Vulnerabilities > CVE-2020-15782 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

siemens

CWE-119

NVD

Published: 2021-05-28

Updated: 2021-09-14

Summary

A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.5.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.9.2), SIMATIC S7-1500 Software Controller (All versions < V21.9), SIMATIC S7-PLCSIM Advanced (All versions < V4.0), SINAMICS PERFECT HARMONY GH180 Drives (Drives manufactured before 2021-08-13), SINUMERIK MC (All versions < V6.15), SINUMERIK ONE (All versions < V6.15). Affected devices are vulnerable to a memory protection bypass through a specific operation. A remote unauthenticated attacker with network access to port 102/tcp could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.

Vulnerable Configurations

Part	Description	Count
OS	Siemens Siemens Simatic Driver Controller Firmware - Siemens S7 1200 CPU Firmware - Siemens S7 1500 CPU Firmware - Siemens ET 200Sp Open Controller Firmware *	4
Hardware	Siemens Siemens CPU 1507D TF - Siemens CPU 1504D TF - Siemens CPU 1217C - Siemens CPU 1215Fc - Siemens CPU 1215C - Siemens CPU 1214Fc - Siemens CPU 1214C - Siemens CPU 1212Fc - Siemens CPU 1212C - Siemens CPU 1211C - Siemens 6Es7512 1Ck01 0Ab0 - Siemens 6Es7512 1Dk01 0Ab0 - Siemens 6Es7512 1Sk01 0Ab0 - Siemens 6Es7513 1Al01 0Ab0 - Siemens 6Es7513 1Al02 0Ab0 - Siemens 6Es7513 1Fl01 0Ab0 - Siemens 6Es7513 1Fl02 0Ab0 - Siemens 6Es7513 1Rl00 0Ab0 - Siemens 6Es7513 2Gl00 0Ab0 - Siemens 6Es7513 2Pl00 0Ab0 - Siemens 6Es7515 2Am01 0Ab0 - Siemens 6Es7515 2Am02 0Ab0 - Siemens 6Es7515 2Fm01 0Ab0 - Siemens 6Es7515 2Fm02 0Ab0 - Siemens 6Es7515 2Rm00 0Ab0 - Siemens 6Es7515 2Tm01 0Ab0 - Siemens 6Es7515 2Um01 0Ab0 - Siemens 6Es7516 2Gn00 0Ab0 - Siemens 6Es7516 2Pn00 0Ab0 - Siemens 6Es7516 3An01 0Ab0 - Siemens 6Es7516 3An02 0Ab0 - Siemens 6Es7516 3Fn01 0Ab0 - Siemens 6Es7516 3Fn02 0Ab0 - Siemens 6Es7516 3Tn00 0Ab0 - Siemens 6Es7516 3Un00 0Ab0 - Siemens 6Es7517 3Ap00 0Ab0 - Siemens 6Es7517 3Fp00 0Ab0 - Siemens 6Es7517 3Hp00 0Ab0 - Siemens 6Es7517 3Tp00 0Ab0 - Siemens 6Es7517 3Up00 0Ab0 - Siemens 6Es7518 4Ap00 0Ab0 - Siemens 6Es7518 4Ap00 3Ab0 - Siemens 6Es7518 4Fp00 0Ab0 - Siemens 6Es7512 1Ck00 0Ab0 - Siemens 6Es7511 1Uk01 0Ab0 - Siemens 6Es7511 1Tk01 0Ab0 - Siemens 6Es7511 1Fk02 0Ab0 - Siemens 6Es7511 1Fk01 0Ab0 - Siemens 6Es7511 1Ck01 0Ab0 - Siemens 6Es7511 1Ck00 0Ab0 - Siemens 6Es7511 1Ak02 0Ab0 - Siemens 6Es7511 1Ak01 0Ab0 - Siemens 6Es7510 1Sj01 0Ab0 - Siemens 6Es7510 1Dj01 0Ab0 - Siemens 6Es7518 4Fp00 3Ab0 - Siemens CPU 1515Sp PC - Siemens CPU 1515Sp PC2 -	57
Application	Siemens Siemens Simatic S7 1500 Software Controller * Siemens Simatic S7 Plcsim Advanced - Siemens Simatic S7 Plcsim Advanced 2.0	4

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References