SB2023071731 - Multiple vulnerabilities in Siemens RUGGEDCOM ROX devices
Published: July 17, 2023
Description
This security bulletin contains information about 21 security vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2022-1292)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with the ability to pass data to the c_rehash script can execute arbitrary OS commands with the privileges of the script.
2) Incorrect default permissions (CVE-ID: CVE-2022-32207)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect default permissions set to cookies, alt-svc and hsts data stored in local files. A local user with ability to read such files can gain access to potentially sensitive information.
3) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.
4) Infinite loop (CVE-ID: CVE-2022-27781)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when handling requests with the CURLOPT_CERTINFO option. A remote attacker can consume all available system resources and cause denial of service conditions.
5) Improper Authentication (CVE-ID: CVE-2022-22576)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when re-using OAUTH2 connections for SASL-enabled protocols, such as SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl may reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. As a result, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer can subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer.
A remote attacker can exploit this vulnerability against applications intended for use in multi-user environments to bypass authentication and gain unauthorized access to victims' accounts.
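Items 3 and 5 share one root cause: the connection pool matched an idle connection on the endpoint alone, so settings that decide what the connection is allowed to do (credentials, TLS and SSH options) were not part of the match. The toy pool below is an added example, not libcurl's code; the `TransferConfig`, `ConnectionPool`, `weak_key` and `strict_key` names, the host and the bearer tokens are invented. `weak_key` reproduces the flawed match and `strict_key` the corrected one, and the two check functions show what each key does when a second user, or a stricter TLS setting, asks for the same host.

```python
# Added example, not libcurl's code: a toy connection pool that shows why the
# pool lookup key must cover every setting that decides what a connection is
# allowed to do. All names (TransferConfig, ConnectionPool, weak_key,
# strict_key) and the hosts/tokens below are invented for the illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class TransferConfig:
    """Settings for one transfer: endpoint, credentials and TLS options."""
    host: str
    port: int
    scheme: str
    username: str
    bearer: str            # OAUTH2 bearer token (constructed value, not real)
    verify_peer: bool = True
    ca_file: str = "/etc/ssl/certs/ca-certificates.crt"


@dataclass
class Connection:
    config: TransferConfig   # the settings the connection was opened with
    authenticated_as: str    # user + bearer the server actually accepted


class ConnectionPool:
    """Keeps idle connections in buckets chosen by key_fn(config)."""

    def __init__(self, key_fn: Callable[[TransferConfig], Tuple]):
        self._key_fn = key_fn
        self._idle: Dict[Tuple, List[Connection]] = {}
        self.opened = 0

    def acquire(self, cfg: TransferConfig) -> Connection:
        bucket = self._idle.get(self._key_fn(cfg))
        if bucket:
            return bucket.pop()          # reuse: no re-authentication happens
        self.opened += 1                 # otherwise open and authenticate anew
        return Connection(cfg, f"{cfg.username}:{cfg.bearer}")

    def release(self, conn: Connection) -> None:
        self._idle.setdefault(self._key_fn(conn.config), []).append(conn)


def weak_key(cfg: TransferConfig) -> Tuple:
    # Flawed match: endpoint identity only, like the omitted checks described above.
    return (cfg.scheme, cfg.host, cfg.port)


def strict_key(cfg: TransferConfig) -> Tuple:
    # Correct match: endpoint plus credentials plus every TLS setting.
    return (cfg.scheme, cfg.host, cfg.port, cfg.username, cfg.bearer,
            cfg.verify_peer, cfg.ca_file)


HOST = ("imap.example.test", 993, "imaps")   # constructed endpoint


def cross_user_reuse(key_fn) -> Tuple[bool, int]:
    """Alice authenticates and releases; Bob then asks for the same host.
    Returns (bob_received_alices_connection, connections_opened)."""
    pool = ConnectionPool(key_fn)
    alice = TransferConfig(*HOST, username="alice", bearer="tok-alice")
    bob = TransferConfig(*HOST, username="bob", bearer="tok-bob")
    pool.release(pool.acquire(alice))
    conn = pool.acquire(bob)
    return conn.authenticated_as != "bob:tok-bob", pool.opened


def tls_downgrade_reuse(key_fn) -> bool:
    """A transfer that disabled peer verification ran first; does a later
    transfer that requires verification get handed its unverified connection?"""
    pool = ConnectionPool(key_fn)
    lax = TransferConfig(*HOST, username="alice", bearer="tok-alice", verify_peer=False)
    strict = TransferConfig(*HOST, username="alice", bearer="tok-alice", verify_peer=True)
    pool.release(pool.acquire(lax))
    return pool.acquire(strict).config.verify_peer is False


if __name__ == "__main__":
    print("weak key  :", cross_user_reuse(weak_key), tls_downgrade_reuse(weak_key))
    print("strict key:", cross_user_reuse(strict_key), tls_downgrade_reuse(strict_key))
```

With `weak_key`, Bob is handed the connection that was authenticated as Alice and no second connection is ever opened; with `strict_key`, a second connection is opened and authenticated with Bob's own credentials. The same lookup decides the TLS case: a transfer that asked for peer verification must never be served a connection opened without it.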
6) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-22946)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error, related to incorrect enforcement of the --ssl-reqd option on the command line or CURLOPT_USE_SSL setting set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and force it silently to continue its operations without TLS encryption and transmit data in clear text over the network.
7) OS Command Injection (CVE-ID: CVE-2022-2068)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with the ability to pass data to the c_rehash script can execute arbitrary OS commands with the privileges of the script.
The vulnerability exists due to incomplete fix for #VU62765 (CVE-2022-1292).
8) Heap-based buffer overflow (CVE-ID: CVE-2022-24903)
The vulnerability allows a remote attacker to perform a denial of service or potentially execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing data in imtcp, imptcp, imgssapi, and imhttp modules used for TCP syslog reception. A remote attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and cause a denial of service or potentially execute arbitrary code on the target system.
Successful exploitation of this vulnerability is possible if the attacker is able to directly send specially crafted messages to the rsyslog daemon or by injecting specially crafted data into log files. Vulnerability exploitation in the second scenario requires that the rsyslog client supports octet-counted framing, which is not a default configuration.
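The octet-counted framing mentioned above prefixes each message with its length, so a receiver that trusts the declared length when sizing a copy is one missing comparison away from a heap overflow. The receiver below is an added example, not rsyslog's code: it parses the `<length> <message>` framing and validates the length field against a fixed limit before any copy is sized from it. `MAX_MESSAGE_LEN` is an invented limit standing in for the receiver's buffer, and the sample streams are constructed.

```python
# Added example, not rsyslog's code: a bounds-checked receiver for the
# octet-counted TCP syslog framing mentioned in item 8 ("<length> <message>").
# MAX_MESSAGE_LEN is an invented limit standing in for the receiver's buffer
# size; the sample streams are constructed.
from typing import List, Optional, Tuple

MAX_MESSAGE_LEN = 8192       # hypothetical receiver buffer size
MAX_LENGTH_DIGITS = 10       # a length field longer than this is never legitimate


def parse_octet_counted(stream: bytes, max_len: int = MAX_MESSAGE_LEN) -> Tuple[List[bytes], bytes]:
    """Return (complete messages, unconsumed tail). The declared length is
    validated against max_len before it is ever used to size a copy, which is
    the check a heap overflow of this kind needs."""
    messages: List[bytes] = []
    pos = 0
    while pos < len(stream):
        space = stream.find(b" ", pos, pos + MAX_LENGTH_DIGITS + 1)
        if space == -1:
            if len(stream) - pos > MAX_LENGTH_DIGITS:
                raise ValueError("length field too long or missing separator")
            break                                   # incomplete header: wait for more bytes
        digits = stream[pos:space]
        if not digits.isdigit():
            raise ValueError("length field is not numeric")
        length = int(digits)
        if length == 0 or length > max_len:
            raise ValueError(f"declared length {length} outside 1..{max_len}")
        start = space + 1
        if start + length > len(stream):
            break                                   # incomplete body: wait for more bytes
        messages.append(stream[start:start + length])
        pos = start + length
    return messages, stream[pos:]


def try_parse(stream: bytes, max_len: int = MAX_MESSAGE_LEN) -> Tuple[List[bytes], bytes, Optional[str]]:
    """Same as parse_octet_counted but reports the rejection reason instead of raising."""
    try:
        messages, rest = parse_octet_counted(stream, max_len)
        return messages, rest, None
    except ValueError as exc:
        return [], stream, str(exc)


if __name__ == "__main__":
    # Constructed sample streams, not captured traffic.
    print(try_parse(b"5 hello6 world!"))
    print(try_parse(b"10 <13>1 test5 hel"))      # second frame incomplete
    print(try_parse(b"99999 x"))                  # declared length beyond the buffer
```

A receiver should close the connection on any `ValueError` here rather than attempt to resynchronise; once the length field has been rejected there is no trustworthy frame boundary left in the stream.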
9) Cross-site request forgery (CVE-ID: CVE-2022-29561)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
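The missing check named above is a server-side test of where a state-changing request came from. The function below is an added example, not the device's code: it accepts safe methods, rejects requests a browser marks as cross-site, and otherwise requires the `Origin` header (falling back to `Referer`) to name the device itself, treating a request with neither header as hostile. The device host names and the sample request list are constructed.

```python
# Added example, not the device's code: a server-side origin check for
# state-changing requests, run over constructed sample requests. Only the
# standard Origin, Referer and Sec-Fetch-Site headers are used; the host names
# and the request list are invented.
from typing import Mapping, Optional, Set
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _host_of(url: Optional[str]) -> Optional[str]:
    """Extract the host[:port] authority from a URL, or None if it is unusable
    (missing, the opaque value 'null', or not http/https)."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def request_origin_allowed(method: str, headers: Mapping[str, str], own_hosts: Set[str]) -> bool:
    """True if the request may change state. Safe methods pass; otherwise the
    browser-set Origin header (falling back to Referer) must name this device.
    A state-changing request that carries neither header is rejected, because
    an absent header is exactly what a cross-site form post from an old browser
    looks like."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    # Modern browsers add Sec-Fetch-Site; page script cannot forge it.
    if h.get("sec-fetch-site") == "cross-site":
        return False
    origin_host = _host_of(h.get("origin")) or _host_of(h.get("referer"))
    return origin_host is not None and origin_host in {x.lower() for x in own_hosts}


DEVICE_HOSTS = {"rox.example.test", "192.0.2.10"}   # constructed

# Constructed requests: (label, method, headers). None were captured from a device.
SAMPLE_REQUESTS = [
    ("same-origin form post", "POST",
     {"Origin": "https://rox.example.test", "Sec-Fetch-Site": "same-origin"}),
    ("cross-site form post", "POST",
     {"Origin": "https://attacker.example.test", "Sec-Fetch-Site": "cross-site"}),
    ("legacy browser, referer only", "POST",
     {"Referer": "https://rox.example.test/settings"}),
    ("no origin information at all", "POST", {}),
    ("opaque origin", "POST", {"Origin": "null"}),
    ("read-only request", "GET", {}),
]


def evaluate_samples() -> dict:
    """Decision for each constructed request, keyed by its label."""
    return {label: request_origin_allowed(m, h, DEVICE_HOSTS)
            for label, m, h in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{'allow' if allowed else 'reject':6} {label}")
```

This check complements, rather than replaces, a per-session anti-CSRF token: the origin test catches exactly the class of request the bulletin describes, while the token covers deployments where a proxy strips these headers.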
10) Input validation error (CVE-ID: CVE-2022-29562)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP packet and perform a denial of service (DoS) attack.
11) Cross-site scripting (CVE-ID: CVE-2023-36386)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the web interface. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
12) Cross-site scripting (CVE-ID: CVE-2023-36389)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the web interface. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
13) Cross-site scripting (CVE-ID: CVE-2023-36390)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the web interface. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
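Items 11 to 13 are all the same defect: a value from the request is written into the page without encoding for the context it lands in. The renderer pair below is an added example, not the device's code. `render_unsafe` is the pattern to look for in review; `render_safe` encodes text nodes and attribute values separately and restricts URL-valued attributes to http(s). The parameter names, the page fragment and the test payloads are invented.

```python
# Added example, not the device's code: context-aware output encoding for a
# web page that reflects request parameters, beside the unsafe string-building
# it replaces. render_unsafe is the pattern the three findings describe;
# render_safe is the fix. The parameter names and page fragment are invented.
import html
from urllib.parse import urlsplit


def render_unsafe(name: str, back_url: str) -> str:
    # VULNERABLE: parameter values are dropped straight into the markup.
    return f'<p>Welcome, {name}</p><a href="{back_url}">Back</a>'


def safe_href(url: str) -> str:
    """Only absolute http(s) URLs may reach an href; anything else (javascript:,
    data:, scheme-relative tricks) is replaced by a harmless default."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(url, quote=True)
    return "/"


def render_safe(name: str, back_url: str) -> str:
    # Text context: escape <, >, & and quotes. Attribute context: the value is
    # escaped with quotes and additionally constrained to a safe URL scheme.
    return (f"<p>Welcome, {html.escape(name)}</p>"
            f'<a href="{safe_href(back_url)}">Back</a>')


def contains_active_markup(fragment: str) -> bool:
    """Crude detector used only to compare the two renderers on sample input;
    it is not a sanitizer."""
    lowered = fragment.lower()
    return "<script" in lowered or "javascript:" in lowered or " onerror=" in lowered


# Constructed test payloads (textbook values, not taken from the advisory).
BAD_NAME = "<script>alert(1)</script>"
BAD_URL = "javascript:alert(1)"

if __name__ == "__main__":
    print("unsafe:", render_unsafe(BAD_NAME, BAD_URL))
    print("safe  :", render_safe(BAD_NAME, BAD_URL))
```

The detector in the block is there to make the comparison testable; the fix is the encoding, applied at output time and chosen per context, not any attempt to filter input.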
14) Inadequate Encryption Strength (CVE-ID: CVE-2023-36748)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected devices are configured to offer weak ciphers by default. A remote attacker on the local network can perform a man-in-the-middle attack to read and modify any data passed to and from the affected device.
15) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-36749)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the web server of the affected devices supports the insecure TLS 1.0 protocol. A remote attacker can perform a man-in-the-middle attack and compromise the confidentiality and integrity of data.
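Items 14 and 15 are both posture findings that an operator can verify and correct. The helpers below are an added example, not the vendor's configuration: `audit_protocols` and `audit_cipher_names` flag protocol versions and cipher names from a list such as a scanner produces, `hardened_server_context` builds a Python `ssl.SSLContext` that negotiates TLS 1.2 and later with forward-secret AEAD suites only, and `audit_context` applies the same checks to a live context. The "as shipped" lists are constructed to resemble scanner output and the set of cipher classes flagged (RC4, DES/3DES, NULL, export grades, MD5, anonymous key exchange) is this example's policy, not a list from the bulletin.

```python
# Added example, not the vendor's configuration: audit helpers for the two
# findings above (TLS 1.0 offered, weak ciphers offered) plus a hardened
# server-side ssl.SSLContext that passes them. The "as shipped" lists are
# constructed to resemble scanner output, not taken from a real device.
import re
import ssl
from typing import Iterable, List

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Cipher names that must not be offered: RC4, (3)DES, NULL encryption/auth,
# export grades, MD5 MACs, anonymous key exchange. This is the example's policy.
WEAK_CIPHER_RE = re.compile(r"RC4|DES|NULL|EXP|MD5|ADH|AECDH|anon", re.IGNORECASE)

_VERSION_NAMES = [
    (ssl.TLSVersion.SSLv3, "SSLv3"),
    (ssl.TLSVersion.TLSv1, "TLSv1"),
    (ssl.TLSVersion.TLSv1_1, "TLSv1.1"),
    (ssl.TLSVersion.TLSv1_2, "TLSv1.2"),
    (ssl.TLSVersion.TLSv1_3, "TLSv1.3"),
]


def audit_protocols(enabled: Iterable[str]) -> List[str]:
    """Return the enabled protocol versions that should be disabled."""
    return sorted(p for p in enabled if p in WEAK_PROTOCOLS)


def audit_cipher_names(names: Iterable[str]) -> List[str]:
    """Return the cipher suite names that should not be offered."""
    return sorted(n for n in names if WEAK_CIPHER_RE.search(n))


def context_protocols(ctx: ssl.SSLContext) -> List[str]:
    """Protocol versions a context will negotiate, by name."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for ver, name in _VERSION_NAMES if lo <= ver <= hi]


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 and later only; forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a live context, in the same wording as the list audits."""
    findings = [f"protocol enabled: {p}" for p in audit_protocols(context_protocols(ctx))]
    findings += [f"weak cipher offered: {c}" for c in
                 audit_cipher_names(c["name"] for c in ctx.get_ciphers())]
    return findings


# Constructed "as shipped" posture resembling what a scanner reports for a
# device with the two findings above.
AS_SHIPPED_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
AS_SHIPPED_CIPHERS = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("as shipped, protocols:", audit_protocols(AS_SHIPPED_PROTOCOLS))
    print("as shipped, ciphers  :", audit_cipher_names(AS_SHIPPED_CIPHERS))
    print("hardened context     :", audit_context(hardened_server_context()) or "no findings")
```

The list-based audits are the ones to run against an appliance: feed them the protocol and cipher names an external scan reports, and any non-empty result is a finding of the kind the bulletin describes until the device is reconfigured or updated.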
16) Command Injection (CVE-ID: CVE-2023-36750)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the software-upgrade URL parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
17) Command Injection (CVE-ID: CVE-2023-36751)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the install-app URL parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
18) Command Injection (CVE-ID: CVE-2023-36752)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the upgrade-app URL parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
19) Command Injection (CVE-ID: CVE-2023-36753)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the uninstall-app App-name parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
20) Command Injection (CVE-ID: CVE-2023-36754)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the SCEP server configuration URL parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
21) Command Injection (CVE-ID: CVE-2023-36755)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the SCEP CA Certificate Name parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
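Items 16 to 21 share one root cause with items 1 and 7: a value the caller controls (a URL, an app name, a certificate name) reaches a shell without validation. The handler pair below is an added example, not the device firmware: `build_upgrade_command_unsafe` is the pattern to look for in review, and the safe variants validate each parameter against a strict allow-list and build an argument vector that is executed without a shell. The function names, the `/usr/bin/app-manager` tool, the URLs and the app names are invented.

```python
# Added example, not the device firmware: a hypothetical upgrade/app handler
# that builds a shell command from a URL and an app name taken from the web
# interface, beside the hardened form that validates both parameters and never
# hands them to a shell. Function names, the app-manager path and all sample
# values are invented.
import re
import subprocess
from typing import List
from urllib.parse import urlsplit

APP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
SHELL_META = set(";|&$`<>()\n\r'\"\\ \t")


def build_upgrade_command_unsafe(url: str) -> str:
    # VULNERABLE: string interpolation into a command line that is run through
    # a shell. Any shell metacharacter in url becomes part of the command.
    return f"curl -o /tmp/upgrade.bin {url}"


def is_valid_upgrade_url(url: str) -> bool:
    """Accept only absolute https URLs made of printable ASCII with no shell
    metacharacters or whitespace. Rejecting is the default."""
    if not url or len(url) > 2048 or not url.isascii() or not url.isprintable():
        return False
    if any(ch in SHELL_META for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def is_valid_app_name(name: str) -> bool:
    """Letters, digits, dot, underscore, dash; must not start with a dash."""
    return bool(APP_NAME_RE.fullmatch(name))


def build_upgrade_command_safe(url: str) -> List[str]:
    """Argument vector for subprocess without a shell. '--' ends option parsing
    so a value can never be read as a curl option."""
    if not is_valid_upgrade_url(url):
        raise ValueError("rejected upgrade URL")
    return ["curl", "--fail", "--proto", "=https", "--output", "/tmp/upgrade.bin", "--", url]


def build_uninstall_command_safe(app_name: str) -> List[str]:
    if not is_valid_app_name(app_name):
        raise ValueError("rejected app name")
    return ["/usr/bin/app-manager", "uninstall", "--", app_name]   # hypothetical tool


def run(argv: List[str]) -> int:
    """Execute an argument vector directly; nothing is interpreted by a shell."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs; the second is the shape of input the validator must reject.
    for candidate in ("https://updates.example.test/fw/rox-2.bin",
                      "https://updates.example.test/fw.bin; id"):
        print(f"{candidate!r}: {'accepted' if is_valid_upgrade_url(candidate) else 'rejected'}")
    print(build_upgrade_command_safe("https://updates.example.test/fw/rox-2.bin"))
```

Two things matter in the safe form and both are needed: the allow-list rejects anything a shell could interpret, and the argument vector means that even a value the allow-list missed is passed to `curl` as a single argument rather than parsed as a command line.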
Remediation
Install the update from the vendor's website.