viruses and malware to ensure the
devices are safe before connecting them to systems and devices.
o When possible, enforce multifactor authentication (MFA) on all devices with
remote access to control systems and equipment.
Protect data input and output:
o Perform process validation, such as backup validation or range checks, to
cope with unintentional modification of input/output data to control
systems and devices.
Use data recovery:
o Conduct periodical data backups and maintenance to prepare for potential
data loss.
For more information see Omron's advisory: OMSR-2022-002
This vulnerability and its countermeasures correspond to those reported in the
CISA ICS Alert: APT Cyber Tools Targeting ICS/SCADA Devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
This vulnerability has a high attack complexity.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.5795 - [Appliance] Siemens SINEC NMS: CVSS (Max): 6.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5795
ICS Advisory (ICSA-22-314-03) Siemens SINEC Network
Management System Logback Component
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SINEC NMS
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-42550
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-03
Comment: CVSS (Max): 6.6 CVE-2021-42550 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-03)
Siemens SINEC Network Management System Logback Component
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 6.6
o ATTENTION: Exploitable remotely
o Vendor: Siemens
o Equipment: SINEC NMS
o Vulnerability: Deserialization of Untrusted Data
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers with write
access to the logback configuration file to execute arbitrary code on the
system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens SINEC NMS, a network management system, are
affected:
o All versions prior to v1.0.3
3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
In Siemens SINEC NMS logback version 1.2.7 and prior, an attacker with the
required privileges to edit configuration files could craft malicious packages
allowing the execution of arbitrary code loaded from LDAP servers.
CVE-2021-42550 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Energy
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens recommends updating to version 1.0.3 or later.
Siemens identified the following workaround and mitigation customers can apply
to reduce risk:
o Restrict the write access to the logback configuration file (logback.xml)
to trusted personnel.
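An audit of a logback.xml covering both the vulnerability description above (code loaded from an LDAP server via a JNDI lookup in the configuration) and the workaround (write access restricted to trusted personnel), as an added Python example that is not Siemens or logback code. The element name insertFromJNDI is logback's JNDI variable-lookup element and is not named in the advisory, so it is stated here as an assumption; the sample configurations and the host untrusted.example are constructed.

```python
"""Audit a logback.xml for the two conditions the SINEC NMS workaround relies on
(added example; not Siemens or logback code).

Check 1: the file is writable only by its owner, i.e. the 'restrict write
access to trusted personnel' workaround made testable.
Check 2: the configuration contains no JNDI lookup or LDAP/RMI reference, the
route by which the advisory says code could be loaded from an LDAP server.
Assumption: insertFromJNDI is logback's JNDI variable-lookup element (the
advisory does not name it). All sample configurations are constructed.
"""
from __future__ import annotations

import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

JNDI_ELEMENTS = {"insertFromJNDI"}
REMOTE_SCHEMES = ("ldap:", "ldaps:", "rmi:", "jndi:")

# Constructed: an ordinary file-appender configuration with no remote lookups.
SAFE_CONFIG = """<configuration>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>/var/log/sinec-nms/app.log</file>
    <encoder><pattern>%d %-5level %logger{36} - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="FILE"/></root>
</configuration>
"""

# Constructed: the same file after an unauthorised edit adds a JNDI lookup that
# points at an external LDAP server (hostname is a placeholder).
TAMPERED_CONFIG = SAFE_CONFIG.replace(
    "<configuration>",
    '<configuration>\n  <insertFromJNDI env-entry-name="ldap://untrusted.example/cfg" as="cfg"/>',
)


def find_jndi_usage(xml_text: str) -> list[str]:
    """Return one finding per JNDI element or remote-lookup URL in the config."""
    findings: list[str] = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # strip any XML namespace
        if tag in JNDI_ELEMENTS:
            findings.append(f"<{tag}> element present: {dict(elem.attrib)}")
        for attr, value in elem.attrib.items():
            if value.strip().lower().startswith(REMOTE_SCHEMES):
                findings.append(f"<{tag} {attr}> references {value.strip()}")
        text = (elem.text or "").strip()
        if text.lower().startswith(REMOTE_SCHEMES):
            findings.append(f"<{tag}> text references {text}")
    return findings


def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set on the file."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_logback(path: Path) -> list[str]:
    """Permission check plus content check for one configuration file."""
    findings: list[str] = []
    if writable_by_others(path):
        findings.append(
            f"{path.name} is group- or world-writable "
            f"({stat.filemode(path.stat().st_mode)}); restrict to the owner")
    findings.extend(find_jndi_usage(path.read_text()))
    return findings


def write_sample(xml_text: str, mode: int) -> Path:
    """Write a constructed sample to a temp file with the given permission bits."""
    fd, name = tempfile.mkstemp(suffix="-logback.xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(xml_text)
    os.chmod(name, mode)
    return Path(name)


if __name__ == "__main__":
    for label, text, mode in (("safe", SAFE_CONFIG, 0o640),
                              ("tampered", TAMPERED_CONFIG, 0o666)):
        path = write_sample(text, mode)
        print(label, audit_logback(path) or ["no findings"])
        path.unlink()
```

A legitimate `java:`-scoped lookup is flagged too; on an unpatched 1.2.7 install any JNDI element in the file is worth a review, not only one that names an LDAP host.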
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. In order to operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.
For more information, see Siemens Security Advisory SSA-371761 in HTML or CSAF.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploits specifically target this vulnerability. This
vulnerability has a high attack complexity.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5794 - [Appliance] SIMATIC Industrial Controllers and Software: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5794
ICS Advisory (ICSA-22-314-02) Siemens Web Server Login Page
of Industrial Controllers
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SIMATIC Industrial Controllers and Software
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30694
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-02
Comment: CVSS (Max): 6.5 CVE-2022-30694 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-314-02)
Siemens Web Server Login Page of Industrial Controllers
Original release date: November 10, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 6.5
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SIMATIC Industrial Controllers and Software
o Vulnerability: Cross-Site Request Forgery (CSRF)
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to track
the activity of other users.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The web server login pages of the following Siemens devices are affected:
o SIMATIC Drive Controller family: All versions.
o SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): All versions
prior to V3.2.19.
o SIMATIC ET 200pro IM154-8F PN/DP CPU (6ES7154-8FB01-0AB0): All versions
prior to V3.2.19.
o SIMATIC ET 200pro IM154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): All versions
prior to V3.2.19.
o SIMATIC ET 200S IM151-8 PN/DP CPU (6ES7151-8AB01-0AB0): All versions prior
to V3.2.19.
o SIMATIC ET 200S IM151-8F PN/DP CPU (6ES7151-8FB01-0AB0): All versions prior
to V3.2.19.
o SIMATIC PC Station: All versions V2.1 and later.
o SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): All versions prior to
V3.3.19.
o SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): All versions prior
to V3.2.19.
o SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): All versions prior to
V3.2.19.
o SIMATIC S7-400 PN/DP V6 CPU family (incl. SIPLUS variants): All versions.
o SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants): All versions.
o SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All versions.
o SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants):
All versions.
o SIMATIC S7-1500 Software Controller: All versions.
o SIMATIC S7-PLCSIM Advanced: All versions.
o SIMATIC WinCC Runtime Advanced: All versions.
o SINUMERIK ONE: All versions.
o SIPLUS ET 200S IM151-8 PN/DP CPU (6AG1151-8AB01-7AB0): All versions prior
to V3.2.19.
o SIPLUS ET 200S IM151-8F PN/DP CPU (6AG1151-8FB01-2AB0): All versions prior
to V3.2.19.
o SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): All versions prior to
V3.3.19.
o SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): All versions prior to
V3.2.19.
o SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): All versions prior to
V3.2.19.
o SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): All versions prior to
V3.2.19.
o SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): All versions prior to
V3.2.19.
3.2 VULNERABILITY OVERVIEW
3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The login endpoint /FormLogin in affected web services does not apply proper
origin checking. This could allow authenticated remote attackers to track the
activities of other users via a login cross-site request forgery attack.
CVE-2022-30694 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
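The origin check that the advisory says /FormLogin lacks, as an added Python example that is not Siemens code: a simulated form-login handler is shown with the check disabled (the weakness class described) and enabled (the hardened behaviour). The hostnames plc.example and evil.example and the demo credential are constructed.

```python
"""Origin check for a form-login endpoint (added example, not Siemens code).

Models the control the advisory says /FormLogin lacks: a login POST is accepted
only when the browser-supplied Origin header (or, when absent, Referer) names
this site. All hostnames, paths and credentials below are constructed samples.
"""
from __future__ import annotations

import hmac
from urllib.parse import urlsplit

# Constructed demo credential store; a real controller checks its own user DB.
DEMO_USERS = {"operator": "correct horse battery staple"}


def origin_of(url: str) -> str | None:
    """Reduce a URL to its scheme://host[:port] origin; None if not a web URL.

    'null' (sent for sandboxed or opaque origins) and bare hostnames have no
    http(s) scheme and therefore normalise to None, i.e. untrusted.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    default = 443 if parts.scheme == "https" else 80
    origin = f"{parts.scheme}://{parts.hostname}"
    return origin if port in (None, default) else f"{origin}:{port}"


def origin_check(headers: dict[str, str], self_origin: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a state-changing request such as a login.

    Fail-closed policy:
      1. Origin present  -> must equal self_origin exactly.
      2. Origin absent   -> Referer is checked the same way.
      3. Neither present -> reject. Browsers attach Origin to cross-site form
         POSTs, so a missing header is no evidence the request is same-site.
    """
    expected = origin_of(self_origin)
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        if name in lower:
            got = origin_of(lower[name])
            if got is None:
                return False, f"{name} header is not a parsable http(s) origin"
            if got != expected:
                return False, f"{name} {got} does not match {expected}"
            return True, f"{name} matches {expected}"
    return False, "neither Origin nor Referer present"


def form_login(headers: dict[str, str], form: dict[str, str],
               self_origin: str, enforce_origin: bool = True) -> tuple[int, str]:
    """Simulated POST /FormLogin handler returning (HTTP status, message).

    enforce_origin=False reproduces the weakness class in the advisory (no
    origin check); True is the hardened behaviour.
    """
    if enforce_origin:
        ok, reason = origin_check(headers, self_origin)
        if not ok:
            # Reject before touching credentials: a page on another site can
            # then neither log the victim in as a user of its choosing nor
            # learn anything from the response. This is what stops login CSRF.
            return 403, f"rejected: {reason}"
    user = form.get("user", "")
    password = form.get("password", "")
    expected = DEMO_USERS.get(user, "")
    # Constant-time compare avoids leaking password length or prefix.
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return 303, f"logged in as {user}; redirect to /"
    return 401, "invalid credentials"


if __name__ == "__main__":
    site = "https://plc.example"
    # Constructed: a form POST auto-submitted from a page on another site.
    cross_site = {"Origin": "https://evil.example", "Host": "plc.example"}
    same_site = {"Origin": "https://plc.example:443", "Host": "plc.example"}
    creds = {"user": "operator", "password": "correct horse battery staple"}
    print(form_login(cross_site, creds, site, enforce_origin=False))  # weak: 303
    print(form_login(cross_site, creds, site))                        # hardened: 403
    print(form_login(same_site, creds, site))                         # 303
```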
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
K Narahari from Sectrio reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens has released updates for the following products and recommends updating
to the latest versions:
o SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): Update to V3.2.19
or later.
o SIMATIC ET 200pro IM154-8F PN/DP CPU (6ES7154-8FB01-0AB0): Update to
V3.2.19 or later.
o SIMATIC ET 200pro IM154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): Update to
V3.2.19 or later.
o SIMATIC ET 200S IM151-8 PN/DP CPU (6ES7151-8AB01-0AB0): Update to V3.2.19
or later.
o SIMATIC ET 200S IM151-8F PN/DP CPU (6ES7151-8FB01-0AB0): Update to V3.2.19
or later.
o SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): Update to V3.3.19 or
later.
o SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): Update to V3.2.19 or
later.
o SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): Update to V3.2.19 or
later.
o SIPLUS ET 200S IM151-8 PN/DP CPU (6AG1151-8AB01-7AB0): Update to V3.2.19 or
later.
o SIPLUS ET 200S IM151-8F PN/DP CPU (6AG1151-8FB01-2AB0): Update to V3.2.19
or later.
o SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): Update to V3.3.19 or
later.
o SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): Update to V3.2.19 or
later.
o SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): Update to V3.2.19 or
later.
o SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): Update to V3.2.19 or
later.
o SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): Update to V3.2.19 or
later.
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:
o Do not access the product's web service via URLs coming from untrusted
sources.
o Disable the web server if possible.
o SIMATIC PC Station (Specifically): Disable the web server. Note that this
feature is disabled by default.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' Operational Guidelines for Industrial Security and following
recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage.
For further inquiries on security vulnerabilities in Siemens products and
solutions, users should contact Siemens ProductCERT.
For more information see Siemens Security Advisory SSA-478960 in HTML or CSAF.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5477.5 - UPDATE [Appliance] F5 Products: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5477.5
K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 Products
Publisher: F5 Networks
Operating System: Network Appliance
Resolution: None
CVE Names: CVE-2022-3786 CVE-2022-3602
Original Bulletin:
https://support.f5.com/csp/article/K44030142
Comment: CVSS (Max): 7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Revision History: November 11 2022: Updated Subject to include CVSS Score
November 10 2022: F5 updated severity of the vulnerability
November 3 2022: Vendor updated bulletin
November 2 2022: F5 updated advisory with CVE details and product vulnerability details
November 1 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602
Original Publication Date: 29 Oct, 2022
Latest Publication Date: 10 Nov, 2022
Security Advisory Description
o CVE-2022-3786
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to have
signed a malicious certificate or for an application to continue
certificate verification despite failure to construct a path to a trusted
issuer. An attacker can craft a malicious email address in a certificate to
overflow an arbitrary number of bytes containing the `.' character (decimal
46) on the stack. This buffer overflow could result in a crash (causing a
denial of service).
o CVE-2022-3602
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to have
signed the malicious certificate or for the application to continue
certificate verification despite failure to construct a path to a trusted
issuer. An attacker can craft a malicious email address to overflow four
attacker-controlled bytes on the stack. This buffer overflow could result
in a crash (causing a denial of service) or potentially remote code
execution.
Note: For more details about CVE-2022-3786 and CVE-2022-3602, refer to OpenSSL
Security Advisory [01 November 2022].
Impact
For products with None in the Versions known to be vulnerable column, there is
no impact.
For products with ** in the various columns, F5 will update this article after
confirming the required information. F5 Support has no additional information
about this issue.
Security Advisory Status
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following tables. You can
also use iHealth to diagnose a vulnerability for BIG-IP and BIG-IQ systems. For
more information about using iHealth, refer to K27404821: Using F5 iHealth to
diagnose vulnerabilities. For more information about security advisory
versioning, refer to K51812227: Understanding security advisory versioning.
In this section
o BIG-IP and BIG-IQ
o F5OS
o NGINX
o Other products
BIG-IP and BIG-IQ
BIG-IP is Not vulnerable because OpenSSL 3.x is not included in BIG-IP
releases. To see the OpenSSL versions that run on BIG-IP systems, refer to
K11398383: BIG-IP third-party software matrix. If the preceding article does
not apply to your version, follow the links in the article to the third-party
software article for your BIG-IP release.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning.
+------------+------+--------------+----------+----------+------+-------------+
| | |Versions known|Fixes | |CVSSv3|Vulnerable |
|Product |Branch|to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+------------+------+--------------+----------+----------+------+-------------+
|BIG-IP (all |All |None |Not |Not |None |None |
|modules) | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|BIG-IP SPK |1.x |** |** |** |** |** |
+------------+------+--------------+----------+----------+------+-------------+
|BIG-IQ | | |Not |Not | | |
|Centralized |All |None |applicable|vulnerable|None |None |
|Management | | | | | | |
+------------+------+--------------+----------+----------+------+-------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle. For more information, refer
to the Security hotfixes section of K4602: Overview of the F5 security
vulnerability response policy.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
**Confirmation of vulnerability or non-vulnerability is not presently
available. F5 will update this article with the most current information as
soon as it has been confirmed. F5 Support has no additional information on this
issue.
F5OS
+-------+------+----------------+----------+----------+-------+---------------+
| | |Versions known |Fixes | |CVSSv3 |Vulnerable |
|Product|Branch|to be vulnerable|introduced|Severity |score^2|component or |
| | |^1 |in | | |feature |
+-------+------+----------------+----------+----------+-------+---------------+
|F5OS-A |All |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------+------+----------------+----------+----------+-------+---------------+
|F5OS-C |All |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------+------+----------------+----------+----------+-------+---------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle. For more information, refer
to the Security hotfixes section of K4602: Overview of the F5 security
vulnerability response policy.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
NGINX
+---------+------+---------------+----------+----------+------+---------------+
| | |Versions known |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+---------+------+---------------+----------+----------+------+---------------+
|NGINX | | |Not |Not | | |
|(all |All |None |applicable|vulnerable|None |None |
|products)| | | | | | |
+---------+------+---------------+----------+----------+------+---------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle. For more information, refer
to the Security hotfixes section of K4602: Overview of the F5 security
vulnerability response policy.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Other products
+-------+------+----------------+----------+----------+-------+---------------+
| | |Versions known |Fixes | |CVSSv3 |Vulnerable |
|Product|Branch|to be vulnerable|introduced|Severity |score^2|component or |
| | |^1 |in | | |feature |
+-------+------+----------------+----------+----------+-------+---------------+
|Traffix|All |None |Not |Not |None |None |
|SDC | | |applicable|vulnerable| | |
+-------+------+----------------+----------+----------+-------+---------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle. For more information, refer
to the Security hotfixes section of K4602: Overview of the F5 security
vulnerability response policy.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Supplemental Information
o K41942608: Overview of security advisory articles
o K12201527: Overview of Quarterly Security Notifications
o K51812227: Understanding security advisory versioning
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 product support policies
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY23ruMkNZI30y1K9AQjmCg//Zi7+XR3Gha6sb4CdhSpK0pGSc24XfOxe
R5SEMf6asmIXINgW0c05FGbcLxejN0T0TTbIEURYhZY/i/hds2mLKsXAU/6Rp255
LelwGyyPo95P4QWynkSv9EGTjp9vYF0kBS1g0+k/2+hNFlK3Fi/cBnrKETmLCwPD
aP12xWkOo3Qrvc6H2pqk9SKt9iSoWBxi0MktUQhx9eUeNR/xyF1FFvtVGt6zEuZe
Do1OkNarcOddilmJbO2Q/EEgjUs2ucbUoaolHj0Lu5RK74hxKFuqh+fE/F6kiavt
jJSoVq5Wdcye6dq6PGXdty8rJp6R5c0uh4YbhN1FY/632A8bjDJ/ZBiwkW5U9Fyo
GM904wowT/qfjTdP6Yz6cCM5wsTh434fU1yI0BdE2u1L6x3p72/3TkmpTg0jW2V6
YSq22ePtMn9kXP1WgSrgv5gU3geJkBFvwPJkF/PghAgC3TUokiJdD4NnJ7c55uwB
extAAaG/UX9uhHGuxPidIc4MBLuyN0CwUV10TDlN2MyRYU5y8vL0sxzzqDwtc36Z
9IiSgdRN7bBwAAJeIb2zMEe4cK/+ygew7pKfEcW//JDprO+K1fo9jMZVN9X+csZp
7UYr9ZgycIh1j4De/aV0Gt6WaDcI7rT88cS6hS1KvjKjZubvdAFljEpgPkjvT+8i
KcXKLMphqjk=
=Pd50
-----END PGP SIGNATURE-----
ESB-2022.5474.5 - UPDATE [Win][UNIX/Linux][Appliance] Palo Alto Products: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5474.5
PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities
CVE-2022-3786 and CVE-2022-3602
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Palo Alto Products
Publisher: Palo Alto Networks
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Network Appliance
Resolution: None
CVE Names: CVE-2022-3786 CVE-2022-3602
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/PAN-SA-2022-0006
Comment: CVSS (Max): 7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Revision History: November 11 2022: Updated Subject to include CVSS Score
November 10 2022: Vendor updated bulletin: Final Release
November 3 2022: Vendor updated bulletin
November 2 2022: Palo Alto updated advisory with CVE details
November 1 2022: Initial Release
--------------------------BEGIN INCLUDED TEXT--------------------
Subject: Updated Palo Alto bulletin: PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602
From: palo_alto-bulletins@auscert.org.au
Palo Alto Networks Security Advisories / PAN-SA-2022-0006
PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and
CVE-2022-3602
[INFO] Informational
Published 2022-10-31
Updated 2022-11-09
Reference PAN-SA-2022-0006
Discovered externally
Description
On November 1st, 2022, the OpenSSL Project published two high severity
vulnerabilities, CVE-2022-3786 and CVE-2022-3602, that affect OpenSSL versions
3.0.0 through 3.0.6.
The Palo Alto Networks Product Security Assurance team has evaluated and
confirmed that all products and services are not impacted by these
vulnerabilities.
Product Status
+------------------------------------+----------+------------+
| Versions                           | Affected | Unaffected |
+------------------------------------+----------+------------+
| AutoFocus                          | None     | all        |
| Bridgecrew                         | None     | all        |
| Cloud NGFW                         | None     | all        |
| Cortex Data Lake                   | None     | all        |
| Cortex XDR                         | None     | all        |
| Cortex XDR Agent                   | None     | all        |
| Cortex Xpanse                      | None     | all        |
| Cortex XSOAR                       | None     | all        |
| Enterprise Data Loss Prevention    | None     | all        |
| Exact Data Matching CLI            | None     | all        |
| Expanse                            | None     | all        |
| Expedition Migration Tool          | None     | all        |
| GlobalProtect App                  | None     | all        |
| IoT Security                       | None     | all        |
| Okyo Garde                         | None     | all        |
| Palo Alto Networks App for Splunk  | None     | all        |
| PAN-OS                             | None     | all        |
| Prisma Access                      | None     | all        |
| Prisma Cloud                       | None     | all        |
| Prisma Cloud Compute               | None     | all        |
| Prisma SD-WAN (CloudGenix)         | None     | all        |
| Prisma SD-WAN ION                  | None     | all        |
| SaaS Security                      | None     | all        |
| User-ID Agent                      | None     | all        |
| WildFire Appliance (WF-500)        | None     | all        |
| WildFire Cloud                     | None     | all        |
+------------------------------------+----------+------------+
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue on
any of our products.
Solution
No software updates are required at this time.
NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1
contain an affected version of the OpenSSL 3.0 library but are not impacted.
There are no scenarios in Cortex XDR Broker VM software that enable successful
exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed
from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.
Workarounds and Mitigations
Customers with a Threat Prevention subscription can block known attacks for
CVE-2022-3602 by enabling Threat ID 93212 (Applications and Threats content
update 8638). This mitigation reduces the risk of exploitation from known
exploits.
Frequently Asked Questions
Q. How can I find vulnerable versions of OpenSSL in my environment?
With Prisma Cloud, security teams can prepare to detect and patch
vulnerable systems as soon as the fix is available. Prisma Cloud customers
can apply controls to address this vulnerability across multiple stages in
the application lifecycle, from the code to the cloud.
See https://www.paloaltonetworks.com/blog/prisma-cloud/
prepare-openssl-vulnerability/ for more information.
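The question above is usually answered from inventory data rather than a product console, so here is an added example (not Palo Alto's code, and independent of Prisma Cloud) that classifies `openssl version` banners against the 3.0.0 through 3.0.6 range stated in the description. The host names and banners in SAMPLE_INVENTORY are constructed; the only things taken from the advisory are the two range bounds.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range stated in PAN-SA-2022-0006 for CVE-2022-3786 / CVE-2022-3602.
AFFECTED_LOW = (3, 0, 0)
AFFECTED_HIGH = (3, 0, 6)

# Matches the banner printed by `openssl version` and the "OpenSSL x.y.z" fragment
# many tools embed in their own version output. The optional letter suffix belongs
# to the 1.x naming scheme ("1.1.1q") and is captured only so 1.x banners parse.
OPENSSL_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner; None when the text names no
    OpenSSL at all (LibreSSL, BoringSSL, an empty collection result, ...)."""
    m = OPENSSL_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(text: str) -> Optional[bool]:
    """True for 3.0.0 <= version <= 3.0.6, False for any other OpenSSL release,
    None when the banner could not be classified and needs a manual look."""
    v = openssl_version(text)
    if v is None:
        return None
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


# Constructed sample: host -> banner an inventory agent collected. Not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    "broker-vm": "OpenSSL 3.0.2 15 Mar 2022",
    "bsd-jump": "LibreSSL 3.3.6",
    "k8s-node": "",
}


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts inside the affected range and hosts whose
    banner could not be classified; everything else is outside the range."""
    affected, unknown = [], []
    for host, banner in inventory.items():
        verdict = is_affected(banner)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    in_range, unclassified = triage(SAMPLE_INVENTORY)
    print("in affected range:", in_range)
    print("needs manual review:", unclassified)
```

Keeping the "unknown" bucket separate matters: a host whose banner is empty or names another library is not evidence of being clear, and silently dropping it is how exposed systems fall out of a patch list.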
Timeline
2022-11-09 Investigation is complete
2022-11-03 Cortex XDR Broker VM 17.4.1 is released and removes OpenSSL 3.0 for
security assurance
2022-11-02 A threat prevention signature is now available for CVE-2022-3602
2022-11-01 Updated advisory to reference the CVEs
2022-10-31 Initial publication
(C) 2022 Palo Alto Networks, Inc. All rights reserved.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.3979.3 - UPDATE [Cisco] Cisco Adaptive Security Appliance Software: CVSS (Max): 4.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.3979.3
Cisco Adaptive Security Appliance Software Clientless SSL
VPN Client-Side Request Smuggling Vulnerability
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Adaptive Security Appliance Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Mitigation
CVE Names: CVE-2022-20713
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO
Comment: CVSS (Max): 4.3 CVE-2022-20713 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Revision History: November 11 2022: Updated Subject to include CVSS Score
November 10 2022: Vendor updated bulletin
August 11 2022: Initial Release
--------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Web
Client Services Client-Side Request Smuggling Vulnerability
Priority: Medium
Advisory ID: cisco-sa-asa-webvpn-LOeKsNmO
First Published: 2022 August 10 16:00 GMT
Last Updated: 2022 November 9 16:03 GMT
Version 2.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwa04262
CVE Names: CVE-2022-20713
CWEs: CWE-444
Summary
o A vulnerability in the VPN web client services component of Cisco Adaptive
Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
Software could allow an unauthenticated, remote attacker to conduct
browser-based attacks against users of an affected device.
This vulnerability is due to improper validation of input that is passed to
the VPN web client services component before being returned to the browser
that is in use. An attacker could exploit this vulnerability by persuading
a user to visit a website that is designed to pass malicious requests to a
device that is running Cisco ASA Software or Cisco FTD Software and has web
services endpoints supporting VPN features enabled. A successful exploit
could allow the attacker to reflect malicious input from the affected
device to the browser that is in use and conduct browser-based attacks,
including cross-site scripting attacks. The attacker could not directly
impact the affected device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if
they were running a vulnerable release of the following Cisco software:
ASA Software with Cisco AnyConnect VPN or Clientless SSL VPN enabled
FTD Software with Cisco AnyConnect VPN enabled
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Determine the ASA Software Configuration
To determine whether the software has a vulnerable feature enabled, use the
show running-config CLI command. In the following table, the left column
lists the Cisco ASA Software features that are vulnerable. The right column
indicates the basic configuration for each feature from the show
running-config CLI command. If a device is running a vulnerable release and
has one of these features enabled, it is vulnerable.
+------------------------------------+--------------------------------------------+
| Cisco ASA Feature                  | Vulnerable Configuration                   |
+------------------------------------+--------------------------------------------+
| AnyConnect Internet Key Exchange   | crypto ikev2 enable client-services port   |
| Version 2 Remote Access (with      |                                            |
| client services)                   |                                            |
+------------------------------------+--------------------------------------------+
| AnyConnect SSL VPN                 | webvpn                                     |
|                                    |  enable                                    |
+------------------------------------+--------------------------------------------+
| Clientless SSL VPN                 | webvpn                                     |
|                                    |  enable                                    |
+------------------------------------+--------------------------------------------+
Determine the FTD Software Configuration
To determine whether the software has a vulnerable feature enabled, use the
show running-config CLI command. In the following table, the left column
lists the Cisco FTD Software features that are vulnerable. The right column
indicates the basic configuration for each feature from the show
running-config CLI command. If a device is running a vulnerable release and
has one of these features enabled, it is vulnerable.
+------------------------------------+--------------------------------------------+
| Cisco FTD Feature                  | Vulnerable Configuration                   |
+------------------------------------+--------------------------------------------+
| AnyConnect Internet Key Exchange   | crypto ikev2 enable client-services port   |
| Version 2 Remote Access (with      |                                            |
| client services) ^1,2              |                                            |
+------------------------------------+--------------------------------------------+
| AnyConnect SSL VPN ^1,2            | webvpn                                     |
|                                    |  enable                                    |
+------------------------------------+--------------------------------------------+
1. Remote Access VPN features were introduced in Cisco FTD Software Release
6.2.2.
2. Remote Access VPN features are enabled by using Devices > VPN > Remote
Access in Cisco Firepower Management Center (FMC) or by using Device >
Remote Access VPN in Cisco Firepower Device Manager (FDM).
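When there are more than a handful of devices, the configuration check described in the two sections above is easier to run over saved `show running-config` output than by eye. The following is an added example, not a Cisco tool: it collects the lines the feature tables point at (`crypto ikev2 enable <interface> ... client-services port ...` and `enable <interface>` under the top-level `webvpn` block) and reports which table rows are present. IKEv2 remote access without client services is recorded but not reported, because the advisory lists that configuration as not affected. The interface names, hostname and image path in the two sample configs are constructed. Because the advisory says no workaround exists, the result is a list of devices that need the fixed release, not a fix in itself.

```python
import re
from typing import Dict, List

# Top-level IKEv2 enable line; the interface is the first word after "enable",
# anything after it (e.g. "client-services port 443") is the option tail.
IKEV2_ENABLE_RE = re.compile(r"^crypto ikev2 enable\s+(\S+)(.*)$")


def parse_running_config(text: str) -> Dict[str, List[str]]:
    """Walk a `show running-config` dump and collect the lines the advisory's
    feature table points at. Only the top-level `webvpn` block is inspected:
    the `webvpn` under `group-policy ... attributes` is indented and carries
    per-policy settings, not the interface enablement."""
    found = {
        "ikev2_client_services": [],     # crypto ikev2 enable <if> client-services port <n>
        "ikev2_no_client_services": [],  # crypto ikev2 enable <if>
        "webvpn_enabled": [],            # webvpn / enable <if>
    }
    in_webvpn = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a new top-level command
            in_webvpn = line == "webvpn"
            m = IKEV2_ENABLE_RE.match(line)
            if m:
                iface, tail = m.group(1), m.group(2)
                key = "ikev2_client_services" if "client-services" in tail else "ikev2_no_client_services"
                found[key].append(iface)
            continue
        if in_webvpn:
            tokens = line.split()
            if len(tokens) >= 2 and tokens[0] == "enable":
                found["webvpn_enabled"].append(tokens[1])
    return found


def vulnerable_features(found: Dict[str, List[str]]) -> List[str]:
    """Map the collected lines onto the rows of the feature table."""
    rows = []
    if found["ikev2_client_services"]:
        rows.append("AnyConnect IKEv2 Remote Access (with client services)")
    if found["webvpn_enabled"]:
        # `webvpn` + `enable <if>` is the shared configuration behind both the
        # AnyConnect SSL VPN and the Clientless SSL VPN rows.
        rows.append("AnyConnect SSL VPN / Clientless SSL VPN (webvpn enabled)")
    return rows


# Constructed running-config excerpt; interface names and the image path are made up.
SAMPLE_CONFIG = """\
hostname asa-lab
!
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
!
group-policy GP-RA attributes
 webvpn
  anyconnect keep-installer installed
"""

# Same constructed device with webvpn not enabled and IKEv2 without client services.
SAMPLE_CONFIG_NO_LISTED_FEATURES = """\
hostname asa-lab
!
crypto ikev2 enable outside
!
group-policy GP-RA attributes
 webvpn
  anyconnect keep-installer installed
"""


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("no listed features", SAMPLE_CONFIG_NO_LISTED_FEATURES)):
        print(name, "->", vulnerable_features(parse_running_config(cfg)) or ["none of the listed features enabled"])
```

The same syntax appears in FTD running configurations, so the parser applies to both tables; on FTD the settings are made through FMC or FDM as footnote 2 describes, but the resulting lines are what the check reads.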
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that devices with remote access VPN services that are
configured to accept only AnyConnect Internet Key Exchange Version 2 Remote
Access VPN with client services disabled are not affected by this
vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
For information about fixed software releases, see the Details section in
the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerability described
in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerability that
is described in this advisory.
Source
o Cisco would like to thank James Kettle of Portswigger.net for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO
Revision History
o +---------+-----------------------+----------------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+-----------------------+----------------+--------+-------------+
| | Added FTD Software as | Title, | | |
| | an affected product. | Summary, | | |
| | Updated the affected | Vulnerable | | |
| | VPN component. | Products, | | |
| 2.0 | Clarified affected | Products | Final | 2022-NOV-09 |
| | software | Confirmed Not | | |
| | configurations. | Vulnerable, | | |
| | Removed the | and | | |
| | mitigation because it | Workarounds | | |
| | no longer applies. | | | |
+---------+-----------------------+----------------+--------+-------------+
| 1.0 | Initial public | - | Final | 2022-AUG-10 |
| | release. | | | |
+---------+-----------------------+----------------+--------+-------------+
--------------------------END INCLUDED TEXT--------------------
ESB-2022.3950.2 - UPDATE [Win][Mac] Intel Hardware Accelerated Execution Manager (HAXM): CVSS (Max): 8.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.3950.2
Intel HAXM Advisory
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Intel Hardware Accelerated Execution Manager (HAXM)
Publisher: Intel
Operating System: Windows
macOS
Resolution: Patch/Upgrade
CVE Names: CVE-2022-21812
Original Bulletin:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00655.html
Revision History: November 11 2022: Vendor Update
August 10 2022: Initial Release
--------------------------BEGIN INCLUDED TEXT--------------------
Intel ID: INTEL-SA-00655
Advisory Category: Software
Impact of vulnerability: Escalation of Privilege
Severity rating: HIGH
Original release: 08/09/2022
Last revised: 10/31/2022
Summary:
A potential security vulnerability in the Intel Hardware Accelerated Execution
Manager (HAXM) software may allow escalation of privilege. Intel is releasing
software updates to mitigate this potential vulnerability.
Vulnerability Details:
CVEID: CVE-2022-21812
Description: Improper access control in the Intel(R) HAXM software before
version 7.7.1 may allow an authenticated user to potentially enable escalation
of privilege via local access.
CVSS Base Score: 8.8 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:
Intel HAXM software before version 7.7.1.
Recommendation:
Intel recommends updating Intel HAXM software to version 7.7.1 or later.
Updates are available for download at this location: https://github.com/intel/
haxm/releases
Acknowledgements:
Intel would like to thank SaifAllah benMassaoud for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.
Revision History
+----------+------------+-------------------------+
| Revision | Date       | Description             |
+----------+------------+-------------------------+
| 1.0      | 08/09/2022 | Initial Release         |
| 1.1      | 10/31/2022 | Updated Acknowledgement |
+----------+------------+-------------------------+
--------------------------END INCLUDED TEXT--------------------
ESB-2022.2922.2 - UPDATE [Win][UNIX/Linux] Intel Processors: CVSS (Max): 6.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2922.2
Intel Processors MMIO Stale Data Advisory
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Intel Processors
Publisher: Intel
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-21166 CVE-2022-21127 CVE-2022-21125
CVE-2022-21123
Original Bulletin:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
Revision History: November 11 2022: Vendor Update
June 15 2022: Initial Release
--------------------------BEGIN INCLUDED TEXT--------------------
Intel ID: INTEL-SA-00615
Advisory Category: Hardware
Impact of vulnerability: Information Disclosure
Severity rating: MEDIUM
Original release: 06/14/2022
Last revised: 10/19/2022
Summary:
Potential security vulnerabilities in Memory Mapped I/O (MMIO) for some Intel
Processors may allow information disclosure. Intel is releasing firmware
updates to mitigate these potential vulnerabilities.
Vulnerability Details:
CVEID: CVE-2022-21123
Description: Incomplete cleanup of multi-core shared buffers for some Intel
Processors may allow an authenticated user to potentially enable information
disclosure via local access.
CVSS Base Score: 6.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVEID: CVE-2022-21125
Description: Incomplete cleanup of microarchitectural fill buffers on some
Intel Processors may allow an authenticated user to potentially enable
information disclosure via local access.
CVSS Base Score: 5.6 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVEID: CVE-2022-21127
Description: Incomplete cleanup in specific special register read operations
for some Intel Processors may allow an authenticated user to potentially enable
information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEID: CVE-2022-21166
Description: Incomplete cleanup in specific special register write operations
for some Intel Processors may allow an authenticated user to potentially enable
information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
Some Intel Processors, see full list:
https://www.intel.com/content/www/us/en/developer/topic-technology/
software-security-guidance/
processors-affected-consolidated-product-cpu-model.html
Recommendations:
Intel recommends that users of the affected Intel Processors update to the
latest version provided by the system manufacturer that addresses these issues.
Intel SGX PSW for Windows to version 2.16.100.3 or later:
https://registrationcenter.intel.com/en/products/download/3406/
Intel SGX SDK for Windows to version 2.16.100.3 or later:
https://registrationcenter.intel.com/en/products/download/3407/
Intel SGX DCAP for Windows to version 1.14.100.3 or later:
https://registrationcenter.intel.com/en/products/download/3610/
Intel SGX PSW for Linux to version 2.17.100.3 or later:
https://01.org/intel-software-guard-extensions/downloads
Intel SGX SDK for Linux to version 2.17.100.3 or later:
https://01.org/intel-software-guard-extensions/downloads
Intel SGX DCAP for Linux to version 1.14.100.3 or later:
https://01.org/intel-software-guard-extensions/downloads
To address this issue, an Intel SGX TCB Recovery is planned. Details can be
found here.
Refer to Intel SGX Attestation Technical Details for more information on the
Intel SGX TCB recovery process.
Further TCB Recovery Guidance for developers is available.
Acknowledgements:
The following issues were found internally by Intel employees. Intel would like
to thank Ke Sun, Alan Miller, Shlomi Alkalay, Robert Jones and Ezra Caltum for
reporting CVE-2022-21123, CVE-2022-21125, CVE-2022-21127 and CVE-2022-21166;
Jason Kilman for reporting CVE-2022-21123 and CVE-2022-21127; and Scott Cape and
Anthony Wojciechowski for reporting CVE-2022-21127.
Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.
Revision History
Revision Date Description
1.0 06/14/2022 Initial Release
1.1 06/27/2022 Updated recommendations
1.2 10/19/2022 Updated SGX TCB Recovery plan Link
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.2327.4 - UPDATE [Win][UNIX/Linux] Intel Processors:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2327.4
3rd Generation Intel Xeon Scalable Processors Advisory
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Intel Processors
Publisher: Intel
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2021-33117
Original Bulletin:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00586.html
Revision History: November 11 2022: Vendor Update
June 14 2022: Updated recommendations
May 12 2022: Vendor updated recommendations
May 12 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Intel ID: INTEL-SA-00586
Advisory Category: Firmware
Impact of vulnerability : Information Disclosure
Severity rating : MEDIUM
Original release: 05/10/2022
Last revised: 10/19/2022
Summary:
A potential security vulnerability in some 3rd Generation Intel Xeon Scalable
Processors may allow information disclosure. Intel is releasing firmware
updates to mitigate this potential vulnerability.
Vulnerability Details:
CVEID: CVE-2021-33117
Description: Improper access control for some 3rd Generation Intel(R) Xeon(R)
Scalable Processors before BIOS version MR7, may allow a local attacker to
potentially enable information disclosure via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
+-----------------------------------------+----------+---------------+-------------+------------+
|Product Family |Processor |Vertical |CPU ID |Platform ID |
| | |Segment | | |
+-----------------------------------------+----------+---------------+-------------+------------+
|3rd Generation Intel Xeon Scalable       |06_6AH    |Server         |606AX        |0x87        |
|Processors | | | | |
+-----------------------------------------+----------+---------------+-------------+------------+
Recommendations:
Intel recommends updating affected 3rd Generation Intel Xeon Scalable
Processors to BIOS version MR7 or later. Intel also recommends enabling the
BIOS technologies that detect unauthorized modification of early boot code.
Alternatively, Intel recommends updating the microcode patch stored in platform
flash at the location designated by the Firmware Interface Table (FIT) entry
type 1. Details on the FIT layout and entry types can be found at:
https://software.intel.com/content/dam/develop/external/us/en/documents/firmware-interface-table-bios-specification-r1p2p1.pdf
Intel is releasing microcode updates, which are available at this GitHub*
repository link:
https://github.com/otcshare/Intel-Generic-Microcode/blob/main/NDA/repository/server/production/m_87_606a6_0d000331.inc
This CVE requires a Microcode Security Version Number (SVN) update. To address
this issue, an Intel SGX TCB Recovery is planned; details are linked from the
Intel advisory at the Original Bulletin URL above.
Refer to Intel SGX Attestation Technical Details for more information on the
Intel SGX TCB recovery process.
Further TCB Recovery Guidance for developers is also available from Intel.
Acknowledgements:
This issue was found internally by Intel employees.
Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.
Revision History
Revision Date Description
1.0 05/10/2022 Initial Release
1.1 05/11/2022 Updated recommendations
1.2 06/13/2022 Updated recommendations
1.3 06/27/2022 Updated recommendations
1.4 10/19/2022 Updated SGX TCB Recovery plan Link
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.2288.3 - UPDATE [Win][UNIX/Linux] Intel Processors: CVSS (Max): 4.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2288.3
IPU - Intel SGX Advisory
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Intel Processors
Publisher: Intel
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0005
Original Bulletin:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00614.html
Comment: CVSS (Max): 4.9 CVE-2022-0005 (CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
CVSS Source: Intel
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Revision History: November 11 2022: Vendor Update
June 14 2022: Updated recommendations
May 12 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Intel ID: INTEL-SA-00614
Advisory Category: Hardware
Impact of vulnerability : Information Disclosure
Severity rating : MEDIUM
Original release: 05/10/2022
Last revised: 10/19/2022
Summary:
A potential security vulnerability in the Intel Software Guard Extensions (SGX)
Platform may allow information disclosure. Intel is releasing firmware updates
to mitigate this potential vulnerability.
Vulnerability Details:
CVEID: CVE-2022-0005
Description: Sensitive information accessible by physical probing of the JTAG
interface on some Intel(R) Processors with SGX may allow an unprivileged user
to potentially enable information disclosure via physical access.
CVSS Base Score: 4.9 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected Products:
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|Product Family                                       |Segment                              |Processor      |Stepping    |CPUID       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|6th Generation Intel Core Processor Family           |Mobile                               |06_4EH         |3           |406E3       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|1. Intel Xeon E processor family                     |1. Server Workstation Embedded       |06_5EH         |3           |506E3       |
|2. 6th Generation Intel Core Processor Family        |2. Mobile Desktop                    |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|3rd Gen Intel Xeon Scalable processor family         |Server                               |06_6AH         |4, 5, 6     |606AX       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|10th Generation Intel Core Processor Family          |Mobile                               |06_7EH         |5           |706E5       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|8th Generation Intel Core Processor Family           |Mobile                               |06_8EH         |9           |806E9       |
|7th Generation Intel Core Processor Family           |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|8th Generation Intel Core Processor Family           |Mobile                               |06_8EH         |A           |806EA       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|8th Generation Intel Core Processors                 |Mobile                               |06_8EH         |B           |806EB       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|8th Generation Intel Core Processors                 |Mobile                               |06_8EH         |C           |806EC       |
|10th Generation Intel Core Processor Family          |                                     |               |            |            |
|Intel Pentium Gold Processor Series                  |                                     |               |            |            |
|Intel Celeron Processor 5000 Series                  |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|1, 2. 7th Generation Intel Core Processor Family     |1. Desktop Embedded                  |06_9EH         |9           |906E9       |
|3. 8th Generation Intel Core Processor Family        |2. Mobile Embedded                   |               |            |            |
|3. Intel Pentium Processor Family                    |3. Mobile                            |               |            |            |
|4. Intel Core X-series Processors                    |4. Desktop                           |               |            |            |
|5. Intel Xeon E processor family                     |5. Server Workstation Embedded       |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|1. 8th Generation Intel Core Processor Family        |1. Mobile                            |06_9EH         |A           |906EA       |
|2. Intel Xeon E processor family                     |2. Workstation AMT Server            |               |            |            |
|3. 8th Generation Intel Core Processor Family        |3,4. Desktop                         |               |            |            |
|4. 8th Generation Intel Core Processor Family        |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|8th Generation Intel Core Processor Family           |Desktop                              |06_9EH         |B           |906EB       |
|Intel Pentium Gold Processor Series                  |                                     |               |            |            |
|Intel Celeron Processor G Series                     |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|9th Generation Intel Core Processor Family           |Desktop                              |06_9EH         |C           |906EC       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|1, 2. 9th Generation Intel Core Processor Family     |1. Mobile                            |06_9EH         |D           |906ED       |
|3. Intel Xeon E processor family                     |2. Desktop                           |               |            |            |
|                                                     |3. Workstation AMT Server            |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|10th Generation Intel Core Processor Family          |Mobile                               |06_A5H         |2           |A0652       |
|Intel Xeon W processor family                        |Workstation                          |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|10th Generation Intel Core Processor Family          |Desktop Workstation                  |06_A5H         |3           |A0653       |
|Intel Pentium Gold Processor Family                  |                                     |               |            |            |
|Intel Celeron Processor Family                       |                                     |               |            |            |
|Intel Xeon W processor family                        |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|10th Generation Intel Core Processor Family          |Desktop Workstation                  |06_A5H         |5           |A0655       |
|Intel Xeon W processor family                        |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|10th Generation Intel Core Processor Family          |Mobile                               |06_A6H         |1           |A0660       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|10th Generation Intel Core Processor Family          |Mobile Desktop                       |06_A6H         |<=1         |A0661       |
|Intel Xeon W processor family                        |                                     |               |            |            |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
|11th Generation Intel Core Processor Family          |Desktop                              |06_A7H         |1           |A0671       |
+-----------------------------------------------------+-------------------------------------+---------------+------------+------------+
Recommendations:
Intel recommends that users of affected Intel Processors update to the latest
firmware version provided by the system manufacturer that addresses these
issues.
Intel has released microcode updates for the affected Intel Processors that are
currently supported, on the public GitHub repository:
GitHub*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
This CVE requires a Microcode Security Version Number (SVN) update. To address
this issue, an Intel SGX TCB Recovery is planned; details are linked from the
Intel advisory at the Original Bulletin URL above.
Refer to Intel SGX Attestation Technical Details for more information on the
Intel SGX TCB recovery process.
Further TCB Recovery Guidance for developers is also available from Intel.
Acknowledgements:
The following issue was found internally by Intel employees. Intel would like
to thank Ilya Alexandrovich for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.
Revision History
Revision Date Description
1.0 05/10/2022 Initial Release
1.1 06/13/2022 Updated recommendations
1.2 06/27/2022 Updated recommendations
1.3 10/19/2022 Updated SGX TCB Recovery plan Link
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY23pj8kNZI30y1K9AQggfRAAl2a8UzaAEDzQvESukuR/HN/5m6dqLHl4
W+cS3+sEuB+wDD1Y5qXkY/75hgCId6+anwl1AWuOEYG6wC94HTIuTBQniIkjt6hg
SHEVsG+/6PqQaiblsSmE63KhqV73w1B1PiXiB30nhVUdPEuZQ9aYGDYyujBwBAy2
7Ht6a+4U7Ulut0dN6Gn44bcPySVmAsq9k2j67zrH4lbkT5hzc9qlpXzLMz3n5Y7g
njZHdEhed3XGtvHa++PcS2F8yWRrBPC9HLIASs4L//sEov9xtblF3k7ePCwhIHRS
fOO0sYCHOaUgOge2TVS5CFpe0kfQ2pv7TDg1GJNJ84Iu85lrE7FbB/mXcEDxoFcU
Y4zoR0VPRo1au7ajQlm0n06/1DSIaIb6A8jSkcsvHhD8BsUa8jYwjlHJKMjfVFNU
lnyiDGNw/lUVN78lN5FwxZ14dlG0PHtPI7Ca7BPhYjAT2Uk3MU8u3Vnyo9B51oJb
ltYIivPmhclfuiuHHBNo7e7JYeLGqUG7coJ1oEZk6Np+IsWsJ2B4mLf6lPt2x6dj
ypVCddAqXJLP2QWNuZuXUN1YypEgBCffi6Rh9QeMt0vWhko0cZKTsRlqlK9nUfV2
w4oKUOoTdCMLCf23yi4EgdzxR65h52WydYxIX7VWwqKBZ7JU/yL1A68y9KP4huCY
rd4uU2ZdoWI=
=OpiD
-----END PGP SIGNATURE-----
ESB-2022.2287.3 - UPDATE [Win][UNIX/Linux] Intel Processors:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2287.3
IPU - Intel Processor Advisory
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Intel Processors
Publisher: Intel
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2022-21151
Original Bulletin:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
Revision History: November 11 2022: Vendor Update
June 14 2022: Updated Recommendations
May 12 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Intel ID: INTEL-SA-00617
Advisory Category: Firmware
Impact of vulnerability : Information Disclosure
Severity rating : MEDIUM
Original release: 05/10/2022
Last revised: 10/19/2022
Summary:
A potential security vulnerability in some Intel Processors may allow
information disclosure. Intel is releasing firmware updates to mitigate this
potential vulnerability.
Vulnerability Details:
CVEID: CVE-2022-21151
Description: Processor optimization removal or modification of
security-critical code for some Intel(R) Processors may allow an authenticated
user to potentially enable information disclosure via local access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected Products:
+--------------------------------------------------+---------------+---------+-------------+
|Product Collection |Vertical |CPU ID |Platform ID |
| |Segment | | |
+--------------------------------------------------+---------------+---------+-------------+
|10th Generation Intel Core Processor Family |Mobile |706E5 |80 |
+--------------------------------------------------+---------------+---------+-------------+
|Intel Pentium Processor Silver Series |Desktop | | |
| | | | |
|Intel Celeron Processor J Series |Mobile |706A1 |01 |
| | | | |
|Intel Celeron Processor N Series                  |               |         |             |
+--------------------------------------------------+---------------+---------+-------------+
|8th Generation Intel Core Processor Family |Desktop |906EB |02 |
+--------------------------------------------------+---------------+---------+-------------+
|8th Generation Intel Core Processors |Mobile |806EC |94 |
+--------------------------------------------------+---------------+---------+-------------+
|10th Generation Intel Core Processor Family |Desktop |A0653 |22 |
| | | | |
| |Mobile |A0655 |02 |
| | | | |
|                                                  |               |A0661    |80           |
| | | | |
| | |806EC |94 |
+--------------------------------------------------+---------------+---------+-------------+
|6th Generation Intel Core Processor Family |Desktop |506E3 |36 |
| | | | |
| |Mobile |406E3 |C0 |
+--------------------------------------------------+---------------+---------+-------------+
|7th Generation Intel Core Processor Family |Desktop |906E9 |2A |
| | | | |
| |Mobile |806E9 |C0 |
+--------------------------------------------------+---------------+---------+-------------+
|9th Generation Intel Core Processor Family |Desktop |A0671 |02 |
+--------------------------------------------------+---------------+---------+-------------+
|3rd Generation Intel Xeon Scalable Processors |Server |606AX |0x87 |
+--------------------------------------------------+---------------+---------+-------------+
Recommendations:
Intel recommends that users of affected Intel Processors update to the latest
firmware version provided by the system manufacturer that addresses these
issues.
Intel has released microcode updates for the affected Intel Processors that are
currently supported, on the public GitHub repository:
GitHub*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
This CVE requires a Microcode Security Version Number (SVN) update. To address
this issue, an Intel SGX TCB Recovery is planned; details are linked from the
Intel advisory at the Original Bulletin URL above.
Refer to Intel SGX Attestation Technical Details for more information on the
Intel SGX TCB recovery process.
Further TCB Recovery Guidance for developers is also available from Intel.
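The Affected Products tables in INTEL-SA-00586 and INTEL-SA-00617 above identify processors by CPUID signature (for example 606AX) and Platform ID mask, while a Linux host only exposes the decoded family, model, stepping and loaded microcode revision in /proc/cpuinfo. The script below is an added example written for this bulletin; it is not Intel or AusCERT code. It rebuilds the signature from those decoded values, looks it up in the tables quoted on this page, and compares the loaded revision where a fixed one is known. The only fixed revision assumed here is 0x0D000331 for 606A6 on platform 0x87, inferred from the microcode file name m_87_606a6_0d000331.inc cited in INTEL-SA-00586; the advisories name no fixed revision for the other signatures, so those are reported only as listed. The platform ID (a 3-bit value from the IA32_PLATFORM_ID MSR) is not in /proc/cpuinfo and is taken as an optional argument. The sample /proc/cpuinfo text is constructed, not a real capture.

```python
"""Check a Linux host against the Intel affected-product tables above.
Added example for this bulletin; not Intel or AusCERT code."""
import os
from typing import Optional

# (signature pattern, Platform ID mask, fixed microcode revision).  Signatures
# and masks are copied from the INTEL-SA-00586 / INTEL-SA-00617 tables; 'X' is
# Intel's stepping wildcard.  Only 606AX has a known revision, inferred
# (assumption) from the file name m_87_606a6_0d000331.inc.  None means
# "listed as affected; the fixed revision ships in OEM BIOS, ask the vendor".
AFFECTED = [
    ("606AX", 0x87, 0x0D000331),
    ("706E5", 0x80, None), ("706A1", 0x01, None), ("906EB", 0x02, None),
    ("806EC", 0x94, None), ("A0653", 0x22, None), ("A0655", 0x02, None),
    ("A0661", 0x80, None), ("506E3", 0x36, None), ("406E3", 0xC0, None),
    ("906E9", 0x2A, None), ("806E9", 0xC0, None), ("A0671", 0x02, None),
]


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """Rebuild CPUID(1).EAX[19:0] from the decoded family/model/stepping that
    /proc/cpuinfo prints (extended family/model encoding per the Intel SDM)."""
    if family >= 0xF:
        ext_family, base_family = family - 0xF, 0xF
    else:
        ext_family, base_family = 0, family
    if base_family in (0x6, 0xF):
        ext_model, base_model = model >> 4, model & 0xF
    else:
        ext_model, base_model = 0, model & 0xF
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | (stepping & 0xF))


def sig_matches(pattern: str, signature: int) -> bool:
    """Compare a 5-hex-digit signature against a pattern such as '606AX'."""
    text = f"{signature:05X}"
    return len(text) == len(pattern) and all(
        p == "X" or p == c for p, c in zip(pattern, text))


def parse_cpuinfo(text: str) -> dict:
    """Pull family/model/stepping/microcode from the first processor block."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break          # blank line ends the first CPU's block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "family": int(fields["cpu family"]),
        "model": int(fields["model"]),
        "stepping": int(fields["stepping"]),
        "microcode": int(fields.get("microcode", "0x0"), 16),
    }


def assess(cpuinfo_text: str, platform_id: Optional[int] = None) -> dict:
    """Classify the host: not listed, listed with unknown fix, below or at fix."""
    info = parse_cpuinfo(cpuinfo_text)
    sig = cpuid_signature(info["family"], info["model"], info["stepping"])
    result = {"signature": f"{sig:05X}", "microcode": info["microcode"],
              "status": "not listed"}
    for pattern, pf_mask, fixed in AFFECTED:
        if not sig_matches(pattern, sig):
            continue
        # Platform ID is a bit index 0-7; the table column is a bitmask.
        if platform_id is not None and not (pf_mask >> platform_id) & 1:
            continue
        result["platform_mask"] = pf_mask
        result["fixed_revision"] = fixed
        if fixed is None:
            result["status"] = "listed as affected; fixed revision not stated, confirm with OEM BIOS"
        elif info["microcode"] >= fixed:
            result["status"] = "listed as affected; loaded microcode at or above fixed revision"
        else:
            result["status"] = "listed as affected; loaded microcode older than fixed revision"
        break
    return result


# Constructed sample (not a real capture): a 606A6 part with an older revision.
SAMPLE_CPUINFO = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 106
model name  : constructed sample
stepping    : 6
microcode   : 0xd0002a0

processor   : 1
"""

if __name__ == "__main__":
    text = SAMPLE_CPUINFO
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    print(assess(text))
```

Run it as root on the host to read the real /proc/cpuinfo; pass the platform ID from `rdmsr -p0 0x17` (bits 52:50) as the second argument to exclude table rows whose Platform ID mask does not cover your socket. A "not listed" result only means the signature is absent from the tables quoted here, not that the part is unaffected by other Intel advisories.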
Acknowledgements:
This issue was found internally by Intel employees. Intel would like to thank
Alysa Milburn, Jason Brandt, Avishai Redelman, Nir Lavi for reporting this
issue.
Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.
Revision History
Revision Date Description
1.0 05/10/2022 Initial Release
1.1 06/13/2022 Updated Recommendations
1.2 10/19/2022 Updated SGX TCB Recovery plan Link
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1912.3 - UPDATE [Cisco] Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1912.3
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Interface Denial of Service Vulnerability
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Adaptive Security Appliance Software
Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20745
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern
Revision History: November 11 2022: Updated Subject to include CVSS Score
November 10 2022: Vendor updated bulletin
April 29 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Interface Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-asafdt-webvpn-dos-tzPSYern
First Published: 2022 April 27 16:00 GMT
Last Updated: 2022 November 9 16:02 GMT
Version 1.2: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz70595 CSCwb87950 CSCwb93914
CVE Names: CVE-2022-20745
CWEs: CWE-20
Summary
o A vulnerability in the web services interface for remote access VPN
features of Cisco Adaptive Security Appliance (ASA) Software and Cisco
Firepower Threat Defense (FTD) Software could allow an unauthenticated,
remote attacker to cause a denial of service (DoS) condition.
This vulnerability is due to improper input validation when parsing HTTPS
requests. An attacker could exploit this vulnerability by sending a crafted
HTTPS request to an affected device. A successful exploit could allow the
attacker to cause the device to reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern
This advisory is part of the April 2022 release of the Cisco ASA, FTD, and
FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022 Cisco
ASA, FMC, and FTD Software Security Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects Cisco products if they are running a vulnerable
release of Cisco ASA Software or Cisco FTD Software with a vulnerable
remote access VPN configuration.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the ASA Software Configuration
To determine whether the software has a vulnerable feature configured, use
the show running-config CLI command. In the following table, the left
column lists the Cisco ASA Software features that are vulnerable. The right
column indicates the basic configuration for each feature from the show
running-config CLI command. If a device is running a vulnerable release and
has one of these features configured, it is vulnerable.
Cisco ASA Feature                                 Vulnerable Configuration
AnyConnect Internet Key Exchange Version 2        crypto ikev2 enable client-services port
Remote Access (with client services)
AnyConnect SSL VPN                                webvpn
                                                  enable
Clientless SSL VPN                                webvpn
                                                  enable
Determine the FTD Software Configuration
To determine whether the software has a vulnerable feature configured, use
the show running-config CLI command. In the following table, the left
column lists the Cisco FTD Software features that are vulnerable. The right
column indicates the basic configuration for each feature from the show
running-config CLI command. If a device is running a vulnerable release and
has one of these features configured, it is vulnerable.
Cisco FTD Feature                              Vulnerable Configuration
AnyConnect Internet Key Exchange Version 2     crypto ikev2 enable client-services port
  Remote Access (with client services) ^1,2
AnyConnect SSL VPN ^1,2                        webvpn
                                                 enable
1. Remote Access VPN features were introduced in Cisco FTD Software Release
6.2.2.
2. Remote Access VPN features are enabled by using Devices > VPN > Remote
Access in Cisco Firepower Management Center (FMC) or by using Device >
Remote Access VPN in Cisco Firepower Device Manager (FDM).
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Firepower
Management Center (FMC) Software.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following table(s), the left column lists Cisco software releases.
The center column indicates whether a release is affected by the
vulnerability described in this advisory and the first release that
includes the fix for this vulnerability. The right column indicates whether
a release is affected by any of the Critical or High SIR vulnerabilities
described in this bundle and which release includes fixes for those
vulnerabilities.
ASA Software
Cisco ASA Software   First Fixed Release for       First Fixed Release for
Release              CSCvz70595                    CSCwb87950 and CSCwb93914
9.6 and earlier ^1   Not vulnerable.               Not vulnerable.
9.7 ^1               Migrate to a fixed release.   Migrate to a fixed release.
9.8                  9.8.4.44                      9.8.4.46
9.9 ^1               Migrate to a fixed release.   Migrate to a fixed release.
9.10 ^1              Migrate to a fixed release.   Migrate to a fixed release.
9.12                 9.12.4.35                     9.12.4.52
9.13 ^1              Migrate to a fixed release.   Migrate to a fixed release.
9.14                 9.14.3.13                     9.14.4.16
9.15                 9.15.1.21                     Migrate to a fixed release.
9.16                 9.16.2.7                      9.16.3.15
9.17                 Not vulnerable.               9.17.1.16
9.18                 Not vulnerable.               9.18.1.3
1. Cisco ASA Software releases 9.7 and earlier, as well as releases 9.9,
9.10, and 9.13, have reached end of software maintenance. Customers are
advised to migrate to a supported release that includes the fix for this
vulnerability.
FTD Software
Cisco FTD Software   First Fixed Release for                             First Fixed Release for
Release              CSCvz70595                                          CSCwb87950 and CSCwb93914
6.1.0 and earlier ^1 Not vulnerable.                                     Not vulnerable.
6.2.2 ^1             Migrate to a fixed release.                         Migrate to a fixed release.
6.2.3                Migrate to a fixed release.                         Migrate to a fixed release.
6.3.0 ^1             Migrate to a fixed release.                         Migrate to a fixed release.
6.4.0                6.4.0.13                                            6.4.0.16
6.5.0 ^1             Migrate to a fixed release.                         Migrate to a fixed release.
6.6.0                6.6.5.1                                             6.6.7.1
6.7.0                Cisco_FTD_Hotfix_AA-6.7.0.4-2.sh.REL.tar            Migrate to a fixed release.
                     Cisco_FTD_SSP_FP1K_Hotfix_AA-6.7.0.4-2.sh.REL.tar
                     Cisco_FTD_SSP_FP2K_Hotfix_AA-6.7.0.4-2.sh.REL.tar
                     Cisco_FTD_SSP_Hotfix_AA-6.7.0.4-2.sh.REL.tar
7.0.0                7.0.2                                               7.0.4
7.1.0                Not vulnerable.                                     7.1.0.3
7.2.0                Not vulnerable.                                     7.2.1
1. Cisco FMC and FTD Software releases 6.2.2 and earlier, as well as
releases 6.3.0 and 6.5.0, have reached end of software maintenance.
Customers are advised to migrate to a supported release that includes the
fix for this vulnerability.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
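A defender-side triage helper for this advisory, added here as an example (it is not Cisco's or AusCERT's code): it encodes the ASA Fixed Releases table for CSCvz70595 and scans show running-config output for the vulnerable feature configurations listed under Determine the ASA Software Configuration. It assumes the real ASA syntax in which an interface name follows `crypto ikev2 enable` and `enable` under `webvpn`, and a port number follows `client-services port`; the hostname, interface names and sample config are constructed.

```python
"""Added example (not Cisco's or AusCERT's code): triage a Cisco ASA device
against cisco-sa-asafdt-webvpn-dos-tzPSYern using the advisory's own criteria.
Per the advisory, a device is vulnerable when (1) it runs an affected ASA
release per the Fixed Releases table AND (2) show running-config contains one
of the vulnerable feature configurations. The sample config is constructed."""
import re

# First fixed release for CSCvz70595, copied from the advisory's ASA table.
FIRST_FIXED_CSCVZ70595 = {
    "9.8": "9.8.4.44", "9.12": "9.12.4.35", "9.14": "9.14.3.13",
    "9.15": "9.15.1.21", "9.16": "9.16.2.7",
}
NOT_VULNERABLE_TRAINS = {"9.17", "9.18"}          # plus 9.6 and earlier
END_OF_MAINTENANCE_TRAINS = {"9.7", "9.9", "9.10", "9.13"}  # "migrate"

# Vulnerable IKEv2 remote-access line; interface name and port vary (assumed syntax).
IKEV2_RA = re.compile(r"^crypto ikev2 enable \S+ client-services port \d+")

def parse_version(version):
    """Normalise '9.8(4)44' (show version style) or '9.8.4.44' into an int tuple."""
    cleaned = re.sub(r"[()]", ".", version).strip(".")
    return tuple(int(part) for part in cleaned.split("."))

def release_status(version):
    """Classify an ASA release: not_vulnerable, fixed, vulnerable, migrate, unknown."""
    parts = parse_version(version)
    train = f"{parts[0]}.{parts[1]}"
    if parts < (9, 7) or train in NOT_VULNERABLE_TRAINS:
        return "not_vulnerable"
    if train in END_OF_MAINTENANCE_TRAINS:
        return "migrate"  # affected and end of maintenance: move to a fixed train
    fixed = FIRST_FIXED_CSCVZ70595.get(train)
    if fixed is None:
        return "unknown"  # train not in the advisory table; check the advisory
    return "fixed" if parts >= parse_version(fixed) else "vulnerable"

def vulnerable_features(running_config):
    """Return the vulnerable feature configurations present in the config."""
    found = set()
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" "):
            # top-level command: only a bare 'webvpn' opens the global webvpn block
            in_webvpn = line.strip() == "webvpn"
            if IKEV2_RA.match(line):
                found.add("AnyConnect IKEv2 Remote Access (client services)")
        elif in_webvpn and line.strip().startswith("enable "):
            # 'enable <interface>' under webvpn: AnyConnect SSL or Clientless SSL VPN
            found.add("SSL VPN enabled under webvpn (AnyConnect or Clientless)")
    return sorted(found)

def triage(version, running_config):
    """Combine the release check and the feature check as the advisory does."""
    status = release_status(version)
    features = vulnerable_features(running_config)
    affected_release = status in ("vulnerable", "migrate")
    return {
        "release": status,
        "features": features,
        "vulnerable": affected_release and bool(features),
    }

# Constructed sample running-config; hostname and interface names are made up.
SAMPLE_CONFIG = """\
hostname asa-edge-1
crypto ikev2 enable outside client-services port 443
group-policy RA_POLICY attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect enable
"""
```

The nested `webvpn` under `group-policy ... attributes` is deliberately ignored; only the global `webvpn` block with `enable <interface>` matches the advisory's table.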
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o This vulnerability was originally found during the resolution of a Cisco
TAC support case.
Cisco would like to thank Saleh Iskandar from Indonesia for reporting that
the fix for the vulnerability was incomplete.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security
Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern
Revision History
+---------+----------------------------+-----------+--------+-------------+
| Version | Description                | Section   | Status | Date        |
+---------+----------------------------+-----------+--------+-------------+
|         | Updated fixed release      |           |        |             |
|         | tables to reflect          | Fixed     |        |             |
| 1.2     | additional fixes for Cisco | Software, | Final  | 2022-NOV-09 |
|         | bugs CSCwb87950 and        | Source    |        |             |
|         | CSCwb93914. Also updated   |           |        |             |
|         | source.                    |           |        |             |
+---------+----------------------------+-----------+--------+-------------+
| 1.1     | Updated ASA 9.8 first      | Fixed     | Final  | 2022-JUN-01 |
|         | fixed release information. | Software  |        |             |
+---------+----------------------------+-----------+--------+-------------+
| 1.0     | Initial public release.    | -         | Final  | 2022-APR-27 |
+---------+----------------------------+-----------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.5792.2 - UPDATE [Apple iOS] iOS and iPadOS: CVSS (Max): 8.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5792.2
APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1
11 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: iOS
iPadOS
Publisher: Apple
Operating System: Apple iOS
Resolution: Patch/Upgrade
CVE Names: CVE-2022-40304 CVE-2022-40303
Original Bulletin:
https://support.apple.com/HT213505
Comment: CVSS (Max): 8.2 CVE-2022-40304 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Revision History: November 11 2022: Changed product tag to include affected Apple products
November 10 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1
iOS 16.1.1 and iPadOS 16.1.1 address the following issues.
Information about the security content is also available at
https://support.apple.com/HT213505.
libxml2
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2022-40303: Maddie Stone of Google Project Zero
libxml2
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project
Zero
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.5474.4 - UPDATE [Win][UNIX/Linux][Appliance] Palo Alto Products:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5474.4
PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities
CVE-2022-3786 and CVE-2022-3602
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Palo Alto Products
Publisher: Palo Alto Networks
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Network Appliance
Resolution: None
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/PAN-SA-2022-0006
Revision History: November 10 2022: Vendor updated bulletin: Final Release
November 3 2022: Vendor updated bulletin
November 2 2022: Palo Alto updated advisory with CVE details
November 1 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Subject: Updated Palo Alto bulletin: PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602
From: palo_alto-bulletins@auscert.org.au
Palo Alto Networks Security Advisories / PAN-SA-2022-0006
PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and
CVE-2022-3602
[INFO]
Informational
Published 2022-10-31
Updated 2022-11-09
Reference PAN-SA-2022-0006
Discovered externally
Description
On November 1st, 2022, the OpenSSL Project published two high severity
vulnerabilities, CVE-2022-3786 and CVE-2022-3602, that affect OpenSSL versions
3.0.0 through 3.0.6.
The Palo Alto Networks Product Security Assurance team has evaluated and
confirmed that none of its products and services are impacted by these
vulnerabilities.
Product Status
Versions                            Affected   Unaffected
AutoFocus                           None       all
Bridgecrew                          None       all
Cloud NGFW                          None       all
Cortex Data Lake                    None       all
Cortex XDR                          None       all
Cortex XDR Agent                    None       all
Cortex Xpanse                       None       all
Cortex XSOAR                        None       all
Enterprise Data Loss Prevention     None       all
Exact Data Matching CLI             None       all
Expanse                             None       all
Expedition Migration Tool           None       all
GlobalProtect App                   None       all
IoT Security                        None       all
Okyo Garde                          None       all
Palo Alto Networks App for Splunk   None       all
PAN-OS                              None       all
Prisma Access                       None       all
Prisma Cloud                        None       all
Prisma Cloud Compute                None       all
Prisma SD-WAN (CloudGenix)          None       all
Prisma SD-WAN ION                   None       all
SaaS Security                       None       all
User-ID Agent                       None       all
WildFire Appliance (WF-500)         None       all
WildFire Cloud                      None       all
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue on
any of our products.
Solution
No software updates are required at this time.
NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1
contain an affected version of the OpenSSL 3.0 library but are not impacted.
There are no scenarios in Cortex XDR Broker VM software that enable successful
exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed
from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.
Workarounds and Mitigations
Customers with a Threat Prevention subscription can block known attacks for
CVE-2022-3602 by enabling Threat ID 93212 (Applications and Threats content
update 8638). This mitigation reduces the risk of exploitation from known
exploits.
Frequently Asked Questions
Q. How can I find vulnerable versions of OpenSSL in my environment?
With Prisma Cloud, security teams can prepare to detect and patch
vulnerable systems as soon as the fix is available. Prisma Cloud customers
can apply controls to address this vulnerability across multiple stages in
the application lifecycle, from the code to the cloud.
See https://www.paloaltonetworks.com/blog/prisma-cloud/
prepare-openssl-vulnerability/ for more information.
Timeline
2022-11-09 Investigation is complete
2022-11-03 Cortex XDR Broker VM 17.4.1 is released and removes OpenSSL 3.0 for
security assurance
2022-11-02 A threat prevention signature is now available for CVE-2022-3602
2022-11-01 Updated advisory to reference the CVEs
2022-10-31 Initial publication
(C) 2022 Palo Alto Networks, Inc. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================