As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808 Devices
- Vulnerabilities: Out-of-bounds Read, Insertion of Sensitive Information Into Sent Data, Allocation of Resources Without Limits or Throttling, Integer Overflow or Wraparound, Path Traversal, Out-of-bounds Write, HTTP Request/Response Splitting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of service condition, perform a machine-in-the middle attack (MITM), escalate privileges, execute unauthorized code, and access unauthorized systems and information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
- Siemens RUGGEDCOM APE1808: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
An out-of-bounds read vulnerability [CWE-125] in FortiOS SSLVPN web portal versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, 7.0 all versions, and 6.4 all versions may all
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: