BDU:2019-00765

Published: 07 Aug 2018
Source: fstec
CVSS3: 5.9
CVSS2: 5.4
EPSS: Medium

Description

A vulnerability in the OpenSSL cryptographic library is caused by incorrect operation of the "error state" mechanism when the SSL_read() or SSL_write() functions are called directly by the application. Exploitation of the vulnerability may allow an attacker to transmit unencrypted confidential data over the network at the SSL/TLS layer.

Vendor

OpenSSL Software Foundation
Siemens AG

Software name

OpenSSL
MindConnect IoT2040
SIMATIC ET 200SP Open Controller CPU 1515SP PC
MindConnect Nano (IPC227D)
SIMATIC HMI WinCC Flexible
SIMATIC IPC DiagMonitor
SIMATIC WinCC OA
SIMATIC WinCC (TIA Portal)
SIMATIC S7-1200
SIMATIC S7-1500
SIMATIC S7-1500 Software Controller
SIMATIC STEP 7 (TIA Portal)
SINUMERIK Integrate Operate Client
SIMATIC IPC DiagBase
SINUMERIK Integrate Access MyMachine

Software version

1.0.2 (OpenSSL)
1.1.0 (OpenSSL)
prior to 03.01 (MindConnect IoT2040)
from 2.0 to 2.1.6 (SIMATIC ET 200SP Open Controller CPU 1515SP PC)
prior to 03.01 (MindConnect Nano (IPC227D))
prior to 15.1 (SIMATIC HMI WinCC Flexible)
prior to 5.0.3 (SIMATIC IPC DiagMonitor)
from 3.14 to 3.14-P021 (SIMATIC WinCC OA)
from 3.15 to 3.15-P014 (SIMATIC WinCC OA)
from 3.16 to 3.16-P002 (SIMATIC WinCC OA)
from 13 to 13 SP2 Update 2 (SIMATIC WinCC (TIA Portal))
from 15 to 15 Update 2 (SIMATIC WinCC (TIA Portal))
prior to 4.2.3 (SIMATIC S7-1200)
prior to 2.5.2 (SIMATIC S7-1500)
from 2.0 to 2.6 (SIMATIC S7-1500 Software Controller)
from 13 to 13 SP2 Update 2 (SIMATIC STEP 7 (TIA Portal))
from 14 (SIMATIC STEP 7 (TIA Portal))
from 15 to 15 Update 2 (SIMATIC STEP 7 (TIA Portal))
up to and including 2.0.11 (SINUMERIK Integrate Operate Client)
up to and including 3.0.11 (SINUMERIK Integrate Operate Client)
prior to 2.1.1.0 (SIMATIC IPC DiagBase)
prior to 14 SP1 Update 6 (SIMATIC WinCC (TIA Portal))
up to and including 4.1.7 (SINUMERIK Integrate Access MyMachine)

Software type

Security software
Software of an industrial control system (ICS) hardware/software appliance
Industrial control system (ICS) software

Operating systems and hardware platforms

-

Vulnerability severity level

Medium severity (CVSS 2.0 base score is 5.4)
Medium severity (CVSS 3.0 base score is 5.9)

Possible remediation measures

Software update:
For MindConnect IoT2040 and MindConnect Nano (IPC227D) prior to V03.01:
Update via the Mindsphere interface
For SIMATIC ET 200SP Open Controller CPU 1515SP PC prior to V2.1.6:
https://support.industry.siemens.com/cs/us/en/view/109759122
For SIMATIC HMI WinCC Flexible prior to V15.1:
https://support.industry.siemens.com/cs/us/en/view/109758794
For SIMATIC IPC DiagMonitor prior to V5.0.3:
Contact the support service to obtain the update
For SIMATIC S7-1200 prior to V4.2.3:
https://support.industry.siemens.com/cs/us/en/view/109741461
For SIMATIC S7-1500 prior to V2.5.2:
https://support.industry.siemens.com/cs/ww/en/view/109478459
For SIMATIC S7-1500 Software Controller prior to V2.6:
https://support.industry.siemens.com/cs/us/en/view/109478528
For SIMATIC STEP 7 (TIA Portal) V13 prior to V13 SP2 Update 2:
https://support.industry.siemens.com/cs/ww/en/view/109759753
For SIMATIC STEP 7 (TIA Portal) V15 prior to V15 Update 2:
https://support.industry.siemens.com/cs/ww/en/view/109755826
For SIMATIC WinCC (TIA Portal) V13 prior to V13 SP2 Update 2:
https://support.industry.siemens.com/cs/ww/en/view/109759753
For SIMATIC WinCC (TIA Portal) V15 prior to V15 Update 2:
https://support.industry.siemens.com/cs/ww/en/view/109755826
For SIMATIC WinCC OA V3.14 prior to V3.14-P021:
https://portal.etm.at/index.php?option=com_content&view=category&id=67&layout=blog&Itemid=80
For SIMATIC WinCC OA V3.15 prior to V3.15-P014:
https://portal.etm.at/index.php?option=com_content&view=category&id=68&layout=blog&Itemid=80
For SIMATIC WinCC OA V3.16 prior to V3.16-P002:
https://portal.etm.at/index.php?option=com_content&view=category&id=69&layout=blog&Itemid=80
For SINUMERIK Integrate Access MyMachine prior to V4.1.8 and SINUMERIK Integrate Operate Client prior to V2.0.12 / 3.0.12:
https://w3.siemens.com/aspa_app
Compensating measures:
For S7-1200:
Restrict access to the web server on the specific Ethernet/PROFINET port/interface (the setting is located under General / Web server access)
For the other affected products:
Restrict network access using appropriate mechanisms (for example, a firewall)

Vulnerability status

Confirmed by the vendor

Exploit availability

Information is being verified

Remediation information

No remediation information available

Identifiers in other vulnerability description systems

EPSS

Percentile: 97%
Score: 0.32186 (Medium)

CVSS3: 5.9 Medium
CVSS2: 5.4 Medium

Related vulnerabilities

CVSS3: 5.9
ubuntu
more than 7 years ago

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2...

CVSS3: 5.9
redhat
more than 7 years ago

CVSS3: 5.9
nvd
more than 7 years ago

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1

CVSS3: 5.9
debian
more than 7 years ago

CVSS3: 5.9
github
about 3 years ago

Vulnerability BDU:2019-00765