Full Report
Multiple vulnerabilities have been identified in the additional GNU/Linux subsystem of firmware versions >= V3.1.0. These GNU/Linux vulnerabilities have been externally identified. Siemens has released new versions for the affected products and recommends updating to the latest versions. Note: This SSA advises on vulnerabilities for firmware version V3.1 only; for versions https://cert-portal.siemens.com/productcert/html/ssb-439005.html
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SIMATIC S7-1500 GNU/Linux Subsystem
## CVE Details
This advisory covers a wide range of vulnerabilities found in the integrated GNU/Linux subsystem. Key examples include:
- **CVE-2019-19317**: CVSS **9.8 (Critical)** | CWE-681 (Incorrect Conversion)
- **CVE-2019-19646**: CVSS **9.8 (Critical)** | CWE-754 (Improper Check)
- **CVE-2017-9047**: CVSS **7.5 (High)** | CWE-119 (Buffer Error)
- **CVE-2019-19906**: CVSS **7.5 (High)** | CWE-787 (Out-of-bounds Write)
- **CVE-2019-19244**: CVSS **7.5 (High)** | CWE-20 (Improper Input Validation)
## Affected Systems
- **Products**: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP and CPU 1518F-4 PN/DP MFP (including SIPLUS variants).
- **Versions**: All firmware versions >= V3.1.0 and prior to V3.1.5.
- **Configurations**: These vulnerabilities specifically affect the **additional GNU/Linux subsystem (MFP)** provided on these controllers.
## Vulnerability Description
The advisory addresses numerous security flaws identified in open-source components bundled within the firmware's Linux subsystem, including **SQLite, libxml2, and cyrus-sasl**. The technical flaws include:
- **Memory Corruption**: Buffer overflows in `libxml2` (e.g., `xmlSnprintfElementContent`) and out-of-bounds writes in `cyrus-sasl`.
- **Logic/Validation Errors**: Improper handling of `SELECT` statements, `DISTINCT` clauses, and window functions in SQLite, leading to crashes or incorrect data processing.
- **Resource Management**: Uncontrolled recursion and memory leaks that can lead to Denial of Service (DoS).
## Exploitation
- **Status**: PoC available for several included CVEs (as indicated by "E:P" in CVSS vectors). No specific mention of exploitation in the wild in the context of Siemens hardware.
- **Complexity**: Varies from **Low** to **High** depending on the specific CVE.
- **Attack Vector**: Primarily **Network** (unauthenticated remote exploitability for several components).
## Impact
- **Confidentiality**: **High** (for Critical CVEs such as CVE-2019-19317 and CVE-2019-19646)
- **Integrity**: **High**
- **Availability**: **High** (System crashes and DoS are the most frequent risks)
## Remediation
### Patches
Siemens recommends updating affected products to the following version:
- **SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP**: Update to **V3.1.5** or later.
### Workarounds
- Limit access to the GNU/Linux subsystem to trusted users and networks only.
- Implement Defense-in-Depth strategies as per Siemens' operational guidelines.
- Use industrial firewalls and VPNs to isolate the PLC network from the internet.
## Detection
- **Indicators of Compromise**: Unexpected crashes of the Linux subsystem (MFP), unexplained reboots, or malformed LDAP/SQL traffic.
- **Detection methods**: Monitor system logs within the Linux subsystem for segmentation faults or memory errors. Use Network Intrusion Detection Systems (NIDS) to flag signatures for known SQLite or libxml2 exploits.
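The log-monitoring method above, as an added example that is not part of the advisory: it scans syslog-style kernel segfault lines for crashes in the affected libraries and flags repeated crashes of one program as a possible DoS. The log format, host name, process names and library file names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real device). The layout assumes a
# syslog-style kernel log; the MFP subsystem's real log format may differ.
SAMPLE_LOG = """\
Jan 14 09:12:01 mfp kernel: [  512.114] saslauthd[812]: segfault at 0 ip 00007f3a1c0b2e41 sp 00007ffd2c4f1a20 error 4 in libsasl2.so.3.0.0[7f3a1c0a0000+1b000]
Jan 14 09:12:03 mfp kernel: [  514.002] xmllint[901]: segfault at 7f1200000000 ip 00007f12aa1c3d10 sp 00007ffee01c4b10 error 6 in libxml2.so.2.9.4[7f12aa100000+1f0000]
Jan 14 09:12:05 mfp sqlite-svc[955]: query executed in 12ms
Jan 14 09:12:09 mfp kernel: [  520.330] saslauthd[813]: segfault at 0 ip 00007f3a1c0b2e41 sp 00007ffd2c4f1a20 error 4 in libsasl2.so.3.0.0[7f3a1c0a0000+1b000]
Jan 14 09:12:10 mfp kernel: [  521.100] saslauthd[814]: segfault at 0 ip 00007f3a1c0b2e41 sp 00007ffd2c4f1a20 error 4 in libsasl2.so.3.0.0[7f3a1c0a0000+1b000]
"""

# Matches the kernel's "segfault at ... ip ... in <lib>[...]" message.
SEGFAULT_RE = re.compile(
    r"kernel: \[\s*[\d.]+\] (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) .* in (?P<lib>[\w.+-]+)\["
)

# Libraries named in the advisory; file-name prefixes are assumptions.
WATCHED_LIBS = ("libsqlite3", "libxml2", "libsasl2")
CRASH_STORM_THRESHOLD = 3  # repeated crashes of one program -> possible DoS


def parse_segfaults(log_text):
    """Return one dict (proc, pid, addr, ip, lib) per kernel segfault line."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(events):
    """Produce alert strings for watched-library crashes and crash storms."""
    alerts = []
    for ev in events:
        if ev["lib"].startswith(WATCHED_LIBS):
            alerts.append(f"crash in watched library {ev['lib']} "
                          f"(process {ev['proc']}, pid {ev['pid']})")
    for proc, n in Counter(ev["proc"] for ev in events).items():
        if n >= CRASH_STORM_THRESHOLD:
            alerts.append(f"crash storm: {proc} crashed {n} times (possible DoS)")
    return alerts


if __name__ == "__main__":
    for alert in classify(parse_segfaults(SAMPLE_LOG)):
        print(alert)
```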
## References
- **Vendor Advisory**: hxxps://cert-portal.siemens.com/productcert/pdf/ssa-398330.pdf
- **Related Siemens Advisory**: hxxps://cert-portal.siemens.com/productcert/html/ssb-439005.html
- **Terms of Use**: hxxps://www.siemens.com/productcert/terms-of-use