Rewterz Threat Advisory – Multiple TP-Link Zero-Day Vulnerabilities
February 23, 2022Rewterz Threat Alert – Donot APT Group – Active IOCs
February 23, 2022Severity
High
Analysis Summary
Siemens COMOS Web
CVE-2021-37194
The COMOS Web component of COMOS allows to upload and store arbitrary files at the webserver. This could allow an attacker to store malicious files.
CVE-2021-37195
The COMOS Web component of COMOS accepts arbitrary code as attachments to tasks, which could allow an attacker to inject malicious code that is then executed when loading the attachment.
CVE-2021-37196
The COMOS Web component of COMOS unpacks specially crafted archive files to relative paths, which could allow an attacker to store files in any folder accessible by the COMOS Web webservice.
CVE-2021-37197
The COMOS Web component of COMOS is vulnerable to SQL injections, which could allow an attacker to execute arbitrary SQL statements.
CVE-2021-37198
The COMOS Web component of COMOS uses a flawed implementation of CSRF prevention, which an attacker could exploit to perform cross-site request forgery attacks.
CVE-2021-40367
The affected application lacks proper validation of user-supplied data when parsing DICOM files, which could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2021-42028
The affected application lacks proper validation of user-supplied data when parsing BMP files, which could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process.
Siemens Healthineers syngo fastView
CVE-2021-40367
The affected application lacks proper validation of user-supplied data when parsing DICOM files, which could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2021-42028
The affected application lacks proper validation of user-supplied data when parsing BMP files, which could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2021-45465
The affected application lacks proper validation of user-supplied data when parsing BMP files. This could result in a write-what-where condition and an attacker could leverage this vulnerability to execute code in the context of the current process.
Siemens LOGO! CMR and SIMATIC RTU 3000
CVE-2021-37186
The underlying TCP/IP stack does not properly calculate the random numbers used as ISN (Initial Sequence Numbers). An adjacent attacker with network access to the LAN interface could interfere with traffic, spoof the connection, and gain access to sensitive information.
Siemens Simcenter Femap
CVE-2021-46151
Affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46152
Affected application contains a type confusion vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46153
Affected application contains a memory corruption vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46154
Affected application contains a stack-based buffer overflow vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46155
Affected application contains a stack-based buffer overflow vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46156
Affected application contains an out-of-bounds write past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46157
Affected application contains a memory corruption vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46158
Affected application contains a stack-based buffer overflow vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46159
Affected application contains an out-of-bounds write past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46160
Affected application contains an out-of-bounds write past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-46161
Affected application contains an out-of-bounds write past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process.
Siemens Spectrum Power 4
CVE-2022-23312
The integrated web application “Online Help” in affected product contains a cross-site scripting vulnerability that could be exploited if unsuspecting users are tricked into accessing a malicious link.
Impact
- Cross-site request forgery attacks
- SQL injection
- Remote Code Execution
- Data Theft
- Gain Access
- Spoofing
- Unauthorized Access
- Buffer Overflow
Indicators of Compromise
CVEs
- CVE-2021-37194
- CVE-2021-37195
- CVE-2021-37196
- CVE-2021-37197
- CVE-2021-37198
- CVE-2021-40367
- CVE-2021-42028
- CVE-2021-45465
- CVE-2021-40367
- CVE-2021-42028
- CVE-2021-45465
- CVE-2021-37186
- CVE-2021-46151
- CVE-2021-46152
- CVE-2021-46153
- CVE-2021-46154
- CVE-2021-46155
- CVE-2021-46156
- CVE-2021-46157
- CVE-2021-46158
- CVE-2021-46159
- CVE-2021-46160
- CVE-2021-46161
- CVE-2022-23312
Affected Vendors
Siemens
Affected Products
- COMOS v10.2: All versions (only if web components are used)
- COMOS v10.3: All versions prior to v10.3.3.2.14 (only if web components are used)
- COMOS v10.4: All versions prior to v10.4.1 (only if web components are used)
- Syngo fastView: All versions
- LOGO! CMR2020 (6GK7142-7BX00-0AX0): All versions prior to v2.2
- LOGO! CMR2040 (6GK7142-7EX00-0AX0): All versions prior to v2.2
- SIMATIC RTU 3000 family: All versions
- SIMATIC RTU3010C (6NH3112-0BA00-0XX0): All versions prior to v4.0.9
- SIMATIC RTU3030C (6NH3112-3BA00-0XX0): All versions prior to v4.0.9
- SIMATIC RTU3031C (6NH3112-3BB00-0XX0): All versions prior to v4.0.9
- SIMATIC RTU3041C (6NH3112-4BB00-0XX0): All versions prior to v4.0.9
- Simcenter Femap v2020.2: All versions
- Simcenter Femap v2021.1: All versions
- Siemens Spectrum Power 4: All versions prior to v4.70 SP9 Security Patch 1
Remediation
Refer to CISA Advisory for the patch, upgrade, or suggested workaround information.
Siemens COMOS Web
https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-05
Siemens Healthineers syngo fastView
https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-16
Siemens LOGO! CMR and SIMATIC RTU 3000
https://www.cisa.gov/uscert/ics/advisories/icsa-21-257-13
Siemens Simcenter Femap
https://www.cisa.gov/uscert/ics/advisories/icsa-22-041-03
Siemens Spectrum Power 4
https://www.cisa.gov/uscert/ics/advisories/icsa-22-041-06