Buffer Overflow Vulnerabilities in OpenSSL 3.0 Affecting Siemens Products
Priority: Act Now · CVSS 7.5 · Siemens advisory SSA-408105 · Dec 13, 2022
Attack Vector: Network · Auth Required: None · Complexity: Low · User Interaction: None needed
Summary
OpenSSL versions 3.0.0 through 3.0.6 contain two buffer overflow vulnerabilities (CVE-2022-3602, CVE-2022-3786) in X.509 certificate verification, specifically in name constraint checking. These vulnerabilities affect multiple Siemens products: Calibre ICE (versions 2022.4 through 2023.0), Mcenter (5.2.1 through 5.2.x), SCALANCE X-200RNA family (3.2.7), SICAM GridPass (1.80 through 2.19), and SIMATIC RTLS Locating Manager (2.13.0.0 through 2.13.0.2). An attacker can trigger a denial of service or potentially execute arbitrary code by sending a specially crafted X.509 certificate during the TLS handshake to a vulnerable TLS server (if client certificate authentication is enabled) or to a vulnerable TLS client.
What this means
What could happen
A buffer overflow in the OpenSSL 3.0 build used by these Siemens products could allow an attacker to crash the TLS-handling process (denial of service) or, for CVE-2022-3602, potentially execute code with that process's privileges. This could disrupt engineering workstations, grid PKI infrastructure, industrial network switches, and real-time locating services that depend on these products.
Who's at risk
Any organization running one of the listed products, regardless of sector. The products span several Siemens portfolios: SICAM GridPass (grid PKI and certificate management), SCALANCE X-200RNA network switches (used in substations and plants), SIMATIC RTLS Locating Manager (facility real-time tracking), Mcenter (management and control), and Calibre ICE. Exposure depends on which of these terminate or initiate TLS with the affected OpenSSL 3.0 build, not on the operator's industry.
How it could be exploited
An attacker crafts an X.509 certificate whose email address field carries a malformed punycode (xn--) label and presents it during the TLS handshake, either as a client certificate to a vulnerable server that has client certificate authentication enabled, or as the server certificate to a vulnerable client. The overflow sits in OpenSSL's punycode decoder, which runs while X.509 name constraints are checked against email addresses, so it is reached only after chain signature verification: the certificate must chain to a CA the verifier trusts, or the application must keep validating after failing to build a path to a trusted issuer. CVE-2022-3602 overflows a stack buffer by four attacker-controlled bytes and can crash the process or, depending on platform and stack layout, lead to code execution with the privileges of the affected application; CVE-2022-3786 overflows by an arbitrary number of '.' bytes and is limited to a crash (denial of service).
Prerequisites
- Network access to the TLS service (typically port 443 or an application-specific port)
- For TLS server exploitation: client certificate authentication must be enabled on the server, so that the server parses and validates the attacker-supplied certificate
- For TLS client exploitation: the client must attempt to connect to an attacker-controlled or compromised server
- In either case: the crafted certificate must pass chain signature verification (be issued by a CA the peer trusts), or the application must continue verification despite failing to build a path to a trusted issuer, because the vulnerable name constraint check runs after signature verification
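Two checks that follow from the prerequisites above, written as an added example for this page (it is not Siemens' or OpenSSL's own tooling): whether a host's OpenSSL build is in the affected 3.0.0 through 3.0.6 range, and whether a TLS server sends a CertificateRequest, which is the precondition for the server-side attack path. The function names are mine; the matched strings are the lines OpenSSL's `s_client` prints in its handshake report when the server asked for a client certificate, and the sample `s_client` output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not Siemens' or OpenSSL's code): pre-patch exposure checks for
# the OpenSSL 3.0 X.509 name-constraint overflows (CVE-2022-3602, CVE-2022-3786).

# Usage: openssl_version_affected "<output of: openssl version>"
# Returns 0 if the version is 3.0.0 .. 3.0.6, 1 if not, 2 if unparseable.
openssl_version_affected() {
    _ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$_ver" ] || return 2
    set -- $_ver                      # $1=major $2=minor $3=patch
    if [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "$3" -le 6 ]; then
        return 0
    fi
    return 1
}

# Usage: server_requests_client_cert < s_client_output
# Returns 0 when captured "openssl s_client" output shows the server sent a
# CertificateRequest. s_client prints these lines in that case:
#   "Acceptable client certificate CA names"  (CA list from the request)
#   "Client Certificate Types: ..."           (TLS 1.2)
#   "Requested Signature Algorithms: ..."     (TLS 1.2 / 1.3)
# A server that never asks for a client cert prints
# "No client certificate CA names sent" and none of the above.
server_requests_client_cert() {
    grep -q -e 'Acceptable client certificate CA names' \
            -e 'Client Certificate Types' \
            -e 'Requested Signature Algorithms'
}

# Usage: probe_server host port   (live network probe; not exercised offline)
probe_server() {
    # -servername sets SNI; </dev/null closes stdin so s_client exits after the handshake.
    if openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        server_requests_client_cert; then
        echo "$1:$2 requests client certificates: exposed if it runs OpenSSL 3.0.0-3.0.6"
    else
        echo "$1:$2 does not request client certificates: only the client-side path applies"
    fi
}

# Stand-alone run: report the local build, then probe host:port if given.
if command -v openssl >/dev/null 2>&1; then
    _local=$(openssl version)
    if openssl_version_affected "$_local"; then
        echo "LOCAL: $_local is in the affected range (3.0.0-3.0.6)"
    else
        echo "LOCAL: $_local is outside the affected range"
    fi
fi
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    probe_server "$1" "$2"
fi
```

Run it as `sh check.sh` for the local version check, or `sh check.sh host port` to also probe a server. A server that requests client certificates on an affected build is the case the advisory's server-side path applies to; a client-only product is exposed instead through the servers it connects to, so the version check is the one that matters there.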
Tags: remotely exploitable · no authentication required (for client exploitation) · low complexity · high EPSS score (83.2%) · affects critical energy sector operations
Exploitability
High exploit probability (EPSS 83.2%)
Affected products (5, all with a fix available)
Product                       | Affected Versions        | Fix Status
Calibre ICE                   | ≥ 2022.4, < 2023.1       | 2023.1
Mcenter                       | ≥ 5.2.1, < 5.3.0         | 5.3.0
SCALANCE X-200RNA family      | ≥ 3.2.7, < 3.2.8         | 3.2.8
SICAM GridPass                | ≥ 1.80, < 2.20           | 2.20
SIMATIC RTLS Locating Manager | ≥ 2.13.0.0, < 2.13.0.3   | 2.13.0.3
Remediation & Mitigation
Scheduling: requires a maintenance window. Patching may require a device reboot, so plan for process interruption.
- SIMATIC RTLS Locating Manager: hotfix, update to version 2.13.0.3 or later
- SICAM GridPass: hotfix, update to version 2.20 or later
- Calibre ICE: hotfix, update to version 2023.1 or later
- SCALANCE X-200RNA family: hotfix, update to firmware version 3.2.8 or later
- Mcenter: hotfix, update to version 5.3.0 or later
CVEs (2): CVE-2022-3602, CVE-2022-3786